TLS/SSL certificates

Do you have questions about our TLS/SSL certificates? We will be pleased to assist you. You can find information in our FAQs section or you can contact our support team directly. 

Latest information about using SSL certificates

As a trust service provider (CA) that issues publicly trusted certificates, we are particularly committed to supporting you in the practical use of TLS/SSL certificates. In this context, we would like to draw your attention to the fact that we rely on you to co-operate not just in your interest, but also in order to ensure that the certificates and their contents can be trusted. Trust in TLS/SSL encrypted websites and online applications is based on this information.

At the same time, we, like any other CA that issues publicly trusted certificates worldwide, are obliged to investigate any indication of false or obsolete information, misuse, key compromise, or encoding errors in or by TLS/SSL certificates, and to revoke such certificates, if necessary. The reasons for revocation are laid down, for instance, in our Certificate Policy (CP) and Certificate Practice Statements of D-Trust GmbH (CPS), by the CA/B Forum, but also by browser manufacturers in their root store policies. If an analysis is required, we need your prompt co-operation and we truly appreciate your support in such matters.

In this context, we would especially like to point out that there may be situations in which we – like any other CA – are obliged to immediately revoke a certificate (period varying between ‘within 24 hours’ and ‘within 120 hours’). This has an immediate impact on your TLS/SSL secured service.

In this case, we will do everything together with you to ensure a smooth transition between the old and the new certificate. Your prompt response will provide us with invaluable help in this process. 

In light of this, it is very important to examine how you use the TLS/SSL certificates issued by us in your infrastructures. In particular, you should be able to replace certificates within 24 hours without this having any impact on your TLS/SSL secured service. Certain technologies, such as certificate pinning, may prove to be counterproductive in situations like these because you are dependent on how long it takes to publish a new certificate on all systems. If you have any questions regarding how to achieve greater agility when replacing certificates, please contact us.

In the guide for using TLS certificates you will find further information on the contemporary use of TLS certificates.

We look forward to supporting you in the future with our Internet security products. Should you have any questions, please do not hesitate to contact us at 

Download and frequent questions regarding root and issuer certificates

Our SSL certificates are issued on the basis of two different certificate chains, depending on the product focus:

1. Advanced SSL ID, Wild Card SSL ID

2. Advanced EV SSL ID

More information about Security issue notification

In order to create a Certificate Signing Request (CSR), please have the following information at the ready:

  • Common Name (CN) − Fully Qualified Domain Name (FQDN) of the website to be secured
  • Organisation Name (O) − applicant (i.e. the organisation that wishes to identify both itself and its web server in future)
  • Locality (L) − city (applicant's official place of business)
  • State (S) − federal state/canton (applicant's official place of business as recorded in the commercial register (HRA/HRB))
  • Country (C) − e.g. DE for Germany (applicant's official place of business)

Note: It is essential that you archive your CSR file and your private key after you have created them.
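One way to create the key and CSR with OpenSSL and to confirm that the two files belong together before archiving them. This is an added example, not D-Trust's own tooling; the subject values, the RSA-2048 key type and the file names are constructed assumptions.

```shell
#!/bin/sh
# Added example. Subject values are constructed placeholders; the RSA-2048 key
# type and the file names server.key/server.csr are assumptions.

# make_csr DIR CN O L ST C: writes DIR/server.key and DIR/server.csr
make_csr() {
  ( umask 077   # keep the new private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$1/server.key" -out "$1/server.csr" \
      -subj "/C=$6/ST=$5/L=$4/O=$3/CN=$2" 2>/dev/null )
}

# csr_subject CSR: prints the subject that the CA will see
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# csr_matches_key KEY CSR: exit 0 only if the CSR was created from KEY
csr_matches_key() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run in a scratch directory; in real use, DIR is where you archive both files.
work=$(mktemp -d)
make_csr "$work" www.example.com "Example GmbH" Berlin Berlin DE
csr_subject "$work/server.csr"
csr_matches_key "$work/server.key" "$work/server.csr" && echo "key and CSR belong together"
rm -rf "$work"
```

Running `csr_matches_key` against the archived files before installation shows whether the private key on that machine is the one the request was created from.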

Once D-Trust has approved the application, we will send you the certificate by e-mail or we will provide you with a link that you can use to download it. All you need to do now is to install the certificate on your web server.

Note: Our certificates are compatible with all customary platforms that support today's hash algorithms. If you should have questions related to creating a CSR or certificate requests, please refer to the comprehensive and specific documentation provided by the manufacturer of your hardware and software.

If you should experience problems during installation, this may be due to the following reasons:

  • Between the time the request was generated and the time the certificate was installed, the certificate request and/or private key was deleted, or the installation was carried out on a different computer.

  • The certificate chain is incomplete on the web server. Please check whether the root certificate (as the root certification authority) and the issuing intermediate certificate (as the intermediate certification authority and/or chain-CA or sub-CA) exist. If one of these certificates does not exist, it will not be possible to import the SSL certificate. This also means that error-free client access to the server will not be possible at a later point in time. You can find our current CA certificates on our certificate download page.
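The incomplete-chain case can be reproduced and checked with `openssl verify`. The following added example (not D-Trust's code) builds a constructed throwaway PKI with placeholder names and shows that the server certificate only validates when the issuing CA certificate is available.

```shell
#!/bin/sh
# Added example with a constructed throwaway PKI (root -> issuing CA -> server).
# All names are placeholders, not D-Trust certificates.

# new_req DIR NAME CN: creates DIR/NAME.key and DIR/NAME.csr
new_req() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_demo_pki DIR: creates root.pem, issuing.pem and server.pem in DIR
build_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  new_req "$d" root "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  new_req "$d" issuing "Demo Issuing CA"
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/issuing.pem" 2>/dev/null
  new_req "$d" server "www.example.com"
  openssl x509 -req -in "$d/server.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# chain_ok ROOT SERVER [ISSUING]: exit 0 only if a full path up to ROOT can be built
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

pki=$(mktemp -d)
build_demo_pki "$pki"
chain_ok "$pki/root.pem" "$pki/server.pem" || echo "incomplete: issuing CA certificate missing"
chain_ok "$pki/root.pem" "$pki/server.pem" "$pki/issuing.pem" && echo "complete with issuing CA"
openssl x509 -in "$pki/server.pem" -noout -issuer   # names the CA certificate to fetch
rm -rf "$pki"
```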

CAA stands for “Certificate Authority Authorization”. This Resource Record determines which CAs (Certificate Authorities) are authorized to issue SSL certificates for the Internet domain administered by you. 
Although the CAA Resource Record is not mandatory, it is designed to protect you since it prevents unauthorized TLS certificates from being issued for one of your Internet domains. If there is no CAA Resource Record, any CA can issue a TLS certificate for your domain.
The specification of the D-Trust CA in your CAA Resource Record ensures that no unauthorized TLS certificates can be issued for one of your Internet domains.
Examples of a CAA Resource Record specifying D-Trust as the authorized CA:

  • All TLS certificate types (including wildcards)        CAA 0 issue “”
  • Wildcard TLS certificates only        CAA 0 issuewild “”

The first entry applies to all TLS certificate types, the second to wildcard TLS certificates only. If you wish to obtain all TLS certificate types from one CA, the first entry is sufficient. For more in-depth information, please refer to RFC 6844.
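How a CA reads these two entries can be sketched as a small evaluator. This is an added example, not D-Trust's implementation; it follows the general issue/issuewild rules of the CAA specification, and `ca.example` and `other.example` are placeholder CA identifiers.

```shell
#!/bin/sh
# Added example. Input on stdin: the CAA record set that applies to the domain,
# one record per line as printed by `dig +short CAA`: <flags> <tag> "<value>".
# ca.example / other.example are placeholder CA identifiers.

# caa_permits CA KIND   (KIND = host | wildcard); exit 0 = CA may issue
caa_permits() {
  awk -v ca="$1" -v kind="$2" '
    { tag = tolower($2); val = $3
      gsub(/"/, "", val); sub(/;.*/, "", val); val = tolower(val)  # drop quotes, parameters
      if (tag == "issue")          { n_issue++; if (val == ca) ok_issue = 1 }
      else if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
      else if (tag != "iodef" && $1 >= 128) deny = 1   # critical tag this checker does not know
    }
    END {
      if (deny) exit 1
      if (kind == "wildcard" && n_wild > 0) exit(ok_wild ? 0 : 1)  # issuewild replaces issue
      if (n_issue > 0) exit(ok_issue ? 0 : 1)
      exit 0   # no restricting entry: any CA may issue
    }'
}

# Constructed record set: only wildcard certificates, and only from ca.example
rrset='0 issue ";"
0 issuewild "ca.example"'
for kind in host wildcard; do
  if printf '%s\n' "$rrset" | caa_permits ca.example "$kind"
  then echo "ca.example $kind: permitted"
  else echo "ca.example $kind: refused"
  fi
done
```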

Where is the entry made?

You can enter a corresponding CAA record in the DNS configuration of your domain provider (for instance, 1und1, Strato, etc.).
NOTE: Please note that D-Trust GmbH will be unable to issue any TLS certificates to you if your CAA Resource Record contains any CA other than D-Trust GmbH.

In June 2021, D‑Trust increased the number of SAN entries with SSL/TLS certificates to 256. These certificates can be used to secure different domains and sub-domains (placeholder function). Each SAN entry can be edited or deleted at any time. This means greater flexibility and simplifies management. With just one SSL/TLS certificate from D‑Trust, you can protect 256 domains while at the same time complying with the sometimes very different security requirements from one network to the next.


Guide for using TLS certificates

+49 (0) 30 2598 – 0