FAQs - Buying and managing a Certificate

To change the validation method of a domain:

go to the company website and sign in to your Customer Area. For more details on how to sign in to the Customer Area, see the guide;
select Certificate status, based on the SSL certificate for which you want to change the validation method;
select Edit next to Verification method;
follow the guided procedure. Read the guide for more details on the validation methods you can choose.

If your certificate has not yet been issued and is in the process of being activated, open a support request. If it has already been issued, follow the instructions in the guide to revoke a certificate and place a new order.

If you have lost your private key:

generate a new CSR;
follow the instructions in the guide to open a support request and attach the CSR you have just created.

See the official Microsoft guides to installing a Certificate imported to a Windows webserver or installing a Certificate on IIS 7.

Yes, but you need a SAN (Up to 5 domains) or Wildcard certificate (1 website and all subdomains) if you want to protect multiple domains.

Yes, SSL certificates give you "X509v3 Extended Key Usage: TLS Web Client Authentication" that allows you to certify an electronic system.

Yes, the OV SSL certificate allows you to use APIs that require mTLS.

To renew a certificate, sign in to your account, select the certificate due to expire and follow the renewal procedure. A new certificate can be issued up to 30 days in advance and any remaining days will be added on automatically.

Validating an EV certificate involves verifying the legal existence of your organization, checking the identity of the applicant and confirming the authenticity of the data provided. The process can take several days.

Yes, you can export a certificate with a private key from the original server and import it to a new server. Make sure that you use secure protocols to transfer the file.

If you choose to verify the domain via email, this step is required and cannot be skipped.

To download the CRL:

go to the details of your Certificate, depending on your browser;
find the CRL distribution points field;
manually copy one of the URLs you find;
paste the URL directly into the browser bar;
the browser will prompt you to save the CRL to a file. Save it.

Click on the saved file twice to access the content of the CRL.

It is an X.509 digital certificate used not to authenticate a server, but to authenticate the client (application, device, service, user) to a server. It works as a "cryptographic ID card" that proves who/what is making the connection.

Yes, if the service requires authentication through client certificates issued by a public CA (included in the Italian TSL – Trust Service List).

Technically yes, but it is not recommended. It is best practice to keep the certificate tied to a single device.

No, the certificate is not recognized by browsers.

The client can no longer authenticate. This may cause downtime, sudden errors, API and workflow blocks.
For this reason, it is essential to monitor expiration dates and renew the certificate before it expires.

Starting from 15/06/2026, it will no longer be possible to issue SSL certificates that also allow client authentication.
This means that the SSL certificate installed on a server will no longer be usable to authenticate to another server using client authentication (a concept also known as mutual TLS / mTLS).
Mutual TLS is mainly used in machine-to-machine communications (for example, in payment networks), but it is not required for normal web browsing via browsers or mobile apps.
For mutual TLS to be possible, the SSL certificate used by the client side must include the clientAuth value in the ExtendedKeyUsage field. After the set date, this will no longer be possible for SSL Server certificates; therefore, separate certificates will be required for this purpose.

Yes, the certificate is still valid and can be used normally.
There is no need to replace it immediately. At renewal, the new certificate will be issued without the Client Authentication EKU extension, in line with current issuance policies.

No, browsers will continue to accept certificates that have already been issued, even if they include “Client Authentication.”
The change applies only to new certificates issued after that date, not to those already in use.

The Client Authentication EKU indicates that a certificate can be used by a client to authenticate to a server.
Some Certification Authorities included this extension in TLS certificates by default, but it is not necessary to secure a website. For this reason, it will no longer be included in new certificates issued after 15 June 2026.

FAQs - Buying and managing a Certificate

How do I change the domain validation method?

I have uploaded the wrong CSR: how can I upload the right one?

How can I recover a private key?

How do I manage certificates with Microsoft IIS?

Can I use the same SSL certificates for more than one domain?

Can I certify an electronic system with SSL certificates?

Is the OV SSL certificate suitable for use with APIs that require mutual TLS (mTLS)?

Can I renew an SSL certificate before it expires?

How does the validation process work for an EV SSL certificate?

Can I migrate an SSL certificate from one server to another?

Why do I have to verify my email address again when activating the SSL certificate, even though I already provided it when registering my account?

How can I download the CRL?

What is a client SSL/TLS certificate?

Can I use the certificate to access Public Administration services?

Can the certificate be installed on multiple devices?

Is the certificate recognized by browsers?

What happens if a client certificate expires?

Can I use an Actalis SSL certificate for mutual TLS after 15/06/2026?

My TLS certificate shows "Client Authentication." Is it still valid?

After 15 June, will browsers reject the certificate?

What is the "Client Authentication" EKU and why was it present in my certificate?

AdBlock detected