
Encryption Everywhere and SSL Lite: Free Security for Every Site

OpenSRS offers a complimentary domain-vetted SSL Lite certificate, allowing resellers to provide a free, baseline level of security to their customers. This article explains what SSL Lite is, who qualifies, what to check before ordering, and the steps to add SSL Lite through the Reseller Control Panel or API.

About SSL Lite

SSL Lite is a domain-validated certificate that secures the root domain at no charge. It is part of the Encryption Everywhere program and is designed to give every eligible OpenSRS-managed domain a baseline of HTTPS protection.

For coverage beyond the root domain, you can purchase the SSL Lite Wildcard, which secures unlimited subdomains on the same web server with a single certificate. For example, a wildcard certificate for opensrs.com also covers mail.opensrs.com, ftp.opensrs.com, and any other subdomain (the certificate is provisioned for *.opensrs.com).

Note: An SSL Lite certificate only covers the root domain. To cover subdomains, purchase the SSL Lite Wildcard.

Before you begin

To qualify for the free SSL Lite certificate, the registrant must meet these requirements:

  • OpenSRS domain. The domain must be registered with OpenSRS.
  • SystemDNS nameservers. The domain's nameservers must be set to OpenSRS SystemDNS (ns1.systemdns.com, ns2.systemdns.com, ns3.systemdns.com). See for details.
  • Active domain status. The domain cannot have a status of Client hold or Suspended.
  • Valid CSR. Your Certificate Signing Request (CSR) must contain the correct Common Name and any additional SANs, and must be generated with a SHA2 signature algorithm.

Warning: Once an SSL Lite order is placed, the following actions are not supported: cancel order, reissue certificate with a new CSR, update order (for example, approver email change), and renewal. If you need any of these capabilities, choose an entry-level DV product such as RapidSSL instead.

Step 1: Add SSL Lite to a new domain registration

  1. From the Domains tab, select the + icon and enter the domain name you want to register.
  2. Under Domain Settings, check Free SSL Certificate.

  3. Complete all required fields, scroll to the bottom, and click Submit Registration.
  4. Review the order in the confirmation window. SSL Lite is selected by default; you can choose the wildcard version instead. Click Continue to Next Step.
  5. Provide the CSR and confirm the contact information, then click Submit to complete the order.

Step 2: Add SSL Lite to an existing domain

  1. From the Domains tab, click the domain you want to secure.
  2. Under Domain Settings, locate Free SSL Certificate and click Get it now!
  3. Review the order in the confirmation window. SSL Lite is selected by default; you can choose the wildcard version instead. Click Continue to Next Step.
  4. Provide the CSR and confirm the contact information, then click Submit to complete the order.

Step 3: Add SSL Lite as a new Trust service

  1. From the Trust tab, select the + icon and enter the domain name.
  2. In the dialog that appears, select Symantec SSL as the supplier and SSL Lite as the service, then click Continue to Next Step.
  3. From the service drop-down, select product_type.symantec_ssl_lite or product_type.symantec_ssl_lite_wildcard.

  4. Click Associate with existing user and select the domain you want to secure.
  5. Click Submit to finish the order.

Warning: The Reseller Control Panel still references the Symantec SSL supplier and symantec_ssl_lite product types. Following the DigiCert rebrand, confirm whether these names have been updated in the current UI and API before publishing.

Generate a CSR

A CSR is generated on the server where the certificate will be installed. The best source for help is your hosting provider or web server administrator.

Make sure your CSR is generated with a SHA2 signature algorithm. The following partner resources can help:

Troubleshoot a certificate order

To avoid processing delays or cancellations, double-check that the Common Name and any additional SANs in your CSR are correct before submitting. Use the OpenSRS CSR Parser Tool to inspect a CSR while the order is pending or processing — see for details.
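Because an SSL Lite order cannot be reissued with a new CSR, it is worth checking the CSR locally before submitting. The script below is an added example, not part of the OpenSRS article: it generates a SHA-256 CSR with OpenSSL and checks the self-signature, signature algorithm, Common Name, and SANs. The domain example.com, the file names, and the helper function names are assumptions, and -addext needs OpenSSL 1.1.1 or later.

```bash
#!/bin/sh
# Added example (not from the OpenSRS article). example.com and the file
# names are placeholders; -addext requires OpenSSL 1.1.1 or later.

# make_csr CN KEYFILE CSRFILE: new 2048-bit RSA key and a SHA-256-signed CSR.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2" -out "$3" 2>/dev/null
}

# csr_sans CSRFILE: print each DNS SAN on its own line (nothing if none).
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# check_csr CSRFILE EXPECTED_CN: return 0 only if the self-signature
# verifies, the digest is SHA-256/384/512, and the CN equals EXPECTED_CN.
check_csr() {
    csr=$1; want_cn=$2
    # Match the message rather than the exit status, which is not
    # reliable across OpenSSL versions.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify"; return 1; }
    sigalg=$(openssl req -in "$csr" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sigalg in
        *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) ;;
        *) echo "FAIL: signature algorithm '$sigalg' is not SHA-2"; return 1 ;;
    esac
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$cn', expected '$want_cn'"; return 1; }
    echo "OK: CN=$cn, signature=$sigalg, SANs: $(csr_sans "$csr" | tr '\n' ' ')"
}

# Demo on a throwaway key and CSR (constructed sample, not a real order).
demo_dir=$(mktemp -d)
make_csr example.com "$demo_dir/site.key" "$demo_dir/site.csr" &&
    check_csr "$demo_dir/site.csr" example.com
rm -rf "$demo_dir"
```

For a real order, run check_csr against the CSR produced on the server that will hold the private key, passing the exact domain being ordered as the expected Common Name.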

API example

The two product types used for SSL Lite over the API are symantec_ssl_lite and symantec_ssl_lite_wildcard.

Note: The free SSL Lite certificate itself cannot be obtained over the API; only the wildcard variant is available as a paid API order. See the sw_register-trust_service API guide for the complete XML schema.

<OPS_envelope>
  <header><version>0.9</version></header>
  <body>
    <data_block>
      <dt_assoc>
        <item key="protocol">XCP</item>
        <item key="action">sw_register</item>
        <item key="object">trust_service</item>
        <item key="attributes">
          <dt_assoc>
            <!-- contact_set, csr, period, server_type, handle, and other parameters -->
            <item key="product_type">symantec_ssl_lite</item>
          </dt_assoc>
        </item>
      </dt_assoc>
    </data_block>
  </body>
</OPS_envelope>

Next steps

  • Review related product changes in to understand SAN, wildcard, and validation updates that affect SSL Lite.
  • Learn about the Symantec rebrand in to map old product names to their DigiCert equivalents.
  • Browse all SSL topics in for related ordering, validation, and management articles.
  • See the full API reference in the sw_register-trust_service API guide.

Questions? Contact OpenSRS Support.
