Verification steps before a certificate gets issued
Verifications will be carried out before issuing an SSL Certificate. Which validation steps will be carried out depends on the type of certificate. Below you'll find a schedule of the steps that need to be taken for the different types of certificates. These steps will be taken in chronological order according to the schedule. For example; domain validation takes place once all other validation steps are completed.
Business data that will be added in the certificate needs to be verified with an independent source. Business data are:
- Legal- or tradename
- Legal form
- Postal code
Examples of independent sources are:
- Netherlands: Chamber of Commerce (KvK)
- Belgium: Kruispuntbank van Ondernemingen (KBO)
- Other Countries: Dun & Bradstreet (D&B)
The business name as added in the CSR needs to be an exact match with the one registered in the commercial register. If the given name is not registered or it doesn't contain the correct notation (for EV), it's not possible to process the order and we'll have to reject it. Sometimes a new request with the correct data in the CSR is necessary, sometimes we need your approval to make changes.
The data in the certificate needs to be an exact match with the data in the commercial register, this means that:
- With Organisation Validation (OV) it's allowed to use a tradename or a postal address, if registered in the commercial register.
- With Extended Validation (EV) it's only allowed to use the registered Legal Name, or the Tradename followed by the Legal Name in parentheses. Use the notation: Tradename (Legal Name). For entities without a legal name, all tradenames can be used.
It's not allowed to use a postal address.
The whois displays the owner information of a domain. The whois information of the domain will be compared to the registered company information and must match. To change the whois information the hosting provider or registrar can be contacted. Usually they can adjust the information in real time.
The sources to verify the whois information differ for each TLD.
When requesting an EV certificate, legal documents have to be signed. This consists of a Certificate Request form and a Certificate Subscriber Agreement. The forms are pre-filled and the corporate contact needs to check and return the signed documents. Sectigo (Comodo) also allows to confirm these documents online. During the request process it's possible to enter the e-mailaddress of te corporate contact, the e-mail will be sent by Sectigo. This e-mail contains a link to the Certificate Subscriber Agreement. Confirming the documents online will be sufficient.
Note: If you want to sell SSL certificates "white-labeled", we advice you to use the pre-filled PDF form. It's possible to change the e-mailaddress from Sectigo (Comodo) to your own.
The corporate contact will be contacted by phone. This will be done on a publicly registered phone number from the organization, registered with for instance the Chamber of Commerce. This is to verify if the organisation actually requested the certificate.
Note: If you request a certificate for one of your customers as a reseller, it's necessary to give a contact for the organisation you're requesting for. We also advise you to inform this corporate contact in advance.
The exact procedure depends on the validation level (the type of certificate) and the supplier.
- Organisation Validation(OV)
The organisation will be verified once per 27 months (with Sectigo certificates) by phone. This is not required anymore if:
- A renewal or reissue is done under the same account, or;
- A new request is done under the same account and for the same organisation for which an OV certificate has been issued before.
as long as the phone validation isn't older than 27 months.
The other CA's use different procedures.
- Extended Validation(EV)
Every request will be validated by phone, including renewals and reissues of Multi Domain certificates. When ordering EV certificates the corporate contact and the EV documents will be verified.
Domain validationThis validation step verifies that you have full control over the domain for which the certificate is requested. Sectigo offers three methods. GlobalSign, Geotrust, Thawte or DigiCert only use e-mail validation.
Every (sub)domain needs to be approved individually. Sectigo checks every root domain individually when choosing for e-mail validation. When using file validation or CNAME validation each subdomain will be checked. When requesting a reissue using the same CSR, the domain verification will not be necessary for the same domains.
The supplier of the certificate sends a DCV (Domain Control Validation) e-mail to the e-mailaddress selected when the certificate was requested. An e-mail is sent containing a link to a webpage and a code. The code needs to be entered on the webpage.
Allowed e-mailaddresses for e-mail validation are:
- admin-, administrator-, hostmaster-, postmaster-, firstname.lastname@example.org
- the e-mailaddressess registered in the whois register of the domain.
Note: Due to the GDPR some registrars don't show those email adresses anymore. In these cases, we can't check the e-mail addresses. To avoid possible delay in the certificate issuance, we advise you to use one of the 5 standard email addresses.
(HTTP) File Validation
From the used CSR an MD5 and SHA-256 hash is made. The hash-values will be shown when the request is confirmed. For every domain a .txt record file needs to created containing these hash-values. This file needs to be placed in a specific path of the HTTP of HTTPS server of the domain. The CA will check the presence and content of the record for verification.
(DNS) CNAME Validation
From the used CSR an MD5 and SHA-256 hash is made. The hash-values ready for use in the DNS will be shown when the request is confirmed. With these values a CNAME record needs to be made in the DNS configuration. This record refers to a domain name of the CA. The CA will check the record and if it actually refers to the domain name of the CA. Via http://www.mxtoolbox.com/ a check can be done to see if the record was placed correctly.