To prove domain control, there are various validation methods for the different types of SSL certificates we offer. In general, we offer three types of SSL certificates from different SSL suppliers.
- Domain validated SSL-certificates
- Organisation validated (OV) SSL-certificates
- Extended validation (EV) SSL-certificates
A brief explanation of the different types of certificates detailed above is given below.
Domain Validated SSL-certificates
Domain validation proves you have full control over the domain for which you're requesting an SSL-certificate. There are three different methods to prove domain control: e-mail validation, file validation and CNAME validation (DNS). Keep in mind that every domain or subdomain has to be validated individually.
All the certificates we offer have the option to be validated through email.
The SSL-provider sends an email to the email address you selected when ordering the SSL-certificate. The email contains a password, which needs to be submitted on a website that is also specified in the email.
The email addresses listed in the WHOIS can be used for receiving the DCV email. Another option is to use admin, administrator, hostmaster, postmaster or firstname.lastname@example.org.
Sectigo offers two alternative methods of domain validation: HTTP file validation & CNAME validation.
HTTP file validation
HTTP file validation is domain control validation through a specific file path. This is done by adding a .txt file containing an MD5 and SHA-256 hash derived from the CSR of the requested certificate. When this .txt file is placed at the location specified by the Certificate Authority (CA), the CA is able to determine domain control.
With CNAME validation, an MD5 and SHA-256 hash is created from the CSR of the requested certificate, similar to HTTP file validation. The difference between HTTP file validation and CNAME validation is simple. With CNAME validation, the MD5 and SHA-256 hash derived from the CSR of the requested SSL-certificate is used in a CNAME-record in the domain's DNS configuration. This CNAME-record containing the MD5 and SHA-256 hashes will prove domain control to the CA.
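The following pre-flight check is an added example, not Sectigo's or our own tooling: it derives the MD5 and SHA-256 values from a CSR and compares them with what is actually published, so a mismatch is caught before the CA checks. The DER hashing input, the `/.well-known/pki-validation/` path, the file and CNAME layout, the `ca.example` suffix and all function names are assumptions; always use the exact values shown in your order.

```python
import base64
import hashlib
import re

# Constructed sample: PEM armour around arbitrary bytes, NOT a real CSR.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(bytes(range(200))).decode()
    + "-----END CERTIFICATE REQUEST-----\n"
)
_PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def csr_der(pem):
    """Strip the PEM armour; the hashes are assumed to cover the DER bytes."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CSR block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def dcv_tokens(pem):
    """Return (MD5, SHA-256) of the CSR as upper-case hex."""
    der = csr_der(pem)
    # MD5 only names the file/record here; SHA-256 is the value being checked.
    md5 = hashlib.md5(der, usedforsecurity=False).hexdigest().upper()
    return md5, hashlib.sha256(der).hexdigest().upper()

def http_file(pem, ca_domain="ca.example"):
    """Assumed layout: <MD5>.txt holding the SHA-256 and the CA's domain."""
    md5, sha256 = dcv_tokens(pem)
    return f"/.well-known/pki-validation/{md5}.txt", f"{sha256}\n{ca_domain}\n"

def cname_record(pem, domain, ca_domain="ca.example"):
    """Assumed layout: _<MD5>.<domain> CNAME <SHA-256 halves>.<CA domain>."""
    md5, sha256 = dcv_tokens(pem)
    # A DNS label holds at most 63 characters, so the 64-char digest is split.
    target = f"{sha256[:32]}.{sha256[32:]}.{ca_domain}."
    return f"_{md5}.{domain}.".lower(), target.lower()

def matches(published, expected):
    """Compare a served file body or resolved CNAME target with the expected one."""
    def norm(s):
        return s.replace("\r\n", "\n").strip().rstrip(".").lower()
    return norm(published) == norm(expected)
```

Because the values come from the CSR itself, generating a new CSR (for example on reissue) changes both hashes, and the file or record must be republished.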
Organisation validated (OV) SSL-certificates
SSL-certificates can also contain organisation validation. This gives customers who visit a webshop, for example, a deeper sense of trust, since company details are verified by a trusted CA before the OV SSL-certificate is delivered.
In addition to domain validation, the following steps are undertaken to validate the company details of any company that requests an OV SSL-certificate:
- Company validation
- WHOIS validation
- Phone validation
Company data will be verified by the CA in order for it to be included in any OV SSL-certificate. The data that will be verified is:
- Legal or trade name
- Legal form
- Postal code
The data will be checked against public commercial registers. Examples of a commercial register are Dun & Bradstreet (https://www.dnb.com) and the Dutch chamber of commerce (https://www.kvk.nl/). When validating organisation details for an OV SSL-certificate, trade names and postal addresses may be used if they're registered in the commercial register.
WHOIS validation is executed by the CA and usually does not require any form of action from the company that is requesting the SSL-certificate. The CA checks a domain's WHOIS details and compares them to the company details. They must be an exact match.
A contact person who is registered in the commercial register will be contacted by phone to check whether the requesting organisation has actually requested the OV SSL-certificate.
Extended validation SSL-certificates
EV SSL-certificates in general are similar to OV SSL-certificates. There are a few minor differences in the company validation procedure for EV SSL-certificates. The differences are detailed below per subject.
The company name in the CSR needs to be an exact match to the company name registered in the commercial register. If this is not the case, the certificate will be rejected. With EV SSL-certificates you can only use the company's legal name; trade names are not allowed. If you want to include a trade name, you can format the company name in the CSR as detailed below.
Tradename (Legal name)
For companies without a legal name, trade names can be used.
For EV SSL-certificates, every request or renewal will have to be validated by phone. The phone number in the commercial register will be used by the CA to validate new requests or renewals.
When requesting an EV certificate, legal documents have to be signed. These consist of a Certificate Request form and a Certificate Subscriber Agreement. The forms are pre-filled, and the corporate contact needs to check and return the signed documents. The procedure to provide documents can differ per CA.