AusCERT - Domain approval and domain control validation

Domain approval and domain control validation

Date: 19 September 2011
Original URL: http://www.auscert.org.au/render.html?cid=11262&it=14860

Domain approval and Domain Control Validation (DCV)

Domain approval

Before a participant organisation may request/order certificates from the CSM, it must add the associated :

registered, fully qualified domain name (FQDN); or
internal domain entries; or
public IP addresses

which are to appear in the certificate to the Certificate Service Management (CSM) system, for approval by AusCERT. For non-internal domains, and public IP addresses, AusCERT must verify that each FQDN, or public IP address, belongs to the organisation before approving the addition of the domain in the CSM. This applies for all (SSL, code signing and S/MIME) certificate types.

This process does not apply to non-FQDNs that are for internal hosting purposes only. For more information about certificate requirements for non-FQDNs, refer to the FAQ.

Process for submitting a domain registered to your organisation for verification:

The RAO uses the Certificate Service Manager (CSM) to associate one or more domain(s) for their organisation.
AusCERT conducts a validation process that includes a WHOIS check to verify that the domain is registered to the Participant Organisation: AusCERT procedure for primary domain and public IP address approval.
If the validation is successful, AusCERT approves the domain addition.
The domain (and its sub-domains), is available for management within the CSM.
Certificates ordered from within the CSM are subject to further domain control validation (DCV) by Comodo.

Domain Control Validation (DCV)

The CAB Forum standards requires that Comodo and other CAs perform domain control validation (DCV) to verify domain ownership by POs. DCV procedures have been simplified by being built into the AusCERT CS Certificate Service Manager. To read more about using DCV within the CSM, see the following guide:

Initiating Domain Control Validation (DCV) (NEW)

Note that public IP addresses are subject to manual verfication by Comodo.

Extended Validation SSL (EVSSL) certificates

EVSSL certificates have additional ("extended") validation steps, beyond those conducted by AusCERT for domain addition. POs can obtain EV SSL certificates for single and multiple domains, at extra cost, through the Certificate Service Manager. Contact AusCERT CS to enable this to occur. For further details about how to acquire an EVSSL Certificate through Comodo, see the FAQ.

Delays in issuing certificates

The turn-around time for domain approvals is affected by the current AusCERT CS workload, as well as by Comodo DCV requirements. AusCERT will always endeavour to approve domains as quickly as possible, however it can take up to two business days to obtain a certificate. If there are delays, send an email to AusCERT CS.