Verification Requirements for Organisation Validation & Extended Validation SSL Certificates
Here is a general breakdown of the verification areas and requirements:
1. Verification of Domain Control –
This can be quickly done in three different ways:
- By administrator email: you will need to have already existing one of the following five email IDs: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com or firstname.lastname@example.org. If you don’t have one of these already existing to send the verification email to, you can create one of them for this verification process and later delete if you wish.
- By file upload: Any email account @yourdomain.com will do for this method. An email containing a unique code will be sent to the email account provided. You will need to create a file named certum.txt (which you can easily do with notepad or right on your server or hosting account). Next, you copy the unique code in the file upload verification email you received, paste/insert it into this text file and save. You then go to your server or hosting account’s root directory and create a folder called .well-known and inside it, create another folder called pki-validation. Then you can upload or place your certum.txt file there such that it can be viewed in a browser when accessed as such: www.yourwebsite.com/.well-known/pki-validation/certum.txt. Finally, you can head back to the file upload verification email you received and click the “Verify domain” link in it. You should be redirected to a Certum Page in your browser, where you have to click a button to Perform the verification. If you do not see any results, after waiting for 30 seconds, you can click the “Refresh” button until you see green checkmarks showing that your domain(s) has been verified.
- By creating a DNS TXT record: this is simply verification of domain access by creating a TXT record in your domain or hosting account’s DNS. The content of the TXT record should be the unique code you received in the verification email.
See more on DOMAIN VERIFICATION.
PLEASE NOTE in line with new CA/Browser forum rules, the file upload method will no longer be possible for verification in the case of subdomains (e.g. certum.asseco.ng) or Wildcards (*.certum.ng).
2. Verification of Domain Ownership –
This is different from verifying domain control and is only required for issuance of Extended Validation certificates.
There are two ways to meet this requirement:
- By WhoIs Record: We will check to see if the organization requesting the EV certificate is named in the WHoIs Record, whether as admin contact, technical contact or billing contact. If this is not the case, the customer or client could quickly edit any one of the three listings to show the organisation’s name. If the domain has a privacy feature which is hiding the real domain owner contact details, this will have to be removed or disabled so our verification unit can take a look.
- By Domain Purchase/Renewal Receipt: Domain ownership can also be proven by simply providing a softcopy of your domain purchase/registration payment receipt. A payment receipt for renewal is also accepted.
3. Verification of the applicant –
A company employee will have to stand in as the applicant for the EV/OV certificate. This could also be a director, agent, attorney or consultant.
The applicant will need to provide soft copies of Government-issued ID, specifically; international passport, national ID card issued by NIMC (front and rear) or Drivers’ License (front and rear).
Secondly, the applicant must provide a simple authorization letter (which a Director or Senior Management team member can sign). The letter must be in the Organisation’s letterhead.
Below is a sample content for this letter:
Subject Line – Authorization for Purchase of SSL for “The Organisation Name PLC”
Body – I write to confirm that Mr. John Lagbaja is our IT Security Officer and fully authorized to acquire SSL Certificates for the Organisation’s use. Please accord him your full cooperation.
– The letter must be signed by a company director whom we can see listed in the CAC documents (forms 2 and 7). In the case of banks, Government bodies or very large enterprises, we may accept signing by any Manager or Director listed on the corporate website.
– In cases where a company Director is the applicant (meaning we can find this person named in the CAC forms 2 and 7 et al), there will be no need for an authorization letter. The Director will only need to provide his Government-issued ID as defined above.
– Please contact us for who and how to address this letter.
4. Verification of the organisation –
– We will need softcopies of the Organisation’s CAC registration documents; the registration certificate, CAC forms 2 and 7 (or equivalent).
– We will need to find the organisation listed on the CAC’s Public Search engine.
5. Ensuring the company is not inactive
Recently, the CAC threw a spanner in the works when they replaced their registered companies’ portal with a new one which marks most companies as inactive, with the exception of newly registered companies and businesses.
There are two ways we provide to get around this:
- Account statement – a bank account statement showing the company name with with recent transactions.
- Invoice – the organisation requesting a certificate should provide an invoice issued to it within the past one year by some other organisation or business for any product or service. The invoice must be issued to the organisation (not an individual). This could be an invoice issued to the organisation for stationery, supplies, equipment, a bill etc.