1.3.5 SSL certificates and methods of their activation

What is SSL and why is it needed

SSL Security

The SSL protocol ensures confidential communication between client and server. Data is encrypted using public-key cryptography: there are two keys, and each of them can be used both to encrypt a message and to decrypt it, so whatever one key encrypts, the other key decrypts. This makes it possible to receive secure messages by publishing the public key and keeping the private key secret.

SSL works through two “sub-protocols”: the SSL record protocol and the handshake protocol. The record protocol defines the format used for data transfer; the handshake protocol runs on top of it. Thus, on the first connection, a series of messages is exchanged between the server and the client.

When a page is opened on a website that has an SSL certificate installed, the browser requests identification information from the web server. The server then sends a copy of its SSL certificate to the browser. The browser verifies the authenticity of the SSL certificate and reports this to the server. In response, the server sends a digitally signed acknowledgement that allows encrypted data transfer to begin. From this point on, data transmission is protected from interception by third parties.

The SSL certificate then encrypts all data that travels from the client’s computer to your server. The usual link in the browser (http://www.my_domain.com.ua) turns into https, where the “s” stands for secure.

Depending on the type of SSL certificate, it can work only for one domain name (host) or for a domain and its subdomains (subdomain.my_domain.com.ua, billing.my_domain.com.ua, etc.). Certificates also differ in the information they can confirm: some certificates only confirm the authenticity of a domain, while others confirm both the authenticity of the domain name and the fact that the company actually exists.

After ordering, the SSL certificate must be activated. The main types of SSL certificate are:

SSL certificate with domain verification

A Domain Validated SSL certificate is available to everyone: businesses, individuals and private clients. To activate it, you do not need to provide any documents; you only need to pass verification using an email account created on the domain being verified, or using one of the alternative verification methods. Activation of this type of certificate takes approximately 3-8 minutes; on completion, an archive with the certificate files is sent to the email of the certificate administrator. Domain-validated SSL certificates are suitable for small sites and systems where end-user trust is not your top priority.

SSL activation procedure with domain verification: Domain Validation SSL certificates are issued more easily and faster than all others. It takes 3-5 minutes to issue the SSL certificate once verification is passed. No paperwork is required; all you need is control of your domain. DCV (Domain Control Validation) is verification of ownership of a domain name. You can verify the domain using one of the following methods: email verification, DNS CNAME, HTTP/HTTPS file hash and meta tags.

  • Email verification is the most popular and easiest way to pass ownership verification. The CA sends an email to the domain’s administrative contact. The letter contains a unique verification code and links. Follow the link and enter the code to confirm domain control. You can only use the so-called “special 5 email addresses” of the form admin@, administrator@, hostmaster@, webmaster@ and postmaster@. In some cases, you can use the administrative email from WHOIS; to do this, you must disable hiding of domain WHOIS data at the domain registrar.
  • Using DNS CNAME records, you publish hashes that are extracted from the CSR code you submitted. It may take up to 24 hours for the domain to be verified, depending on your DNS server TTL.
  • Via HTTP/HTTPS hash: a quick and easy way to pass domain verification, as it only requires uploading a text file (.txt) containing a hash extracted from your CSR code. The file must be accessible from the Internet. Use the HTTPS method when SSL is already in use and the website is accessible via HTTPS://
  • Using a META tag (GGSSL certificates only): a simple method available only for GGSSL certificates; it requires proof of domain ownership by adding a unique meta tag to the head of the site’s landing page.
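As an added example (not part of the original text and not any CA's own code), the following Python functions model the four DCV methods above offline: the "special 5" mailbox rule, a CNAME answer, the hash file served over HTTP, and the meta tag in the page head. The token recipe, DNS record layout, CA suffix and meta tag name are assumptions; each real CA publishes its own.

```python
import hashlib
import re

# The "special 5" mailboxes a CA accepts for email-based DCV.
APPROVED_LOCAL_PARTS = {"admin", "administrator", "hostmaster", "webmaster", "postmaster"}
META_NAME = "example-ca-validation"  # assumed tag name; each CA uses its own
# Constructed stand-in for a submitted CSR (not a real certificate request).
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nMIIB...constructed...\n-----END CERTIFICATE REQUEST-----\n"


def is_approved_dcv_email(address, domain):
    """True if address is a special-5 mailbox on the validated domain or a parent of it."""
    local, sep, mail_domain = address.strip().lower().rpartition("@")
    if not sep or local not in APPROVED_LOCAL_PARTS:
        return False
    domain = domain.lower().rstrip(".")
    return domain == mail_domain or domain.endswith("." + mail_domain)


def challenge_from_csr(domain, csr_pem):
    """Values the CA derives from the CSR (assumed recipe: SHA-256 of the CSR bytes;
    a real CA's record name, file path and CNAME target suffix differ)."""
    d = hashlib.sha256(csr_pem).hexdigest()
    return {"record_name": f"_{d[:32]}.{domain}".lower(),       # DNS name the CA looks up
            "record_target": f"{d[32:]}.dcv.example-ca.test",   # CNAME target it expects
            "file_body": f"{d}\nexample-ca.test\n",             # content of the .txt file
            "meta_content": d}                                  # content= of the meta tag


def verify_cname(ch, answers):
    """answers: {CNAME name: [targets]} as returned by the domain's DNS (case and trailing dot ignored)."""
    norm = {k.lower().rstrip("."): v for k, v in answers.items()}
    return any(t.lower().rstrip(".") == ch["record_target"] for t in norm.get(ch["record_name"], []))


def verify_http_file(ch, status, body):
    """File must be served with 200; CRLF is normalised so Windows-edited files pass."""
    return status == 200 and body.replace("\r\n", "\n").strip() == ch["file_body"].strip()


def verify_meta_tag(ch, html):
    """The tag must sit inside <head> of the landing page, in any attribute order."""
    head = re.search(r"<head\b[^>]*>(.*?)</head>", html, re.I | re.S)
    if not head:
        return False
    for tag in re.findall(r"<meta\b([^>]*)>", head.group(1), re.I):
        attrs = {k.lower(): v for k, v in re.findall(r'(\w+)\s*=\s*["\']([^"\']*)["\']', tag)}
        if attrs.get("name", "").lower() == META_NAME and attrs.get("content") == ch["meta_content"]:
            return True
    return False
```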

In some cases, additional brand validation is also used: certification authorities may require manual verification if the order is flagged for brand validation. Typically, a decision to issue or reject an application takes about 24-48 hours. There are several reasons why an order may be rejected during manual verification: the order comes from a country such as South Korea, North Korea, Sudan, Afghanistan, Iran or Iraq; the domain name includes a well-known brand, for example sony-shop.net, dellshop.com or facebook.com (the verification system may also read a domain such as “sibmama.com” as “SibMama” and flag the brand “IBM”); or the domain name contains “stop words”, for example: pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection, violence, and others.

Organization Validation SSL

SSL certificates with organization verification are issued only to legal entities. The organization verification process includes the following stages: domain verification, company verification and a verification call. The process takes about 2-5 business days if all documents are submitted on time. The first stage was fully described in paragraph 1. The 2nd stage, verification of the organization: to pass it, you may need to provide some official documents to the certification authority. Basically they require the license/incorporation/statutory documents of the organization. You can send them by fax or email in PDF/JPG format. The real existence of an organization is verified through open state registers, using the company name or unique identification number. The company can also be verified using publicly available electronic directories such as Dun & Bradstreet, Hoovers, Companies House GOV.UK, Lursoft.lv, etc.

You can find the company’s unique Dun & Bradstreet number on its website by entering the English transliteration of the [Ukrainian](https://usr.minjust.gov.ua/content/free-search) company name (not a translation, but a transliteration).

The company address can be verified using one of the following documents:

  • Charter of the company (indicating the address);
  • State license for entrepreneurial activity (indicating the address);
  • A copy of a recent company bank statement;
  • A copy of the latest telephone bill;
  • A copy of the company’s most recent major utility bill (water bill, electricity bill, etc.) or a current lease agreement for the company.

The WHOIS output for the domain must contain the name of the organization, which must match the name in the unified state register of legal entities.

The last, 3rd stage is the verification call: the SSL service provider calls the phone number listed in the international Dun & Bradstreet database of organizations (Kompass.com and Infobell can also be used to validate the phone number and company address) and asks for the person listed as the domain name’s administrative contact. This person must know the order number provided by the Certification Center and be able to confirm the order in English.

When an OV certificate is issued and the order is confirmed by telephone, an email is sent to the customer’s technical contact address containing a link to the Comodo service provider portal. Follow the link and click the Call Me Now button, after which you will receive a 6-digit code at your contact number. Enter the code on the supplier portal and click Submit to complete the verification procedure.

Important! In all documents, information sources, the CSR and the domain WHOIS, the company name and its contact information must be completely identical. To speed up and simplify certificate issuance, we recommend registering a DUNS number for your company. A DUNS number is a kind of electronic passport of a legal entity. This is optional and does not guarantee SSL issuance, but having a DUNS number simplifies the CA verification process.

To change the phone number or company name (if your data does not match the Dun & Bradstreet database), contact the representative office of this organization in Ukraine.

Extended Validation SSL

Extended Validation SSL certificates are the most trusted and thoroughly checked products. Verification takes about 4-7 business days if all documents are completed correctly and on time, so be patient during verification.

  • You must fill out two forms, available via the links:

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/892
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/902

  • Examples of completed forms:

https://www.gogetssl.com/docs/ev_request_form_simplified_example2.pdf
https://www.gogetssl.com/docs/ssl_certificate_subscriber_agreement_example.pdf

After that, send scanned copies of the forms to docs@sectigo.com, indicating in the subject line the order number from the certification center. Sometimes you are asked to notarize the completed forms. The order number appears in emails from Comodo; you can also contact our support team for this information. Other SSL service providers (for example GeoTrust or RapidSSL) send all the necessary forms to the contact email address of your domain. The subsequent stages of validation are similar to those already described:

  • Organization verification stage, described in paragraph 2
  • Domain verification stage, described in paragraph 1
  • Callback stage, described in the 3rd paragraph of the 2nd section