
  • When Geant provisions the Trusted Certificate Service to an NREN, an NREN 'division' is created. Simultaneously, a first administrator for the NREN division is invited by the DigiCert service. The NREN division just serves as a container for the subdivisions of its customers. It doesn't do much more. As soon as the NREN decides that a Subscriber (like University X) can start using the service, the NREN creates a subdivision for that Subscriber. Such a subscriber division is intended for a single legal entity (like a foundation or inc). Within a subscriber division, its administrator creates one or more organisation names (like 'SURFnet B.V.') belonging to the legal entity, as well as domains (like 'surfnet.nl'). By introducing organisations and domains in the portal, the subscriber applies for validation by the DigiCert Validation department. Preferably get your organisation name validated first, and only when that is done start with domains.
    There are SURFnet customers who participate in SURFcertificaten and who have more than one legal entity. They can request a second division at scs-ra@surfnet.nl.

  • Some NREN customers consist of more than one legal entity, for example when an academic hospital is a different legal entity from its university. In that case the customer should apply for a separate division. So one customer can have more than one division.

  • For many customers of an NREN a single Organisation suffices. However, some legal entities have very recognisable institutes which present themselves with their own organisation names. A faculty of a university does not qualify for a separate organisation name: that is an Organisational Unit. An example where more than one separate organisation belongs to one legal entity is the Foundation for Fundamental Research on Matter in the Netherlands. Its Nikhef institute belongs to the foundation, but it is widely known under its own name. In such a case the mother-foundation can try to get DigiCert validation for its daughter. That example worked, but your mileage may vary.

  • For most SURFnet customers, validating one organization is sufficient. There are organizations that have very recognizable separate units under one legal entity. Faculties are not meant here; those are Organisational Units. A few examples are the institutes of FOM (FOM, Differ, Nikhef and AMOLF) and the Foundation VU-VUmc (VU University and VU University Medical Center). In such cases you can try to have more Organizations validated by DigiCert. If in doubt, just contact us in advance at scs-ra@surfnet.nl.

  • Another reason for validating more than one organisation name within a division is the existence of more than one commonly used name or abbreviation. This certainly works when secondary names are formally registered. For example DigiCert Validation will accept 'Tilburg University' as an alias of 'Universiteit van Tilburg' because both names appear in its Chamber of Commerce file. DigiCert also accepts reasonable presentations in ASCII as organisation names in addition to their real names that contain diacritic characters, like the never to be forgotten (Kent!) Linköping Universitet with alternative name Linkoping Universitet.

  • You can attach one domain to more than one of your organizations (although troublesome bugs were discovered there too during testing).

  • Users of the eScience Personal Portal of the TCS Comodo service (such as Atomic and Molecular Physics, LUMC, Nikhef, Groningen, University of Amsterdam, VU and WUR) have a special reason to take care when choosing the Organization name. It is explained below by David Group. If one of the SURFcertificaten participants referred to is still happy with the spelling of their name mentioned below, use it exactly the same. If a different spelling is preferred, then validate that one first, and then add a second Organisation with the eScience spelling (in 7-bit ASCII). Issue eScience grid certificates only under the eScience Organisation name.

  • A domain can be validated for use with more than one organization name. So for example tilburguniversity.edu can be validated for O=Tilburg University as well as O=Universiteit van Tilburg.

  • Organisations participating in the eScience Grid have another important reason to be careful when setting up their organisation names. In the eScience grid, ownership of datasets is assigned to the full Distinguished Name of end users. The O=Organisation is part of the DN. If a TCS subscriber sets up its first organisation name to satisfy the needs of their Communications and Marketing department, it should also set up an Organisation name for eScience if another spelling was historically in use in the grid. The grid always uses 7-bit ASCII organisation names. The name of an organization is (pre)validated by DigiCert before you can get certificates for it. The name is based on data provided by the administrator. It is specifically important that the NAME of the eScience-specific organisation is EXACTLY the SAME as the name that was set in the Comodo service in the Confusa eScience Personal portal(s), including the same capitalisation.

  • Immediately after entering an Organization you submit

    schacHomeOrg               O =
    surfnet.nl                 SURFnet BV
    lumc.nl                    Leiden University Medical Center
    amc.nl                     Academic Medical Center, University of Amsterdam
    wur.nl                     Wageningen University and Research
    nikhef.nl                  Nikhef
    maastrichtuniversity.nl    Maastricht University
    sara.nl                    Foundation Academic Computing Centre Amsterdam
    vu.nl                      VU University Amsterdam
    tudelft.nl                 Delft University of Technology
    rug.nl                     University of Groningen
    eur.nl                     Erasmus University Rotterdam
    tue.nl                     Eindhoven University of Technology
    uva.nl                     University of Amsterdam
    amolf.nl                   AMOLF
    terena.org                 TERENA

    Immediately after entering the Organization you would also submit it for the types of certificates you want to be validated. The wiki page Account mentions in the bullet Users that the administrator who wants to handle Extended Validation will first need to fill in his phone number and his job title. Once that is done, open the organisation and click the 'submit for validation' button. Entering all five (Organization Validated, eScience Grid, Extended Validation, Code Signing, Document Signing) at once is most useful, unless you have defined a separate eScience Organisation name as described above; of course request 'Grid' validation only for the eScience organisation.
     


  • After Organization validation you start requesting domain validations. Only ask domain validation for domains that you own, for which you are the legal 'registrant'. You want to have a good reputation in the eyes of DigiCert Validation; so before requesting validation verify your ownership of domains, for example in these whois services:
  • Domains play no role in Code Signing, Document Signing and Client certificates. So domain validation is about Organisation Validation (OV), Grid Validation (Grid) and Extended Validation (EV). For most domains validate only OV and Grid. The principal domains that you use to present yourself to the world are fine candidates for EV. Don't go for EV validation of domains that are in use at secondary departments not representing the organisation. Don't get EV in the hands of people refusing to read the legal texts, especially the TCS Terms of Use. You don't want these people to get you into liability fights with American lawyers.
  • Domain validation is currently, in principle, valid for 36 months; so there is no Domain Control Validation mail per certificate. That's very nice, for instance because DCV handling and spam filtering at participants occasionally goes wrong and generally sucks.

  • DigiCert does its single shot domain validation using mail to (part of) the infamous 7 domain addresses: admin, administrator, hostmaster, postmaster, webmaster, whois technical contact and WHOIS administrative contact. DigiCert DNS based DCV is available but as yet poorly understood.
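
The exact-match requirement for eScience organisation names, as an added example that is not part of the original wiki page: a Python check that compares a proposed O= value with the historical name for a schacHomeOrg and flags non-ASCII characters and near-misses in case or diacritics. The table holds three rows copied from the page; the function names and the simple comma-separated DN format are assumptions.

```python
import unicodedata

# Three rows copied from the schacHomeOrg -> O= table on this page.
ESCIENCE_ORG = {
    "surfnet.nl": "SURFnet BV",
    "nikhef.nl": "Nikhef",
    "vu.nl": "VU University Amsterdam",
}

def fold(name):
    """Strip diacritics, case and extra whitespace, for near-miss detection only."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_marks.casefold().split())

def check_org_name(schac_home_org, proposed, table=ESCIENCE_ORG):
    """Return a list of problems; an empty list means the name matches exactly."""
    expected = table.get(schac_home_org)
    if expected is None:
        return [f"no historical eScience name known for {schac_home_org}"]
    problems = []
    if not proposed.isascii():
        problems.append("name is not 7-bit ASCII")
    if proposed != expected:
        if fold(proposed) == fold(expected):
            # Same name to a human, but a different DN to the grid.
            problems.append(
                f"differs only in case, spacing or diacritics from {expected!r}")
        else:
            problems.append(f"does not match historical name {expected!r}")
    return problems

def org_from_dn(dn):
    """Extract the O= value from a DN string.

    Assumes a simple comma-separated form without escaped commas
    (hypothetical input format, e.g. 'C=NL, O=Nikhef, CN=Jan Jansen').
    """
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return None

if __name__ == "__main__":
    dn = "C=NL, O=NIKHEF, CN=Jan Jansen"  # constructed sample DN
    print(check_org_name("nikhef.nl", org_from_dn(dn)))
```
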