  • When Geant provisions the Trusted Certificate Service to an NREN, an NREN 'division' is created. Simultaneously, a first administrator for the NREN division is invited by the DigiCert service. The NREN division just serves as a container for the subdivisions of its customers. It doesn't do much more. As soon as the NREN decides that a Subscriber (like University X) can start using the service, the NREN creates a subdivision for that Subscriber. Such a subscriber division is intended for a single legal entity (like a foundation, inc). Within a subscriber division, its administrator creates one or more organisation names (like 'SURFnet B.V.') belonging to the legal entity, as well as domains (like surfnet.nl). By introducing organisations and domains, the subscriber applies for validation by the DigiCert Validation department. Preferably get your organisation name validated first, and start with domains only when that is done.

  • Some NREN customers consist of more than one legal entity, for example when an academic hospital is a different legal entity from its university. In that case the customer should apply for a separate division. So one customer can have more than one division.

  • For many customers of an NREN a single Organisation suffices. However, some legal entities have very recognisable institutes which present themselves with their own organisation names. A faculty of a university does not qualify for a separate organisation name: that is an Organisational Unit. An example where more than one separate organisation belongs to one legal entity is the Foundation for Fundamental Research on Matter in the Netherlands. Its Nikhef institute belongs to the foundation, but it is widely known under its own name. In such a case the mother-foundation can try to get DigiCert validation for its daughter. That example worked, but your mileage may vary.

  • Another reason for validating more than one organisation name within a division is the existence of more than one commonly used name or abbreviation. This certainly works when secondary names are formally registered. For example DigiCert Validation will accept 'Tilburg University' as an alias of 'Universiteit van Tilburg' because both names appear in its Chamber of Commerce file. DigiCert also accepts reasonable presentations in ASCII as organisation names in addition to their real names that contain diacritic characters, like the never to be forgotten (Kent!) Linköping Universitet with alternative name Linkoping Universitet.

  • A domain can be validated for use with more than one organization. So for example tilburguniversity.edu can be validated for O=Tilburg University as well as O=Universiteit van Tilburg.

  • Organisations participating in the eScience Grid have another important reason to be careful when setting up their organisation names. In the eScience grid, ownership of datasets is assigned to the full Distinguished Name of end users. The O=Organisation is part of the DN. If a TCS subscriber sets up its first organisation name to satisfy the needs of its Communications and Marketing department, it should also set up an Organisation name for eScience if another spelling was historically in use in the grid. The grid always uses 7-bit ASCII organisation names. It is especially important that the NAME of the eScience-specific organisation is EXACTLY the SAME as the name that was set in the Comodo service in the Confusa eScience Personal portal(s), including the same capitalisation.


  • Immediately after entering the Organization, also request validation for the types of certificates you want: open the organization and click the 'submit for validation' button. Requesting all five (Organization Validated, eScience Grid, Extended Validation, Code Signing, Document Signing) at once is most useful, unless you have entered a special eScience Organisation name as described above; in that case you of course request eScience Grid only for the Organisation intended for eScience.

  • After an Organization has been validated, associate domains with it for SSL and Grid certificates. Request domain validation only for domains of which you are the legal holder. You want to be in good standing with DigiCert; therefore verify beforehand who the holder is, for example in the whois.
  • For most domains you just want to request Organization Validated (OV) and Grid certificates. For your main domain, with which you present yourself to the world, you will want to use Extended Validation. You certainly do not want to make EV available to obscure units within your organization that do not present themselves on the web on behalf of your organization. You do not want to let EV be used by people who do not want to read the legal texts, especially the TCS Terms of Use. You do not want to get into a fight with American liability parties.

  • Domain validation is currently in principle valid for 36 months, so there is no Domain Control Validation mail per certificate. That is very nice, because for instance spam filtering at SURFcertificaten participants is rather a nuisance.

  • DigiCert performs the one-time DCV with a burst of mail to (part of) the infamous 7 addresses of the domain: admin, administrator, hostmaster, postmaster, webmaster, WHOIS technical contact and WHOIS administrative contact. There are also options to arrange DCV using DNS records.
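
For the eScience organisation name requirement described above (7-bit ASCII, identical to the historical name including capitalisation), the following added example, which is not part of the original page or of the TCS tooling, checks a candidate name against the O= component of existing grid DNs. The slash-separated DN notation and the sample DNs are assumptions constructed for illustration.

```python
import unicodedata
from typing import List, Optional

def ascii_form(name: str) -> str:
    """Drop combining marks so 'Linköping' becomes 'Linkoping'.
    Letters with no Unicode decomposition (e.g. 'ø') are left unchanged."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def org_from_dn(dn: str) -> Optional[str]:
    """Return the O= value of a slash-separated DN (assumed notation)."""
    for rdn in dn.strip("/").split("/"):
        key, _, value = rdn.partition("=")
        if key.strip() == "O":
            return value
    return None

def check_escience_org(candidate: str, legacy_dns: List[str]) -> List[str]:
    """List reasons why `candidate` would change the O= part of existing DNs."""
    problems = []
    if not candidate.isascii():
        problems.append(
            f"not 7-bit ASCII; ASCII form is {ascii_form(candidate)!r}")
    legacy_orgs = sorted({o for o in map(org_from_dn, legacy_dns) if o})
    for org in legacy_orgs:
        if org == candidate:
            continue  # byte-for-byte identical: dataset ownership is preserved
        if org.casefold() == candidate.casefold():
            problems.append(f"capitalisation differs from legacy O={org!r}")
        else:
            problems.append(f"does not match legacy O={org!r}")
    return problems

# Constructed sample DNs; real ones come from your existing grid certificates.
LEGACY_DNS = [
    "/DC=org/DC=example/O=Linkoping Universitet/CN=Constructed User 1",
    "/DC=org/DC=example/O=Linkoping Universitet/CN=Constructed User 2",
]

if __name__ == "__main__":
    for name in ("Linkoping Universitet", "Linkoping universitet",
                 "Linköping Universitet"):
        print(repr(name), "->", check_escience_org(name, LEGACY_DNS) or "OK")
```

An empty result means the candidate can be entered as the eScience organisation name without altering the DNs that datasets are assigned to.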