JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Audit process: All you need to know

one of the main role of a SSL certificate is ti identify its owner. It is done before the certificate issuance via an audit - more or less advanced according to the kind of certificate - (1-, 2-, 3-, 6-factor: what's the difference?). For a standard certificate the audit goes through 4 points of control:

  • the existence of the organization
  • the requester has the agreement from the technical owner of the domain he wants to secure
  • that the organization has a phone number that can be found on a directory
  • that a member of the organization authorizes the issuance of the certificate

Nota : No matter the certification authority selected, the audited data is always the same even though the documents requested and the methods can differ.

Existence of the organization

We make sure the organization is actually a real one (the certificate is always issued under the name of the organization headquaters) by requesting either:

  • A company number
  • A national organization ID number
  • a declaration receipt for an association
  • ...

Logically an organization that does no longer exist cannot own a SSL certificate.

Domain ownership

During the audit we check that the domain to be secured is owned by the organization. Each authority uses its method:

  • Symantec, Thawte and Geotrust: we make sure via the challenge DCV that the domain's owner approves the certificate issuance
  • GlobalSign : we make sure via the challenge DCV that the domain's owner approves the certificate issuance
  • Comodo & TBS X509 : we make sure via the challenge DCV that the domain's owner approves the certificate issuance

How to update your WHOIS information with OVH

Phone number

We have to make sure the organization phone number is listed in a directory (yellow pages or 118 712 for example). The organization address and name must be exactly the same than displayed on the Kbis.

If not:

  • For Comodo and TBS X509 certificates (non EV): request a directory update or use a POL (ask the template to our audit team)
  • For Symantec, Thawte and Geotrust certificates: request a directory update or use a POL (ask the template to our audit team). The authority can also send a "password letter" to the organization by postal mail.
  • For GlobalSign certificates : request a directory update. The authority can also send a "password letter" to the organization by postal mail.

Final vetting call

Once the audit is over, we ask a member of the organization the authorization to issue the certificate and make sure the request has been made by the organization. To do so, we use a phone number that has been certified during the audit.

DCV validation

The DCV challenge helps us make sure the domain manager approves the certificate issuance. See:

PARTICULAR CASE: EXTENDED VALIDATION CERTIFICATES

The audit process for an Extended Validation certificate is way more advanced and the documents requested are different even though it checks the same kind of information.

See an authentication factors comparison

IMPORTANT: This procedure is applied whether for a new request or for a renewal. An entire new audit is done for a renewal. The same way, it is your responsability to signal any name modification, handover or activity termination that would lead to the certificate revocation.

In short: how to optimize your orders?

While placing your order:

  • Provide information about the headquarters (as registered on official documents) of the organization
  • Make sure the organization has the agreement from the technical owner of the domain to secure and that the DCV challenge can be validated
  • Check the exactitude of the information displayed on the yellow pages or create an entry on one of those registries:How to register to a french phone directory
  • Finally, make sure the corporate contact can be reached via the organization switchboard during the days following the order for the vetting call.