Certificate verification

Once a certificate is purchased, Wesentra carries out a procedure to verify it. Our verification specialists use public information sources to perform the necessary checks for the certificate. Any calls we need to make will take place during working hours and in the appropriate language.

Once the certificate has been purchased and the customer information entered, Entrust will send an email to the customer. In the case of new customers and new domains, the person registered as the authorised contact person will receive an email with a link to where they can sign a consent form and confirm their subscription.

From this point on, Wesentra will perform all the data checks required for verification. We check the information against officially approved sources, because the company’s own website is never enough on its own. Learn what EV certificates, OV certificates, and domain verification mean in practice!

Steps in the Process of Organisation Validation (OV)

Business Check – verifies the applicant company’s information. We check its official legal name, business ID registration, and address information to confirm that it is a legal entity and that the company is still in business. This information is typically found in 3rd party registries, where the company’s name should be officially registered.

Domain Check – verifies the ownership and registration information of a domain. Ownership should be verifiable in one of three ways: email, web server, or DNS.

Authorised Contact Check – verifies that the authorised contact person is actually employed by the company / organisation. We will call this person using a third-party number and check over the phone whether they have genuinely accepted the online subscription, given their consent and will allow the technical contact to perform their stated role.

This check can also be performed by email if the domain part of the contact person’s email is the same as the web page address in the official 3rd party registry.

Steps in the Process of Extended Validation (EV)

As EV stands for Extended Validation, it requires a few more verification steps than the OV certificate. The higher authority employment check verifies that the higher authority is genuinely employed by the organisation and authorised to let the people named in the EV application carry out the verification tasks.

This information is retrieved from official business registers, or by Wesentra phoning a switchboard or human resources management number found from a third-party source (e.g., BIS, Hoovers, D&B), where the said person’s position in the organisation can be confirmed verbally. This higher authority can then confirm that the contract signer and contact person are fully authorised to work in their roles, and that their contact details are correct.

In addition, Wesentra will verify the contract signer or contact person authorised by the higher authority to receive and approve the subscription agreement and online consent form which were sent. This verification will also check with the higher authority that the person named in the application to manage and apply for certificates on behalf of the organization (certificate requester) is authorised to act in that capacity.

Once Wesentra has completed this verification procedure, we provide Entrust with all the documents they require to fully audit the information and give their final seal of approval. Only then can the certificates be made.

Domain Check

1. Email

To check the domain’s authenticity, an automatic message will be sent to either the administrator@, admin@, postmaster@, hostmaster@, or webmaster@ address of the domain name to be added. One of the above recipients must open the acceptance link in the email and accept the domain for verification to be approved – at which point the domain is immediately available on the portal.

2. Web Server

In this case, a small file is sent from the portal with instructions on how to upload it to the web server for that domain. The existence and content of the file are automatically checked every 20 minutes. When the file is detected and its content is found to be correct, the domain is accepted and made immediately available on the portal. Approval usually takes between one and two hours from uploading.

3. DNS

The domain is approved via a series of numbers and letters retrieved from the portal that must then be added to the TXT record of the domain’s DNS. The DNS record is polled about every 60 minutes, and when the correct sequence of numbers and letters is found, the domain is accepted and becomes immediately available on the portal. Please note that the _pki-validation is set to a random value.

4. DNS TXT CONTACT

You can add an email address to the DNS TXT record for domain verification. The email address should be added to the TXT record in the format:

  • _validation-contactemail.example.com domainowner@example.com
    • ‘_validation-contactemail’ must be added to the TXT record.

  • Email addresses on the DNS record are not automatically enabled on the portal. If you want to enable them, please send us a request via email (verification@wesentra.com) and we will add this feature to the portal.

  • Compared to the DNS verification method, this method is easier because you only need to add the address to the DNS information once and the information remains there. Once it is there, you will be able to verify your domain using the email address you just added.

5. DNS CAA Contact

This method allows a customer to list an email address in the DNS CAA record of the domain, and this email can be used in the future to verify the domain.

  • The email address for a CAA record should be in the format: CAA 0 contactemail domainowner@example.com

    • This ‘contactemail’ must be added to the CAA record

  • Email addresses on the DNS record are not automatically enabled on the portal. If you want to enable them, please send us a request via email (verification@wesentra.com) and we will add this feature to the portal.

  • Compared to the DNS verification method, this method is easier because you only need to add the address to the DNS information once and the information remains there. Once it is there, you will be able to verify your domain using the email address you just added.
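
The email, DNS TXT contact and DNS CAA contact methods above all come down to a set of mailboxes that can approve validation of a domain, so it is worth auditing that set. The following is an added example, not Wesentra's or Entrust's own code: it lists every such mailbox from zone data and flags those outside the domain. The zone lines are constructed sample data in standard zone-file layout, and the function names are hypothetical.

```python
import re

# The five mailboxes the page lists for the email method.
ADMIN_LOCAL_PARTS = ("administrator", "admin", "postmaster", "hostmaster", "webmaster")

# Constructed zone-file lines for example.com (sample data, not from a real zone).
SAMPLE_ZONE = """\
example.com.                          3600 IN CAA 0 issue "ca.example"
example.com.                          3600 IN CAA 0 contactemail "domainowner@example.com"
_validation-contactemail.example.com. 3600 IN TXT "domainowner@example.com"
_validation-contactemail.example.com. 3600 IN TXT "old-agency@thirdparty.example"
www.example.com.                      3600 IN TXT "contact@elsewhere.example"
"""

# owner, TTL, class IN, record type, then the record data
RECORD = re.compile(r'^(\S+)\s+\d+\s+IN\s+(TXT|CAA)\s+(.*)$')

def validation_approvers(domain, zone_text):
    """Return {address: source} for every mailbox that could approve validation."""
    domain = domain.rstrip(".").lower()
    approvers = {f"{lp}@{domain}": "email method" for lp in ADMIN_LOCAL_PARTS}
    for line in zone_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        owner, rtype, rdata = m.group(1).rstrip(".").lower(), m.group(2), m.group(3)
        if rtype == "TXT" and owner == f"_validation-contactemail.{domain}":
            addr, source = rdata.strip().strip('"'), "DNS TXT contact"
        elif rtype == "CAA" and owner == domain:
            parts = rdata.split(None, 2)  # flags, tag, value
            if len(parts) != 3 or parts[1].lower() != "contactemail":
                continue  # other CAA properties (issue, iodef, ...) are not contacts
            addr, source = parts[2].strip().strip('"'), "DNS CAA contact"
        else:
            continue  # record sits at another name, so it does not apply
        approvers.setdefault(addr.lower(), source)
    return approvers

def external_approvers(domain, zone_text):
    """Approver addresses hosted outside the validated domain; review these first."""
    domain = domain.rstrip(".").lower()
    return sorted(a for a in validation_approvers(domain, zone_text)
                  if a.rsplit("@", 1)[-1] != domain)

if __name__ == "__main__":
    for addr, source in validation_approvers("example.com", SAMPLE_ZONE).items():
        print(f"{addr:40} {source}")
    print("external:", external_approvers("example.com", SAMPLE_ZONE))
```

Because contact records remain in DNS after they are added, a stale address such as a former agency's mailbox stays able to approve validation until the record is removed.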