...

  • First name, last name, email and preferred user name for the first admin (RAO) of your organization. That person should be a current Administrator in the DigiCert CertCentral system.
  • Organization name, address line, postal code, city and county (län).

We know that Sectigo uses at least https://www.infobel.com/en/sweden and https://proff.se/ to check address and postal code, so please try to find a record there for your organization and use that address line and postal code if it is not obviously wrong (it is not likely that anyone will rely on the address information in your OV certificates to send you paper mail...). If you use other address/postal code information you risk having your organization validation delayed.

...

  1. Make sure that you do not have CAA records in your DNS zone that forbid Sectigo from issuing certificates for the domain; if you do, domain validation will fail too. Having no CAA records is OK, as is having CAA records that list "sectigo.com" as approved.
  2. Go to Settings → Domains → Delegations and press the Add button. Fill in the domain name (example.org) and the optional description. Select the type of certificates (SSL, client, CS) that should be enabled for this domain. For your main domain you would typically enable all of them, but for most additional domains you would only enable SSL certificates. If you have set up Departments and this domain should be delegated to the DRAOs of that department, expand the selection line and enable the domain for the right department and the appropriate types too.
  3. Use Add again, embrace the cargo cult, and redo exactly the same step for the domain name with "*." prepended to it (*.example.org in our example).
  4. Wait for a SUNET MRAO to approve your domain delegations. Unfortunately, this step is necessary at this time, but we have asked Sectigo to remove it. When this is done, the delegation status will be Approved and you can proceed to the next step.
  5. Switch from the Delegations to the DCV tab. Click on the right line to check it, and use the DCV button that appears to initiate DCV. Select method:
    • Email means that you select one of the five allowed addresses for the domain, and then receive and handle an email sent to that address. For our example, it would be one of "admin@example.org", "administrator@example.org", "hostmaster@example.org", "postmaster@example.org" or "webmaster@example.org".
    • CNAME means that you will be instructed to put a CNAME record with a hash value name in your DNS zone, pointing to another hash value. The system will tell you the values.
    • HTTP/HTTPS means that you will be instructed to put certain contents in a file with a certain name on the web server for your domain name.
  6. Follow the instructions for the method you selected. We have noted that when using the email method, it is typical to be told that the code was right, but that there was some other error. If the next step is OK, do not get stuck on that.
  7. When the validation is OK, you will see Validation Status as Validated in the DCV tab. In the Delegations tab, the domain itself should also be shown as Validated. The extra record with "*." prepended will still show as Not Validated for some time (hours to a day) and will then be updated to be Validated too.
  8. You are now ready to use this domain and its subdomains for certificate requests.
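As an added check for step 1 (example code, not SUNET's or Sectigo's own), the following evaluates a CAA record set the way RFC 8659 describes, for both of the names the delegation steps add (example.org and *.example.org). The zone data is constructed for the example and stands in for a real DNS query; the only CA identifier used is the "sectigo.com" value named above.

```python
# Constructed CAA data keyed by owner name: (flags, tag, value) tuples; stands in for DNS.
CONSTRUCTED_CAA = {
    "example.org": [(0, "issue", "sectigo.com")],
    "nowild.example.org": [(0, "issue", "sectigo.com"), (0, "issuewild", ";")],
    "locked.example.org": [(0, "issue", ";")],
}
SECTIGO_CAA_ID = "sectigo.com"  # the CAA identifier named in the text above
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def lookup_caa(name):
    """Stand-in for a DNS CAA query (constructed data, not live DNS)."""
    return list(CONSTRUCTED_CAA.get(name.lower().rstrip("."), []))

def relevant_caa_set(name):
    """RFC 8659 section 3: walk toward the root; the closest name that has
    a CAA RRset governs issuance for every name beneath it."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuance_allowed(name, ca_id=SECTIGO_CAA_ID):
    """Return True if the CA identified by ca_id may issue for name.
    A name starting with "*." is evaluated as a wildcard request."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # An unrecognised property carrying the critical flag (bit 128) forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # issuewild governs wildcard names when present; otherwise issue is used.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # CAA present but no issue/issuewild property: unrestricted
    # Value is "<issuer-domain>[; params]"; an empty issuer domain forbids every CA.
    return any(v.split(";", 1)[0].strip().lower() == ca_id.lower() for v in values)

def check_delegation_pair(domain, ca_id=SECTIGO_CAA_ID):
    """Check both records the delegation steps add: the domain and its "*." form."""
    return {domain: issuance_allowed(domain, ca_id),
            "*." + domain: issuance_allowed("*." + domain, ca_id)}
```

Note that a zone with issue "sectigo.com" but issuewild ";" passes for the plain name and fails for the "*." record, which is exactly the pair steps 2 and 3 add.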

Additional organizations

If you need additional organization names (values for the O= part of a certificate), that will have to be added by a SUNET MRAO for you. Follow the same steps as for your first organization (see above under "Getting access to the system"), but instead of providing information about a "first admin", tell us the usernames for the administrators of your "main organization" that should also be RAOs for the new organization.

Note: you should not add an extra organization ("Smorgasboda Hogskola" in addition to "Smörgåsboda Högskola") to get a name without non-ASCII characters for grid certificates, as that will be handled differently. We will update this document when Sectigo has provided the details.

Departments

To add a department:

  • Go to Settings → Organizations and click on the organization line to check it, then use the Departments button to bring up the listing window and press Add.
  • Fill in the desired OU= name component in the Department Name field. The rest of the name components will be as for your organization.
  • Select the Client Certificate tab and disable Key Recovery for MRAO and DRAO ("Allow Key Recovery by Master Administrators" and "Allow Key Recovery by Department Administrators", respectively). It will already be disabled for RAOs as that was part of the organization setup done by SUNET.
  • Do not fret over other options on the various tabs, as they can be changed later. Do not enable or change things you do not understand. Finish using the OK button.

Admins connected to the department

You can now go on to create admins (see below) that are DRAOs connected to just this department instead of being RAOs for the whole organization.

Domain(s) connected to the department

If you add department admins (DRAOs) that can approve certificates for their department, you will most likely want to limit them to their own domain (department-example.com) or a subdomain of your main domain (department.example.org) if we imagine that your main domain is example.org.

In the first case with a completely new domain for the department, follow the normal domain validation procedure above to add department-example.com and *.department-example.com with delegation to the department and initiate DCV as you did for your main domain.

In the second case with a subdomain of your already validated main domain, you will still add department.example.org and *.department.example.org with delegation to the department, but you will not have to initiate DCV again, as the SCM is smart enough to know that example.org is already validated. As for your main domain, you should expect department.example.org to show as Validated at once, and *.department.example.org with some delay.