...

  1. Make sure that you do not have CAA records in your DNS zone that forbid Sectigo from issuing certificates for the domain. If you do, domain validation will fail too. Having no CAA records at all is OK, as is having CAA records that list "sectigo.com" as an approved issuer.
  2. Go to Settings → Domains → Delegations and press the Add button. Fill in the domain name (example.org) and the optional description. Select the type of certificates (SSL, client, CS) that should be enabled for this domain. For your main domain you would typically enable all of them, but for most additional domains you would only enable SSL certificates. If you have set up Departments and this domain should be delegated to the DRAOs of that department, expand the selection line and enable the domain for the right department and the appropriate types too.
  3. Use Add again, embrace the cargo cult, and redo exactly the same step for the domain name with "*." prepended to it (*.example.org in our example).
  4. Wait for a SUNET MRAO to approve your domain delegations. Unfortunately, this step is necessary at this time, but we have asked Sectigo to remove it. When this is done, the delegation status will be Approved and you can proceed to the next step.
  5. Switch from the Delegations to the DCV tab. Click on the right line to check it, and use the DCV button that appears to initiate DCV. Select method:
    • Email means that you select one of the five allowed addresses for the domain, and then receive and handle an email sent to that address. For our example, it would be one of "admin@example.org", "administrator@example.org", "hostmaster@example.org", "postmaster@example.org" or "webmaster@example.org".
    • CNAME means that you will be instructed to put a CNAME record with a hash value name in your DNS zone, pointing to another hash value. The system will tell you the values. Please verify using an external resolver that the CNAME record is in place and externally visible.
    • HTTP/HTTPS means that you will be instructed to put certain contents in a file with a certain name on the web server for your domain name.
  6. Follow the instructions for the method you selected. We have noted that when using the email method, it is typical to be told that the code was right, but that there was some other error. If the next step is OK, do not get stuck on that.
  7. When the validation is OK, you will see Validation Status as Validated in the DCV tab. In the Delegations tab, the domain itself should also be shown as Validated. The extra record with "*." prepended will still show as Not Validated for some time (hours to a day) and will then be updated to be Validated too.
  8. You are now ready to use this domain and its subdomains for certificate requests.
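Step 1 (no CAA record may forbid Sectigo) and step 3 (the separate "*." delegation) both come down to how a CA evaluates CAA. The script below is an added example, not part of the SUNET or Sectigo documentation: it implements the RFC 8659 lookup (walk from the name towards the root, use the first non-empty CAA set) and the issue/issuewild decision against a constructed in-memory zone instead of live DNS, so it runs offline. The zone contents, the record class and the function names are all assumptions made for the example; only "sectigo.com" as the issuer domain to allow comes from the page.

```python
"""Check whether a CAA policy permits Sectigo to issue for a given name.

Added example (not SUNET/Sectigo code). Implements the RFC 8659 relevant-
record-set lookup and the issue/issuewild evaluation over a constructed
in-memory zone so that it runs without network access.
"""
from dataclasses import dataclass

SECTIGO_CAA_DOMAIN = "sectigo.com"  # issuer domain the page says to allow


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", or something unknown
    value: str   # e.g. "sectigo.com", "sectigo.com; accounturi=...", or ";"


def issuer_domain(value: str) -> str:
    """Issuer-domain part of an issue/issuewild value, without ';' parameters."""
    return value.split(";", 1)[0].strip().lower()


def relevant_record_set(zone: dict, name: str) -> list:
    """RFC 8659 section 3: climb from name towards the root and return the
    first non-empty CAA RRset found (empty list if there is none)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuance_allowed(zone: dict, name: str,
                     ca_domain: str = SECTIGO_CAA_DOMAIN) -> bool:
    """Decide whether ca_domain may issue for name ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    rrset = relevant_record_set(zone, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA anywhere up the chain: any CA may issue
    # An unrecognised property marked critical must make the CA refuse.
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue does.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # only iodef/unknown non-critical tags: no restriction
    # A value of ";" yields an empty issuer domain and so never matches.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in governing)


# Constructed sample zones (not real DNS data).
ZONE_OK = {
    "example.org": [CAARecord(0, "issue", "sectigo.com"),
                    CAARecord(0, "iodef", "mailto:hostmaster@example.org")],
}
ZONE_OTHER_CA = {
    "example.org": [CAARecord(0, "issue", "some-other-ca.example")],
}
ZONE_NO_WILDCARD = {
    "example.org": [CAARecord(0, "issue", "sectigo.com"),
                    CAARecord(0, "issuewild", ";")],  # no wildcard issuance
}
ZONE_CRITICAL_UNKNOWN = {
    "example.org": [CAARecord(128, "futuretag", "whatever")],
}


def report(zone: dict, names: list) -> dict:
    """Map each requested name to True/False for Sectigo issuance."""
    return {n: issuance_allowed(zone, n) for n in names}


if __name__ == "__main__":
    for label, zone in (("ok", ZONE_OK), ("other-ca", ZONE_OTHER_CA),
                        ("no-wildcard", ZONE_NO_WILDCARD)):
        print(label, report(zone, ["mail.test.example.org", "*.example.org"]))
```

The point the page makes in step 3 shows up in the last zone: "example.org" alone passes while "*.example.org" fails, because the issuewild property, when present, overrides issue for wildcard names. Run it against the CAA records you actually publish (after exporting them into the same shape) before starting DCV, rather than discovering the refusal from the CA.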

...

Notes on specific certificate types

GÉANT OV SSL

Currently (2020-04-08), if you use the GÉANT OV SSL type and request a certificate for mail.test.example.org, you will get that name put in a DNS Subject Alternative Name, but you will also get a DNS Subject Alternative Name for www.mail.test.example.org. We recommend that you use GÉANT OV Multi-Domain instead if you do not want this, as no extra www-prepended name is added for that type. This has been reported to GÉANT.

EV Certificates

If you need EV certificates, talk to tcs@sunet.se about how to proceed, as the best procedure will not be to just request an individual EV certificate. Also, we would like to work with you to document the process for the benefit of other members.

...