This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}], the lowest and most common [Certificate Level Of Assurance] issued by a [Certificate Authority], checks only that the applicant has [Control] of a specific [DNS Domain].
__No__ company identity information is vetted, and no information is displayed other than encryption information within the Secure Site Seal.
[{$pagename}] is simply for [confidentiality] (e.g. [encryption]).
!! [{$pagename}]
[{$pagename}] is the lowest [Certificate Level Of Assurance] and usually consists only of "__Domain Control Validation__"
[Registration Authority] (or [Certificate Authority]) [MUST] only issue a [certificate] after performing Domain Control Validation (DCV). One way of validating domain ownership is through [HTTP] validation, done by uploading a text file to a specific [HTTP] [endpoint] on the [Website] they want to secure. Another DCV method is done using [email] verification, where an email with a validation code link is sent to the administrative contact for the [DNS Domain].
! HTTP Validation
Suppose Alice buys the [DNS Domain] name aliceswonderland.com and wants to get a dedicated [certificate] for this domain. [Alice] chooses to use [Lets encrypt] as her [Certificate Authority]. First, Alice must generate her own [Private Key] and create a [Certificate Signing Request] ([CSR]). She sends the [CSR] to Let’s Encrypt, but the [Certificate Authority] won’t issue a certificate for that [CSR] and [Private Key] until it knows [Alice] owns aliceswonderland.com. [Alice] can then choose to prove that she owns this domain through [HTTP] validation.
When Let’s Encrypt performs DCV over HTTP, they require Alice to place a randomly named file in the /.[Well-known]/[acme|ACME]-challenge path for her [website]. The CA must retrieve the text file by sending an [HTTP GET] request to http://aliceswonderland.com/.well-known/acme-challenge/<random_filename>. An expected value must be present on this endpoint for DCV to succeed.
For HTTP validation, Alice would upload a file to http://aliceswonderland.com/.well-known/acme-challenge/YnV0dHNz
where the body contains:
{{{$ curl -i http://aliceswonderland.com/.well-known/acme-challenge/YnV0dHNz

Request:
GET /.well-known/acme-challenge/YnV0dHNz HTTP/1.1
Host: aliceswonderland.com

Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream

YnV0dHNz.TEST_CLIENT_KEY
}}}
The CA instructs Alice to use the [Base64] token YnV0dHNz; TEST_CLIENT_KEY stands for an account-linked key that only the certificate requestor and the CA know. The CA uses this combination of token and key to verify that the certificate requestor actually owns the domain. Afterwards, Alice can get her certificate for her website!
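The HTTP validation exchange above, worked through as an added example (not code from this page or from Let’s Encrypt): it builds the challenge body the way ACME (RFC 8555) defines it, the token followed by the SHA-256 thumbprint of the account key (which is what the page’s TEST_CLIENT_KEY placeholder stands for), and checks it the way the CA does. The account JWK and the dictionary standing in for the HTTP GET are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import re

_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # base64url alphabet only (RFC 8555 s8.3)


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWK thumbprints use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the key's required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Requestor side: the body to serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(domain: str, token: str, account_jwk: dict) -> dict:
    """Requestor side: stand-in for uploading the file; maps the challenge URL to its body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return {url: key_authorization(token, account_jwk)}


def validate_http01(served: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the challenge URL (a dict lookup here instead of an HTTP GET) and
    compare the body with the key authorization derived from the account key."""
    if not _TOKEN_RE.fullmatch(token):  # refuse tokens that could change the request path
        return False
    body = served.get(f"http://{domain}/.well-known/acme-challenge/{token}")
    if body is None:
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip().encode(), expected.encode())


# Constructed sample: Alice's ACME account key as a P-256 JWK (x/y are filler bytes).
ALICE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                     "x": b64url(bytes(range(1, 33))), "y": b64url(bytes(range(33, 65)))}

if __name__ == "__main__":
    served = publish_challenge("aliceswonderland.com", "YnV0dHNz", ALICE_ACCOUNT_JWK)
    print(served)
    print(validate_http01(served, "aliceswonderland.com", "YnV0dHNz", ALICE_ACCOUNT_JWK))
```

Only the holder of the account key can produce a body the CA accepts, so a file planted by anyone else under /.well-known/acme-challenge/ fails validation.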
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [What are the different types of SSL Certificates?|https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/|target='_blank'] - based on information obtained 2017-01-23