News | SwissSign
A data security specialist by Swiss Post

Main section

09.08.2021

Information for SwissSign MPKI customers

The CA/Browser Forum, the regulatory body for public key certificates on the Internet, is constantly adjusting the security requirements for these certificates so that they can withstand the current threats on the Internet. In this regard, increased safety requirements have also been adopted this year, which affect how certificates will be issued in the future. In particular, the requirements concerning the proof of ownership of a domain name for the purpose of issuing SSL/TLS certificates have changed.

Frequency of proof of ownership of a domain name

Until now, proof of ownership of a domain name only had to be provided annually for the issuance of Extended Validation (EV) certificates. Now, this evidence must be provided annually for the issuance of all SSL/TLS certificates.

 

 

Method for providing proof of ownership of a domain name The proof is provided by the customer’s publication of a random value (“secret”) generated by the provider SwissSign. For Managed PKI customers like you, there were previously two possible methods of publication:

 

  1. Publication in the domain name system (DNS)

  2. Publication in a text file. The random value is published on the web server accessible under this domain name.

 

The second method (text file) is now no longer possible for all certificate types. For this reason, only the first method (DNS) will be allowed in the future so that you, as an MPKI customer, can continue to benefit from the full range of services.

 

 

Organizational Unit names: It is no longer possible to include the “Organizational Unit” (OU) attribute in addition to the organization name in certificates. We ask customers who have made use of this option in the past to refrain from doing so in the future. For customers who do not use the OU attribute, no action is required.

 

 

The changes described above may require an adjustment to your practices. However, the requirements only affect future certificate issuances. Any certificates issued previously with correct content will remain valid.