Last updated: 
3 weeks 3 days ago
Group Manager
Welcome to the Jisc Certificate Service group. The service offers a number of different X509 SSL certificates, including Extended Validation certificates that give users the highest possible assurance, as well as S/MIME email certificates for digitally signing emails. Jisc has an agreement with the Certificate Authority, QuoVadis who is the provider of the certificates. The service has been running since 2006 and has issued many thousands of certificates to organisations in UK research and education. This is a Community group where users can obtain relevant information, receive service updates and provide feedback.

FAQ for change to domain validation process

27 June 2018 at 10:29am

WE ENCOURAGE CUSTOMERS TO VALIDATE DOMAINS IN ADVANCE TO AVOID POSSIBLE LENGTHY DELAYS IN PROCESSING CERTIFICATE REQUESTS

Q1) What is the change?

From 1 August, new industry regulation states that Certificate Authorities (CAs) must no longer rely on checking a public WHOIS record to validate domain ownership. Instead, customers requesting a certificate must demonstrate a ‘positive interaction’ to show they have control over/ownership of the domain to be used in a certificate.

Q2) How can Jisc customers demonstrate control over/ownership of a domain?

This can be achieved in two ways. Either, add a random number (provided by Jisc) to the TXT field of the domain's DNS record or respond to an email (sent by Jisc) to the Registrant Contact (Reg-C) email address registered for the domain.

Q3) Is domain validation required for every certificate request?

No. Once a domain has been validated using one of the above methods it remains validated for 13 months. This means when you submit certificate requests there will be no manual intervention required from Jisc or our Certificate Authority, QuoVadis.

Q4) Will existing certificates be affected by this change?

No. All existing certificates are unaffected and will remain valid until their present expiry date.

Q5) What domains are affected by this change?

All .ac.uk and .gov.uk domains are currently validated (by QuoVadis) until 31 July. Therefore, any certificate requests submitted containing those domains up until that date will not yet be affected by the change.

All other domains .e.g. .com and .co.uk etc., require validation using one of the above methods, but such domains have always require some form of manual approval by Jisc staff supporting the service.

Q6) When do customers need to validate a domain?

If a domain isn’t validated by the time you submit a certificate request, a member of the Jisc support team will contact the person requesting the certificate to ask which method you want to use to validate the domain. Since this change affects all certificate requests across the entire industry, delays in processing certificates are expected in the early days unless the domain(s) in question have been validated in advance.

Q7) Can customers have one or more domains validated in advance?

Yes. Customers can request to have their domains validated with immediate effect by contacting the Service Desk directly by emailing certificates@jisc.ac.uk.

WE ENCOURAGE CUSTOMERS TO VALIDATE DOMAINS IN ADVANCE TO AVOID POSSIBLE LENGTHY DELAYS IN PROCESSING CERTIFICATE REQUESTS

Comments