Entrust EV Multi-Domain SSL Certificates
This section provides the answers to the most commonly asked questions about the Entrust contact Entrust support .
What is ‘Extended Validation’?
- Private Organization. A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency in its Jurisdiction of Incorporation.
- Government Entity. A government-operated legal entity, agency, department, ministry, or similar element of the government of a country, or political subdivision within such country (such as a state, province, city, county, etc).
- Business Entity. Any entity that is neither a Private Organization nor a Government Entity. Examples include general partnerships, unincorporated associations and sole proprietorships.
Under the new EV model, validation of an entity (e.g. a company or web site operator) requesting an Entrust EV Multi-Domain SSL Certificate will be performed using industry standard guidelines, as defined by the CA/Browser Forum. This is different from current practices in that different Certification Authorities have very different validation standards. Although the majority of Certification Authorities have rigorous validation practices, not all do and this undermines the overall security of SSL for consumer transactions.
Certificates issued using ‘Extended Validation’ will include a reference to an EV-specific certificate policy. Each Certification Authority will have a unique policy and Policy Object Identifier (OID). Browsers supporting EV will behave differently when they encounter a certificate issued under an EV policy OID that they recognize.
Note that at a technical level, Entrust EV Multi-Domain SSL Certificates will not be different from standard X.509 certificates and will be backwards compatible with older browsers. Entrust EV Multi-Domain SSL Certificates will include more information on the subject (the entity the certificate was issued to), including jurisdiction of incorporation.
Are my existing Entrust SSL Certificates still sufficient for securing online transactions?
From a cryptographic perspective, yes, your current Entrust SSL Certificates are still going to result in encrypted SSL sessions.
However, the greatest threat to online transactions is not cryptographic in nature; it is phishing. Phishing preys on consumers’ inability to discern between trustworthy sites and imposter sites.
The EV initiative is targeted at making it easier for consumers to make that distinction. From a usability perspective, non-EV certificates will have decreasing effectiveness as consumers adopt the new browsers and come to expect the strong trust indicators provided by Entrust EV Multi-Domain SSL Certificates while conducting transactions.
Should I switch to Entrust EV Multi-Domain SSL Certificates?
If you are operating a website that conducts ecommerce transactions, or if you collect sensitive or private information, you should be considering switching to Entrust EV Multi-Domain SSL Certificates.
Phishing attacks are a real threat to the trust consumers have placed on the internet, and Entrust EV Multi-Domain SSL Certificates can only be part of the solution if they are deployed and used widely.
How will older browsers without EV support behave on sites with Entrust EV Multi-Domain SSL Certificates?
Browsers without EV support will continue to behave as they do today. As long as the certificate was issued by a CA trusted by the browser, the lock will close as expected.
In most cases, website support for both older browsers and newer EV browsers will require the installation of a cross-certificate on the web server which was issued by a root CA already embedded in older browsers.
The cross-certificate will certify a newer EV-specific issuing CA as trusted, and the actual web server site certificate will be issued from that issuing CA.
How will browsers respond when they visit a website with an invalid certificate or phishing site?
The response may vary depending on the type of browser but, in general, a red address bar could indicate that you have accessed a known phishing site.
Red alert blocks immediate access to reported phishing sites, although users can proceed to the site if they wish.
A red address bar could also indicate that there may be a problem with the certificate or that it may not be issued from a trusted Certificate Authority.
Internet Explorer includes prominent warnings to users and will recommend users not visit the page.
If the user ignores the warnings and continues, the address bar goes red and red warning ‘security badges’ appear.
I operate my own CA based on Entrust software, can I issue EV certificates myself?
Yes, if you own an Entrust-rooted CA, you will be able to issue Entrust EV Multi-Domain SSL Certificates once your CA is recognized by the EV-ready browsers. This will entail either cross-certification with a CA already in the EV root embedding programs of the major browsers or submitting your own root into those programs. In both cases you will need to undergo an audit under the CA/Browser Forum guidelines.
I’m a website operator. How will Entrust EV Multi-Domain SSL Certificates affect me?
For website operators, one change to consider is that more details about the subscriber will be placed into the certificate, including:
- Domain name
- Organization name
- Jurisdiction of Incorporation
- City or town
- State or province (if any)
- Country – mandatory
Some CSR generating tools may not allow you to add this information to your certificates. However, Entrust will be able to add this information to your Entrust EV Multi-Domain SSL Certificates once your certificate order has been placed.
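The following check is an added example, not Entrust code: it lints a planned request against the subject fields listed above and the no-wildcard rule this FAQ states, and expands a wildcard into explicit subjectAltName entries. The key names follow the dict returned by Python's ssl getpeercert(); mapping "Jurisdiction of Incorporation" to jurisdictionCountryName is an assumption, and the sample data is constructed.

```python
# Added example: lint a planned EV multi-domain request before ordering.
# Data uses the dict layout returned by ssl.SSLSocket.getpeercert().
REQUIRED_SUBJECT = {
    "organizationName": "Organization name",
    "jurisdictionCountryName": "Jurisdiction of Incorporation",  # assumed: country-level field
    "localityName": "City or town",
    "countryName": "Country",
}

def flatten_subject(cert):
    """Turn the tuple-of-RDNs subject into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def san_dns_names(cert):
    """Lower-cased DNS entries from subjectAltName."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def lint_ev_request(cert):
    """Return a list of findings; empty means nothing to fix."""
    findings = []
    subject = flatten_subject(cert)
    for key, label in REQUIRED_SUBJECT.items():
        if not subject.get(key, "").strip():
            findings.append(f"subject is missing {label} ({key})")
    names = san_dns_names(cert)
    if not names:
        findings.append("no DNS names in subjectAltName")
    for name in names:
        if "*" in name:
            findings.append(f"wildcard name not permitted under EV: {name}")
    return findings

def expand_wildcard(wildcard, host_labels):
    """Replace '*.domain' with the explicit hosts to list as SAN entries."""
    if not wildcard.startswith("*.") or "*" in wildcard[2:]:
        raise ValueError("expected a name of the form *.domain")
    return [f"{label}.{wildcard[2:]}" for label in host_labels]

# Constructed sample: wildcard SAN and no city/town in the subject.
SAMPLE = {
    "subject": ((("jurisdictionCountryName", "US"),), (("organizationName", "Example Corp"),),
                (("countryName", "US"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for finding in lint_ev_request(SAMPLE):
        print(finding)
    print(expand_wildcard("*.example.com", ["www", "shop"]))
```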
Please note that EV standards do not permit the use of wildcard certificates, which can impact the number of certificates you may be required to purchase.
“Couldn’t browsers just turn the address bar green with the current Entrust SSL certificates?”
While it would be possible to enable more prominent security features in browsers based on current SSL certificates, the problem is with the inconsistent level of validation behind current certificates.
Some CAs today perform much less rigorous validation checks on companies requesting SSL certificates, which introduces the risk that a phishing site could acquire a valid SSL certificate.
With that risk in mind, the CA/Browser Forum set out to establish a consistent, common set of validation guidelines which participating CAs could follow, and which browser manufacturers could rely on before turning on more prominent security features such as the green address bar.
Can I get an Entrust EV Multi-Domain SSL wildcard certificate?
No, the EV SSL guidelines do not permit wildcard certificates. In some cases the use of subjectAltName extensions can provide the same benefits as a wildcard certificate and this is permitted within the EV guidelines.
Under what conditions will my Entrust EV Multi-Domain SSL Certificate be revoked?
Entrust MUST revoke an Entrust EV Multi-Domain SSL Certificate it has issued upon the occurrence of any of the following events:
- The Subscriber requests revocation of its Entrust EV Multi-Domain SSL Certificate.
- The Subscriber indicates that the original Entrust EV Multi-Domain SSL Certificate Request was not authorized and does not retroactively grant authorization.
- Entrust obtains reasonable evidence that the Subscriber’s Private Key (corresponding to the Public Key in the Entrust EV Multi-Domain SSL Certificate) has been compromised, or that the Entrust EV Multi-Domain SSL Certificate has otherwise been misused.
- Entrust receives notice or otherwise becomes aware that a Subscriber violates any of its material obligations under the Subscriber Agreement.
- Entrust receives notice or otherwise becomes aware that a court or arbitrator has revoked a Subscriber’s right to use the domain name listed in the Entrust EV Multi-Domain SSL Certificate, or that the Subscriber has failed to renew its domain name.
- Entrust receives notice or otherwise becomes aware of a material change in the information contained in the Entrust EV Multi-Domain SSL Certificate.
- A determination, in the CA’s sole discretion, that the Entrust EV Multi-Domain SSL Certificate was not issued in accordance with the terms and conditions of these Guidelines or the CA’s EV Policies.
- If Entrust determines that any of the information appearing in the Entrust EV Multi-Domain SSL Certificate is not accurate.
- Entrust ceases operations for any reason and has not arranged for another EV CA to provide revocation support for the EV Certificate.
- Entrust’s right to issue Entrust EV Multi-Domain SSL Certificates under these Guidelines expires or is revoked or terminated [unless the CA makes arrangements to continue maintaining the CRL/OCSP Repository].
- Entrust’s Private Key for that Entrust EV Multi-Domain SSL Certificate has been compromised.
- Entrust receives notice or otherwise becomes aware that a Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of the CA’s jurisdiction of operation.
If you wish to revoke your Entrust EV Multi-Domain SSL Certificate for any of the above reasons, you may contact Entrust by filling in our online complaint form.
In addition to Entrust EV Multi-Domain SSL Certificate revocation, Subscribers, Relying Parties, Application Software Vendors, and other third parties can contact Entrust by filling in our online complaint form for reporting complaints or suspected Private Key compromise, EV Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to EV Certificates.
Entrust will begin investigation of all Certificate Problem Reports within twenty-four (24) hours and decide whether revocation or other appropriate action is warranted based on at least the following criteria:
- The nature of the alleged problem;
- Number of Certificate Problem Reports received about a particular EV Certificate or website;
- The identity of the complainants (for example, complaints from a law enforcement official that a web site is engaged in illegal activities have more weight than a complaint from a consumer alleging they never received the goods they ordered); and
- Relevant legislation in force.
Entrust will maintain a continuous 24/7 ability to internally respond to any high priority Certificate Problem Report, and where appropriate, forward such complaints to law enforcement and/or revoke an Entrust EV Multi-Domain SSL Certificate that is the subject of such a complaint.