This page is deprecated. Please see Organisation Assurance
However, since the new documentation is finished you might find some useful information here. But be aware: A lot of things have changed. Maybe you would also like to have a look at the Organization Assurance Manual.
Email & Server Certificates for Organisations
Important note
If you have knowledge in law and you want to help CAcert org Support, please see HelpingCAcert
Purpose
Having your organisation assured allows you to issue certificates in the name of your organisation, have additional information added to certificates, and issue certificates for any arbitrary email address in your domain without the need to go through verification every time. You can also delegate (and revoke) the authority to other administrators within your organisation.
Organisation feature benefits
The CAcert Organisational feature is pretty interesting because you can include more details than the simple CAcert user (organisation name, localisation). After the organisation account is created, you have the same easy way to generate email or webserver certificates.
Also, because you're responsible for your organisation, you can generate user certs for any of your employees (including the organisation name) without going through the whole assurance process (TTP or CAP). Here, CAcert delegates its responsibilities to the owner/executive manager of the organisation.
Because we do not provide any sub-root certificate, we assure the whole CAcert community that the root certificate trust is less likely to be compromised (see SubRoot).
How to request the organisation features?
CAcert has a general policy for Organisation Assurance. When an Organisation Assurer is available in a country, a specific policy has been written to handle Organisation requests for the country.
Mainly, the following countries have several organisation assurers:
For all other countries, please first ask support (at) cacert.org whether we can handle a request (and see the table below).
Organisation Assurers work in much the same way as the Web of Trust assurers do their "job". Local assurers overcome the problem of reading and knowing the local languages and organisation legislation. It is also easier to verify the will of the owner/executive manager in case he/she is not fond of IT and doesn't have a proper and trusted digital certificate and signature.
Also, if you need specific help or have questions, you are welcome at the IRC channel irc.cacert.org #cacert. If you are kind enough, we will try to speed up the procedure.
Additional steps
The person responsible for the organisation needs to appoint 1+ admin(s) in charge of generating/taking care of the certs for the organisation. The admin must have a certain amount of trust and knowledge, so they need to be a current CAcert assurer. The admin may or may not be a member/employee of the organisation, so you can ask your usual IT service provider to do the job.
- From the certificate of incorporation, CAcert support (or the Organisation Assurer) can get info about the organisation and add it to the organisation account: its name and its place of incorporation (town, state, country). They then add the owner/executive manager email address for contact, the admin list (for each admin, the department name in the organisation if applicable), and the list of the domain names of the organisation after a check of one (or more) authoritative email address(es) (like postmaster@domainname).
The domain names that can be included in the account have to match the certificate of incorporation info when looking at the whois database or any accurate document linking the organisation and the domain name.
For precise requirements for different jurisdictions please contact support(at)cacert.org who will gladly put you in contact with an organisation assurer!
Organisation Assurers available
Country | Policy Available | Organisation Assurers Available
Germany | yes | yes
Austria | yes | yes
USA California | yes | yes
USA Colorado | yes | yes
USA Others | no | yes
France | no | yes
Where there is an assurer but still no specific policy, requests have a far longer processing time and may not be completed, as some cases will need legal advice and must in the end pass the CAcert Board review.
Processing the request
The following statements are general and depend heavily on the local policies; contact your local assurer for details.
Common
- Upon request, email your local Organisation Assurer scanned cop(ies) of:
  - Certificate of Incorporation and any means to verify the certificate (like a government internet online register) and the manager or owner
  - Letter signed (by hand or digitally) by the manager/owner of the organisation requesting CAcert organisational features, mentioning who is/are the admin(s) of the org and the domain names of the org (see the example below)
  - If the Whois Database doesn't mention info about the Organisation, provide the documents from the Internet domain registrar
- CAcert Support will enter the organisational details into the system, including domain name(s), and link the account to the initial admin(s), who will then be able to allow others in the organisation to issue certificates.
- The initial organisational admin is required to have a minimum of 50 assurance points.
Also make sure that the documents sent to support (at) cacert.org are fresh (<1 month), or provide the web address of an online governmental organisation register database.
Large organisations
- For big organisations including sub-organisations, or for IT service providers, we will create an organisational account for each entity, and we can attach one admin (or more) for all the organisations.
- Currently, when generating certificates, the system automatically chooses the proper organisation depending on the domain name.
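The domain rule stated on this page (the organisation is chosen from the domain name, and an admin can only generate certs for domains registered for the org) can be sketched as below. This is an added illustration, not CAcert's code: the `OrgAccount` layout, the `select_org` and `email_domain` helpers, the sample accounts and the exact-match rule for domains are all assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OrgAccount:
    """Hypothetical organisation account (assumed layout, not CAcert's schema)."""
    name: str                                    # organisation name for the certificate
    domains: set = field(default_factory=set)    # verified domain names, lowercase
    admins: dict = field(default_factory=dict)   # admin email -> department (OU) or ""


def email_domain(address):
    """Return the normalised domain of an email address, or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        raise ValueError(f"not a usable email address: {address!r}")
    # Compare case-insensitively and ignore a trailing root dot.
    return domain.rstrip(".").lower()


def select_org(accounts, admin_email, subject_email):
    """Choose the organisation for a request from the subject's domain.

    Returns (organisation name, department); raises PermissionError otherwise.
    """
    domain = email_domain(subject_email)
    # Assumption: exact match only, so "example.org.invalid" never matches
    # an account that registered "example.org".
    owners = [acc for acc in accounts if domain in acc.domains]
    if len(owners) != 1:
        raise PermissionError(f"no single organisation owns {domain!r}")
    org = owners[0]
    if admin_email not in org.admins:
        raise PermissionError(f"{admin_email} is not an admin of {org.name}")
    return org.name, org.admins[admin_email]


# Constructed sample data: one provider admin attached to two organisations.
ACCOUNTS = [
    OrgAccount("Example Holding Ltd", {"example.org"},
               {"admin@provider.example": "", "hr@example.org": "HR"}),
    OrgAccount("Example Subsidiary GmbH", {"example.net"},
               {"admin@provider.example": "IT"}),
]

if __name__ == "__main__":
    for admin, subject in [("admin@provider.example", "alice@example.org"),
                           ("hr@example.org", "bob@example.net"),
                           ("admin@provider.example", "eve@example.org.invalid")]:
        try:
            print(subject, "->", select_org(ACCOUNTS, admin, subject))
        except (PermissionError, ValueError) as err:
            print(subject, "-> refused:", err)
```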
Business Name Only
- The service is intended for incorporated companies. So if you have just registered a Business Name, first contact the local Organisation Assurer or support (at) cacert.org to find out whether the "Organisation" support is possible for you!
- We'll add a comment like "(Business Name)" or "(Individual Business)" at the end of the Organisation Name.
Non-profit or University-related
- The service is intended for incorporated companies. But we sometimes provide help to register non-profit or university-related "associations", and we're pleased to do so. Please read the following and try to find "official" papers (or ways to make you "trustable") to register. Depending on the class of the association, we may have to add a comment at the end of the Organisation Name.
- First contact your local Organisation Assurer or support (at) cacert.org
Faster
You're the executive manager/owner (possibly chief technical officer and less likely IT Contractor) of your org and you have >= 50 assurance points
You can provide the link to a government internet online register for organisations in your jurisdiction (example : some countries like Australia, and some US states like Oregon) and the register provides both owner/manager and convenient organisational info free of charge to CAcert. See [OrganisationRegister]
You have already verified the domain names in the admin account.
the processing will likely be faster, but you still have to follow the normal process (like sending the certificate of incorporation for our archives)
- then contact your local Organisation Assurer
Check your data
Please make a summary of all the data and send it to support@ with the documents
For each of your admins you can add a different "department" (or organisation unit) or keep the field blank (usually for a single admin)
Example of summary :
Organisation Title : choose one if several are registered
Contact Email :
Registration organisation address =>
Town/Suburb :
State/Province : if applicable
Country : + mention the 2 letter ISO code
Used domains are :
:
:
:
Admins are : CAcert main email address of admin + org department name if applicable
:
:
:
Example of letter from the executive/owner of the organisation
Required if the name of the requester does not appear on the Certificate of Incorporation. Scan and email the letter to support at cacert.org
The letter is written and signed by the person in charge of the organisation (replace company with association in your case)
Dear Sir,
I am requesting that an organisational account be created for my company, Company Name. This organisational account is associated to the following domains: domain name list.
The technical contact for these Internet domains and the administrator for the CAcert organisation account is Admin Name, Admin title, who is holding an assured CAcert account: mail address
I have attached Company Name's Certificate of Incorporation. Optionally: The following business register will show Company Name's active filing: web address of register
Add any extra information if needed
Sincerely, ...
Corporate use of organisational client certificates
Question
When I create an org client certificate, how does the user pick up the new certificate that is created?
Answer
The "corporate" use of org client certificates is to put them on a smartcard. Afterwards, you just give each user their USB smartcard with its PIN code and the certificate/private key loaded.
You'll probably need to configure the mail client on the user machine. Also, there is still an "underground" project to generate certs for windows domains.
In this case, if you want to know which smartcard is easy to integrate, we can help you, so just ask support (at) cacert.org. Some people at CAcert support have tested several cards.
For example, there is a special type of card, the "java smartcard", but it's pretty complicated to use. Anyway, people at CAcert support frequently log in to the CAcert website and we're really happy to use smartcards to log in quickly, as the server safely gets our id from the card.
Note: the CAcert interface lets you generate the private key directly within the card and properly load the certs after signing.
If you have no smartcard, as a last resort, you can put the client cert from your browser certificate store into a pkcs12 file, transfer it onto a USB memory key and give it to the user, but it's not really seamless ;(
Miscellaneous
(to read if you have extra time to spend)
- Main perspective: we do not require that most CEOs/owners (CEO, Prokuristen, ... AKA people who are by law allowed to sign for the company) get their hands dirty in IT problems; they can simply delegate the tasks to some technical staff on behalf of the company.
- Also, it may be helpful to have 1 or several CAcert Assurers in the company, especially the IT administrators or Human Resources people who will be responsible for issuing certificates inside the company. They should become CAcert assurers so they can learn best practices and then help to prevent poor certificate handling for your company.
- So, get your papers ready. Once *at least* one person has 50 points, you can proceed to Assure your Organisation. You will need to contact CAcert through support (at) cacert.org, and ask who is responsible for your country (in some countries we have dedicated people to verify the organisation assurance, in the other countries the core team will handle the verification).
- Then you will have to send the documents of incorporation for your organisation. This not only proves the existence of the organisation, but also allows us to see the information contained in the official documentation; we then use that information to add this to your certificates in future.
Accounts are individual, not organisational. You or someone in your organisation should be able to change access rights if you or someone else leaves the organisation. You should NEVER EVER give anyone else access to your account, as they can impersonate you. If you need help or are unsure how to assign or revoke rights, please contact support.
Only the designers of the org support can tell, but here's my guess: the idea is to have an admin for one department (one for IT, one for HR, etc.). 2 options:
- deleting an admin and putting no Department, or giving the department field (OU) a more "general" sense instead of IT/Support.
- delegating cert creation to other "local" admins (only 50 points are needed for an admin AFAIR); you can only generate certs for the domain(s) that is (are) registered for the org.
FAQ - Frequently Asked Questions
Q: The technical representative in our company has been changed, and the old one used his personal CAcert account to issue our mission critical certificates. How could we change the login credentials to this site?
A: First, create a new account for yourself if not set up yet. Then do the following steps:
1) Log in to the account.
2) Go to "Dispute" -> "Domain".
3) Enter the Domain.
4) Choose an email address you can reach, and dispute the domain.
5) You’ll get an email you have to approve, then the Domain should be removed from the other's account.
6) Afterwards you can add the domain to your own account, and issue a new certificate for it.
After all, you should think about doing OrganisationAssurance, so that several people in your company can issue certificates, and it can continue without problems in case you leave the company too.
http://wiki.cacert.org/wiki/OrganisationEntities
Relevant Laws
Switzerland
Schweizerisches Zivilgesetzbuch
United States
Electronic Signatures in Global and National Commerce Act (PDF of the Act, Pub. L. No. 106-229, June 30, 2000)