= This page is deprecated. Please see Organisation Assurance =
[[CategoryOrganisationAssurance|Organisation Assurance]]

<<BR>><<BR>><<BR>><<BR>><<BR>><<BR>>

However, since the new documentation is finished you might find some useful information here. But be aware: A lot of things have changed. Maybe you would also like to have a look at the [[Brain/EducationTraining/OrganisationAssurance/Manual|Organization Assurance Manual]].

= Email & Server Certificates for Organisations =
<<TableOfContents(2)>>

== Important note ==
If you have knowledge in law and you want to help CAcert org Support, please see [[HelpingCAcert]]

== Purpose ==
Having your organisation assured allows you to issue certificates in the name of your organisation, have '''additional information''' added to certificates, and issuing certificate for '''any arbitrary email''' address in your domain without the need to go through verification every time. You can also delegate (and revoke) the authority to other administrators within your organisation.

=== Organisation feature benefits ===
 1. The CAcert Organisational feature is pretty interesting because '''you can include more details''' than the simple CAcert user (organisation name, localisation). After the organisation account is created, you have the same easy way to generate email or webserver certificates.
 1. Also, because you're responsible of your organisation, '''you can generate user certs for any of your employees''' (including the organisation name) without going thru the whole assurance process (TTP or CAP). Here, CAcert delegates its responsabilities to the owner/executive manager of the organisation.
 1. Because we do not provide any sub-root certificate, we assure the whole CAcert community that the root certificate trust is less likely to be compromised (see SubRoot).
==== How to request the organisation features ? ====
CAcert has a general policy for Organisation Assurance. When an Organisation Assurer is available in a country, a specific policy has been written to handle Organisation requests for the country.

Mainly, the following countries have several organisation assurers:

 * [[http://wiki.cacert.org/wiki/OrganisationEntitiesGermany|Germany/Deutschland]]
 * [[http://wiki.cacert.org/wiki/OrganisationEntitiesAustria|Austria/Österreich]]
For all other countries, please ask first support (at) cacert.org to know if we can handle a request (and see the table below).

The "organisation Assurers" are similar to the way the Web of Trust assurers are doing their "job".  Local Assurers '''permit to overcome the problem of reading/knowing the local languages & organisation legislations'''. Also, it's easier to verify the will of the owner/executive manager in case, he/she is not fond of IT and doesn't have a proper & trusted digital certificate & signature.

Also, if you need specific help or questions, you are welcome at IRC channel irc.cacert.org #cacert if you are kind enough we will try to speed-up the procedure.

==== Additional steps ====
 1. The person responsible for the organisation needs to '''appoint 1+ admin(s)''' in charge of generating/taking care of the certs for the organisation.  The admin must have a certain amount of trust and knowledge, so they need to be a '''current CAcert assurer'''. The admin can be or not a member/employee of the organisation, '''so you can ask your usual IT service provider to do the job'''.
 1. From the certificate of incorporation, the CAcert support (or Organisation Assurer) can get info about the organisation and add them into the organisation account : its name, its place of incorporation (Town, state, country), then add the owner/executive manager email address for contact, add the admin list (for each admin, the department name in the organisation if applicable), add the list of the domain names of the organisation after a check of one (or more) authoritative email address(es) (like postmaster@domainname).
 1. The domain names that can be included in the account have to match the certificate of incorporation info when looking at the '''whois database''' or any accurate document linking the organisation and the domain name.
'''For precise requirements for different jurisdictions please contact support(at)cacert.org who will gladly put you in contact with an organisation assurer!'''

==== Organisation Assurers available ====
||<tablewidth="600px">Country ||Policy Available ||<style="vertical-align: top;">Organisation Assurers Available ||
||Germany ||yes ||yes ||
||Austria ||yes ||yes ||
||USA California ||yes ||yes ||
||USA Colorado ||yes ||yes ||
||USA Others ||no ||yes ||
||France ||no ||yes ||
In case, there is an assurer but still no specific policy, requests have a far longer processing time and may not be completed as some cases will need a legal advise and at the end pass the CAcert Board review.

== Processing the request ==
'''Following statements are general and depend heavily on the local policies, contact your local assurer for details.'''

=== Common ===
 * Upon request, Email to your local Organisation Assurer scanned cop(ies) of:
  1. '''Certificate of Incorporation''' and any means to verify the certificate (like an government internet online register) and the manager or owner
  1. '''Letter signed''' (by hand or digitally) by the manager/owner of the organisation requesting CAcert organisational features, mentioning who is/are the admin(s) of the org, the domains names of the org (see below the example)
  1. If the '''Whois Database''' doesn't mention info about the Organisation, provide the documents from the Internet domain registrar
 * CAcert Support will enter the Organisational details into the system, including domainname(s) and link the account to an initial admin(s), who will then be able to allow others in the organisation to be able to issue certificates.
 * Initial organisational admin is required to have a minimum of 50 assurance points.
{{{
Also make sure that the documents are fresh (<1 month) to support (at) cacert.org
or provide the web address of an online governmental organisation register database
}}}
=== Large organisations ===
 * For big organisations including sub-organisations, or for IT service providers, we will create an organisational account for each entity, and we can attach one admin (or more) for all the organisations.
 * Currently, when generating certificates, the system chooses automatically the proper organisation depending on the domain name.
=== Business Name Only ===
 * The service is intended for incorporated companies. So if you just have registered a Business Name, contact first the local Organisation Assurer or support (at) cacert.org to know if the "Organisation" support is possible for you !
 * We'll add a comment like "(Business Name)" or "(Individual Business)" at the end of the Organisation Name.
=== Non-profit or University-related ===
 * The service is intended for incorporated companies. But we sometimes provide help to register non-profit or university-related "associations", and we're pleased to do so. Please read the following and try to find "official" papers (or ways to make you "trustable") to register. Depending on the class of the association, we may have to add a comment at the end of the Organisation Name.
 * Contact first your local Organisation Assurer or support (at) cacert.org
=== Faster ===
 * You're the executive manager/owner (possibly chief technical officer and less likely IT Contractor) of your org and you have >= 50 assurance points
 * You can provide the link to a government internet online register for organisations in your jurisdiction (example : some countries like Australia, and some US states like Oregon) and the register provides both owner/manager and convenient organisational info '''free of charge''' to CAcert. See [OrganisationRegister]
 * '''You have already verified the domain names in the admin account.'''
 * the processing will likely be faster '''but''' you have still have to follow the normal process (like sending the certificate of incorporation for our archives)
 * then contact your local Organisation Assurer
== Check your datas ==
 * Please make a '''summary''' of all the datas and send it to support@ with the documents
 * For each of your admin your '''can''' add a different "department" (or organisation unit) or keep the field blank (usually for a single admin)
 * Example of '''summary''' :
{{{
Organisation Title   : choose one if several are registered
Contact Email        :
Registration organisation address =>
Town/Suburb          :
State/Province       : if applicable
Country              : + mention the 2 letter ISO code
Used domains are     :
                     :
                     :
                     :
Admins are           : CAcert main email address of admin + org department name if applicable
                     :
                     :
                     :
}}}
== Example of letter from the executive/owner of the organisation ==
'''Required if the name of the requester does not appear on the Certificate of Incorporation.''' Scan and email the letter to support at cacert.org

The letter is written and signed by the person in charge of the organisation (replace company with association in your case)

Dear Sir,

I am requesting that an organisational account be created for my company, '''Company Name'''. This organisational account is associated to the following domains '''domain name list'''.

The technical contact for these Internet domains and the administrator for the CAcert organisation account is '''Admin Name''' , '''Admin title''' who is holding an assured CAcert account '''mail address'''

I have attached '''Company Name''' 's Certificate of Incorporation. ''Optionally'' The following business register will show '''Company Name''' 's active filing : '''web address of register'''

''Add any extra information if needed''

Sincerely, ...

== Corporate use of organisational client certificates ==
'''Question'''

When I create a org client certificate, how does the user pick up the new certificate that is created?

'''Answer'''

The "corporate" use of org client certificates is to put them on a smartcard. So after, you just give each user its usb smartcard with its PIN code and the certificate/private key loaded.

You'll probably need to configure the mail client on the user machine. Also, there is still an "underground" project to generate certs for windows domains.

In this case, if you want to know which smartcard is easy to integrate, we can help you, so just ask support (at) cacert.org. Some people at CAcert support have tested several cards.

For example, there is a special type of card "java smartcard" but it's pretty complicated to use. Anyway, people at CAcert support frequently log-in CAcert website and we're really happy to use smartcards to quickly log-in, as the server safely gets the our id from the card.

Note : the CAcert interface permits to generate the private key directly within the card and properly load the certs after signing.

If you have no smartcard, as a last resort, you can put the client cert from your browser certificate store into a pkcs12 file and transfer it in on a usb memory key and give it to the user but it's not really seamless ;(

== Miscellaneous ==
'''(to read if you have extra time to spend)'''

 * Main perspective : we do not require that most CEOs/owners (CEO, Prokuristen, ... AKA people who are by law allowed to sign for the company) get their hands dirty in IT problems, they can simply delegate the tasks to some technical staffs on behalf of the company.
 * Also, it may be helpful to have 1 or several CAcert Assurers in the company, especially the IT administrators or Human Ressource people who will be responsible to issue certificates inside the company. They should become CAcert assurers, so they can learn best practises and then, they'll help to prevent poor certificate handling for your company.
 * So, get your papers ready, once *at least* one person has 50 points, you can proceed to Assure your Organisation. You will need to contact CAcert through support (at) cacert.org, and ask who is responsible for your country (in some countries we have dedicated people to verify the organisation assurance, in the other countries the core team in will handle the verification).
 * Then you will have to send the documents of incorporation about your organisation, this not only proves the existance of the organisation, but allows us to see the information contained in the official documentation, we then use that information to add this to your certificates in future.
 * Accounts are individual not organisational, you or someone in your organisational should be able to change access rights if you or someone else leaves the organisation, you should '''''NEVER EVER''''' give anyone else access to your account as they can impersonate you. If you need help or unsure on how to assign or revoke rights please contact support.
{{{
Only the designers of the org support can tell but here's my guess :
the idea is to have an admin for one department (one for IT, one for HR,
etc...)
2 options :
- deleting an admin and putting no Departement or giving the department field (OU) a more "general" sense instead of IT/Support.
- delegating cert creation to other "local" admins (only 50 points are needed for an admin AFAIR)
you can only generate certs for the domain(s) that is(are) registered for the org
}}}
== FAQ - Frequently Asked Questions ==
Q: The technical representative in our company has been changed, and the old one used his personal CAcert account to issue our mission critical certificates. How could we change the login credentials to this site?

A: First, create a new account for yourself if not set up yet. Then do the following steps: 1) Login to the account 2) go to "Dispute" -> "Domain" 3) enter the Domain 4) choose  an email address you can reach, and dispute the domain. 5) You’ll get an email you have to approve, then the Domain should be removed from the others account. 6) Afterwards you can add the domain to your own account, and issue a new certificate for it.

After all you should think about doing OrganisationAssurance, so that several people in your company can issue certificates, and it can continue without problems in case you leave the company too.

http://wiki.cacert.org/wiki/OrganisationEntities

see OrganisationRegister

= Relevant Laws =
== Switzerland ==
[[http://www.admin.ch/ch/d/sr/210/|Schweizerisches Zivilgesetzbuch]]

== United States ==
[[http://en.wikipedia.org/wiki/Electronic_Signatures_in_Global_and_National_Commerce_Act|Electronic Signatures in Global and National Commerce Act]]  ([[http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=106_cong_public_laws&docid=f:publ229.106.pdf|PDF of the Act]], Pub. L. No. 106-229, June 30, 2000)
----
 . CategoryDeprecated