Allowed domain types and their authentication
Allowed domain name types
- I.CA issues commercial SSL certificates for all domain types except new gTLDs (.company, .bike, .movie, .club, etc.)
- A request for a commercial SSL certificate can only include one second-level domain (ica.cz) and up to 9 additional dnsNames (subdomains such as www.ica.cz, neco1.ica.cz, neco2.ica.cz)
- I.CA does not accept requests for commercial SSL certificates that contain an IP address or a wildcard domain name, e.g. *.ica.cz
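The rules above can be checked before a request is submitted. The following is an added example (not I.CA's own tooling): it takes the list of dnsNames a requester intends to put in the CSR and reports any that the page says would be rejected (IP literals, wildcards, more than one second-level domain, more than 9 additional names). The "second-level domain" is simplified here to the last two labels of a name; the Public Suffix List is not consulted, so this is an assumption that does not cover multi-label suffixes. The sample request at the bottom is constructed.

```python
import ipaddress

# Limits stated on the page: one second-level domain plus at most 9 additional dnsNames.
MAX_ADDITIONAL_NAMES = 9


def is_ip_address(name: str) -> bool:
    """True if the SAN value is an IPv4/IPv6 literal rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def second_level_domain(fqdn: str) -> str:
    """Last two labels of a name, e.g. www.ica.cz -> ica.cz.

    Assumption/simplification: the Public Suffix List is not consulted, so
    names under multi-label suffixes such as co.uk are not handled correctly.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_san_list(names):
    """Return a list of human-readable problems with the requested dnsNames.

    An empty list means the request passes the checks described on the page.
    """
    problems = []
    # Normalise case and trailing dots, and drop exact duplicates.
    normalised = list(dict.fromkeys(n.strip().lower().rstrip(".") for n in names))
    host_names = []
    for n in normalised:
        if is_ip_address(n):
            problems.append(f"{n}: IP addresses are not accepted")
        elif "*" in n:
            problems.append(f"{n}: wildcard names are not accepted")
        else:
            host_names.append(n)

    # All host names must belong to the same second-level domain.
    bases = {second_level_domain(n) for n in host_names}
    if len(bases) > 1:
        problems.append(
            "names span more than one second-level domain: " + ", ".join(sorted(bases))
        )

    # Everything that is not the second-level domain itself counts as an additional dnsName.
    additional = [n for n in host_names if n != second_level_domain(n)]
    if len(additional) > MAX_ADDITIONAL_NAMES:
        problems.append(
            f"{len(additional)} additional dnsNames exceed the limit of {MAX_ADDITIONAL_NAMES}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample request.
    sample = ["ica.cz", "www.ica.cz", "neco1.ica.cz", "neco2.ica.cz", "*.ica.cz"]
    for problem in check_san_list(sample) or ["no problems found"]:
        print(problem)
```

Run it against the intended SAN list before generating the CSR; each reported line maps to one of the three rules above.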
Verification of domain ownership
I.CA verifies DNS ownership of a domain in one of the following ways:
- I.CA sends an email containing a random string to the email address listed for the domain contact in WHOIS; the requester sends the string back to I.CA
- I.CA sends an email containing a random string to one of admin@, administrator@, webmaster@, hostmaster@ or postmaster@ at the domain; the requester sends the string back to I.CA
- the domain administrator creates a new DNS record (CNAME or TXT) for the requested FQDN containing a random string specified by I.CA
In all cases the random strings are valid for 30 days.
Checking CAA records
I.CA also checks, via DNS, that none of the domains listed in the request has a CAA record restricting issuance to other CAs, or, if such a record exists, that I.CA (ica.cz) is among the CAs it lists.
When a CAA record has to be re-checked, the new check is performed only after the current record's time to live (TTL) or 8 hours, whichever is longer, has elapsed. If no record exists at the moment, I.CA waits 8 hours and then performs a new check.
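The following is an added example, not I.CA's own code, showing how a domain owner can evaluate their CAA records the way a CA does before submitting a request, and how the re-check delay above is computed. It implements the RFC 8659 lookup (the closest name at or above the FQDN that has any CAA records is the relevant RRset; `issue` tags restrict ordinary names, `issuewild` takes precedence for wildcard names, and an unknown tag with the critical flag forbids issuance). It goes slightly beyond the page in handling wildcard names, which I.CA does not issue, so that the general rule is visible. The zone data is a constructed in-memory mapping standing in for DNS answers; the issuer domain `ica.cz` is taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ISSUER_DOMAIN = "ica.cz"            # issuer domain the page says I.CA looks for
MIN_RECHECK_SECONDS = 8 * 60 * 60   # the 8-hour floor stated on the page
CRITICAL_FLAG = 128                 # RFC 8659 "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str      # "issue", "issuewild", "iodef", ...
    value: str    # e.g. "ica.cz", "ica.cz; account=42", or ";" (nobody may issue)


# Assumption: a mapping from owner name to its CAA RRset stands in for DNS answers.
ZoneData = Dict[str, List[CAARecord]]


def ancestors(fqdn: str) -> List[str]:
    """www.ica.cz -> ["www.ica.cz", "ica.cz", "cz"]; a leading "*." label is kept."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_rrset(zone: ZoneData, fqdn: str) -> List[CAARecord]:
    """RFC 8659 section 3: the relevant RRset is the one at the closest
    ancestor-or-self that has any CAA records at all."""
    for name in ancestors(fqdn):
        rrset = zone.get(name)
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Strip parameters: "ica.cz; account=42" -> "ica.cz"; ";" -> ""."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: ZoneData, fqdn: str, issuer: str = ISSUER_DOMAIN) -> bool:
    """Decide whether `issuer` is permitted to issue for `fqdn` under the CAA policy."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    # An unknown property marked critical forbids issuance outright.
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & CRITICAL_FLAG and r.tag.lower() not in known for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    restricting = [r for r in rrset if r.tag.lower() == tag]
    if not restricting:
        return True  # RRset exists but does not restrict this kind of issuance
    return issuer.lower() in {issuer_domain(r.value) for r in restricting}


def recheck_delay(ttl_seconds: Optional[int]) -> int:
    """Seconds to wait before re-checking: TTL or 8 hours, whichever is longer;
    8 hours when no record currently exists (ttl_seconds is None)."""
    if ttl_seconds is None:
        return MIN_RECHECK_SECONDS
    return max(ttl_seconds, MIN_RECHECK_SECONDS)


if __name__ == "__main__":
    # Constructed zone: the apex allows only ica.cz, a subzone allows another CA.
    zone = {
        "example.cz": [CAARecord(0, "issue", "ica.cz; account=42")],
        "sub.example.cz": [CAARecord(0, "issue", "otherca.example")],
    }
    for name in ("www.example.cz", "www.sub.example.cz", "www.unrelated.cz"):
        print(name, "->", "may issue" if may_issue(zone, name) else "must not issue")
    print("re-check after", recheck_delay(3600), "seconds for a 1-hour TTL")
```

If your zone has no CAA record at all, the check passes and I.CA may issue; if you publish one, make sure `ica.cz` appears in an `issue` record at the apex or at the closest name above the requested FQDN, and allow for the TTL-or-8-hours delay before a correction is picked up.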