Connected with trust

D. Trust Certifikačná Autorita a.s.

How to obtain a QWAC certificate for contract clients

To obtain a Qualified Website Authentication Certificate (QWAC), you must first enter into a contract with První certifikační autorita, a.s. (I.CA). The following is the procedure for issuing QWAC certificates to contract clients.

1. Create electronic application

A Qualified Website Authentication Certificate (QWAC) contains verifiable information about the owner/organization, the domain name and further verifiable data (subject items O, OU, L, St, C, ID, TO…). The application is an electronic certificate request in PKCS #10 format.
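As an added example (not I.CA's own tooling), the following Python code builds the PKCS #10 request for step 1 with the standard subject items the page lists (C, St, L, O, OU) plus CN and a Subject Alternative Name, and runs the checks a reviewer would apply before the file is e-mailed. It uses the `cryptography` package; the subject values, domain names and the `qwac.req` file name are constructed samples, and the eIDAS-specific items (ID, TO) are left out.

```python
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

# Subject attributes the request must carry (O, L, St, C from the page, plus CN)
REQUIRED_OIDS = {NameOID.COUNTRY_NAME: "C", NameOID.STATE_OR_PROVINCE_NAME: "ST",
                 NameOID.LOCALITY_NAME: "L", NameOID.ORGANIZATION_NAME: "O",
                 NameOID.COMMON_NAME: "CN"}

def build_csr(dns_names, subject, key_size=3072):
    """Return (private_key_pem, csr_pem); the .req file is the second element."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(oid, val) for oid, val in subject.items()])
    san = x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(name)
           .add_extension(san, critical=False).sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                                serialization.NoEncryption())
    return key_pem, csr.public_bytes(serialization.Encoding.PEM)

def check_csr(csr_pem, expected_dns):
    """Pre-submission checks; an empty list means the request is ready to send."""
    csr = x509.load_pem_x509_csr(csr_pem)
    problems = []
    if not csr.is_signature_valid:                 # proof of possession of the private key
        problems.append("CSR signature invalid")
    present = {attr.oid for attr in csr.subject}
    problems += [f"subject missing {s}" for oid, s in REQUIRED_OIDS.items() if oid not in present]
    try:
        ext = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names = set(ext.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        names = set()
    missing = sorted(set(expected_dns) - names)
    if missing:
        problems.append("SAN missing " + ", ".join(missing))
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if cn and cn[0].value not in names:            # CAs validate SAN, so CN must be repeated there
        problems.append("CN not present in SAN")
    return problems

# Constructed sample subject and names (not a real applicant)
SAMPLE_SUBJECT = {NameOID.COUNTRY_NAME: "CZ", NameOID.STATE_OR_PROVINCE_NAME: "Praha",
                  NameOID.LOCALITY_NAME: "Praha", NameOID.ORGANIZATION_NAME: "Example s.r.o.",
                  NameOID.ORGANIZATIONAL_UNIT_NAME: "IT", NameOID.COMMON_NAME: "www.example.cz"}
SAMPLE_DNS = ["www.example.cz", "example.cz"]

if __name__ == "__main__":
    _key, req = build_csr(SAMPLE_DNS, SAMPLE_SUBJECT)
    open("qwac.req", "wb").write(req)              # the file to attach to the e-mail
    print(check_csr(req, SAMPLE_DNS) or "request OK")
```

Keep the private key PEM only on the server that will use the certificate; only the `.req` file goes to I.CA.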

2. Transmission of the electronic application

The applicant sends the application file in PKCS #10 (.req) format by e-mail to ssl@ica.cz.

  • Its subject must state: "Application for QWAC certificate".
  • Only persons authorized by a power of attorney that is part of the contractual relationship with I.CA may apply for the issue of a QWAC certificate.
  • The body of the e-mail must state: "I, below, hereby declare that all the information provided in the application for the QWAC certificate is true".
  • The e-mail message must carry a qualified electronic signature according to EU Regulation No. 910/2014 (eIDAS).

The applicant also includes in the e-mail the contact details of the subject: telephone, e-mail and postal address.

3. Verification of certificate request

Verifying domain ownership

I.CA verifies ownership of the DNS domain in one of the following ways; the number in parentheses (#n) is the subchapter of the Baseline Requirements (BR) describing the validation method:

  • I.CA sends an e-mail containing a random string to the WHOIS domain contact address, requesting approval of the SSL certificate for the DNS names contained in the submitted application; the domain contact sends the approval containing this string back to I.CA (#2),
  • I.CA sends an e-mail containing a random string to one of the addresses admin, administrator, webmaster, hostmaster or postmaster @ domain, requesting approval of the issue of the SSL certificate for the DNS names contained in the submitted application; the contact person sends the approval containing this string back to I.CA (#4),
  • the domain administrator creates a /.well-known/pki-validation/ directory on the server for the requested FQDN and places in it the file ica.html containing the random string provided by I.CA (#6),
  • the domain administrator creates a new CNAME or TXT DNS record for the requested FQDN containing the random string specified by I.CA (#7).

The random strings are valid for 30 days in all cases.

Checking CAA records [1]

I.CA carries out a first check and:

  • if a set of CAA records is found, it waits for the greater of the two values (the TTL of the CAA record, 8 hours),
  • if no CAA record is found, it waits 8 hours,

and then performs a recheck.

The verification of the application and the issue of the certificate continue only if the recheck shows that:

  • either there is no CAA record,
  • or a set of CAA records is found and at the same time:
    • no record in the set carries a tag that is unknown to I.CA and flagged as critical,
    • and the set of CAA records with the "issue" tag is empty, or at least one CAA record with the "issue" tag contains "ica.cz".

Otherwise, the application is rejected.
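The CAA decision rule above, as an added example that is not I.CA's code: the recheck delay (the greater of the record TTL and 8 hours) and the accept/reject rule are run over constructed record sets. The set of tags treated as "known" is an assumption (the three tags defined in RFC 8659); the record values and TTLs are made up.

```python
from dataclasses import dataclass

CA_DOMAIN = "ica.cz"               # issuer domain I.CA expects in "issue" records
MIN_WAIT_SECONDS = 8 * 3600        # fixed 8-hour wait before the recheck
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # assumption: tags the CA understands

@dataclass(frozen=True)
class CaaRecord:
    flags: int          # RFC 8659 flags byte; 0x80 = issuer-critical
    tag: str
    value: str
    ttl: int = 0        # seconds, as returned in the DNS answer

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)

def recheck_delay(records):
    """Seconds to wait before the second check: max(CAA TTL, 8 h); 8 h with no records."""
    return max([MIN_WAIT_SECONDS] + [r.ttl for r in records])

def issuance_allowed(records, ca_domain=CA_DOMAIN):
    """Apply the page's rule to the record set seen on recheck; returns (allowed, reason)."""
    if not records:
        return True, "no CAA record found"
    for r in records:                      # any unknown tag flagged critical blocks issuance
        if r.tag.lower() not in KNOWN_TAGS and r.critical:
            return False, f"unknown critical tag {r.tag!r}"
    issue = [r for r in records if r.tag.lower() == "issue"]
    if not issue:
        return True, "no 'issue' records in the set"
    for r in issue:                        # RFC 8659 allows ';'-separated parameters after the domain
        if r.value.split(";", 1)[0].strip().lower() == ca_domain:
            return True, f"'issue' record names {ca_domain}"
    return False, f"no 'issue' record names {ca_domain}"

# Constructed sample record sets (not real DNS data)
SAMPLE_SETS = {
    "permits_ica": [CaaRecord(0, "issue", "ica.cz", ttl=3600)],
    "other_ca_only": [CaaRecord(0, "issue", "other-ca.example", ttl=3600)],
    "unknown_critical": [CaaRecord(0x80, "futuretag", "x"), CaaRecord(0, "issue", "ica.cz")],
    "no_issue_tag": [CaaRecord(0, "iodef", "mailto:security@example.cz")],
    "none": [],
}

if __name__ == "__main__":
    for name, recs in SAMPLE_SETS.items():
        print(f"{name:17s} wait {recheck_delay(recs):6d}s -> {issuance_allowed(recs)}")
```

A record whose value is just ";" (no issuer at all) falls through to the rejection branch, which is the behaviour a domain owner relies on when locking out every CA.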

4. Issue of the certificate

After all the above-mentioned checks of the submitted electronic certificate request have been performed, the QWAC certificate is issued and handed over to the applicant electronically via an e-mail message. 

5. Renewal - issue of a subsequent certificate

When requesting a certificate renewal, you must always send a new QWAC certificate request. QWAC certificates cannot be renewed electronically; every QWAC certificate is issued as a new, first-time certificate. The information in the electronic QWAC certificate request must always be re-verified.

The same documents can be used for verification if they are up to date and not older than 13 months.

6. Revocation of the certificate

Invalidation can be done as usual (web + revocation password, email + revocation password, signed email, registered mail + revocation password). 



[1] CAA records specify the certification authorities that may issue SSL certificates for the given domain.
