Buy a certificate now! Contact us about Thawte certificates

Documents and verification

• What do you need to verify before my SSL123 certificate is issued?
• What do you need to verify before my fully-authenticated server certificate is issued?
• How do Thawte verify these things?
• What documentation do I need to send you to prove my organisation name?
• What documentation do you need to verify a domain?
• Does the domain release letter change the ownership of the domain?
• How do Thawte perform verification by phone?
• Why might Thawte need to perform verification by letter instead of by phone? How do they do this?
• What is a Commissioner for Oaths?
• Where can I send my documentation?
• Help! I have a problem with documentation...

What do you need to verify before my SSL123 certificate is issued?

Verification for SSL123 certificates is done by sending an email to a specified email address; that email has a link in it for the recipient to follow to confirm that the certificate should be issued. The email address to which the mail is sent must be either an email address which appears in a WHOIS lookup for the domain, or alternatively a role account email address at the domain itself. (So, for instance, if you were requesting a certificate for secure.example.co.uk, you could have the email sent to administrator@example.co.uk or info@example.co.uk, but not joe.bloggs@example.co.uk.)

The link in the email MUST be followed, and the certificate request confirmed, before the certificate can be issued. There is NO OTHER WAY to confirm that an SSL123 certificate should be issued. If you cannot use this method, you will need to look at getting a fully-authenticated certificate instead.

What do you need to verify before my fully-authenticated server certificate is issued?

Thawte need to verify three things before your fully-authenticated server certificate can be issued; two things for a developer certificate. Regarding the person or organisation to whom the certificate is going to be issued, they need to verify:

1. That they are entitled to use the name which will be included in the certificate.
2. That they are entitled to use the domain name to which the server name in the certificate belongs (this is not verified for a developer certificate). For instance, if Thawte can verify that Herald Information Systems is entitled to use the domain name herald.co.uk, they will be happy to issue us certificates for test.herald.co.uk, secure.herald.co.uk and so on.
3. That they actually require that the certificate should be issued.

These processes ensure that Thawte can certify that the company details included in the certificate are correct, and that the certificate has been issued to that company, rather than to someone pretending to be them.

How do Thawte verify these things?

Regarding point 1, the name of the company or organisation; this will generally be confirmed with the relevant registration body (e.g. Companies House for UK limited companies/PLCs/LLPs; the KvK for Dutch companies; the Charities Commission for charities in England and Wales). If we cannot look up the information we require online, you will usually need to send us a copy of the relevant documentation, which we will then verify.

Regarding point 2, the domain name; this will be checked via a WHOIS lookup, in the first instance. If no WHOIS lookup is available for the domain, we will require written confirmation from the domain registry, confirming the ownership of the domain. If the domain is not registered to the company or person applying for the certificate, a domain release letter will be needed.

Regarding point 3, the confirmation that the certificate request is legitimate; the request will be confirmed with the corporate contact by phone, if a phone listing or phone bill for the company is available. If this is unavailable, the verification will be done by letter rather than by phone.

More details on all of these points are below.

What documentation do I need to send you to prove my organisation name?

For companies or organisations:

This varies a lot depending on your location and on the type of company concerned. For some companies, we can do all the lookups we need online; for others, we need documentation. We have split the requirements out by country below.

• UK
• Ireland
• Netherlands
• Iceland
• Cyprus
• Isle of Man
• Gibraltar
• Malta

If your country is not listed above, please contact us and we will advise you what we need.

For individuals:

If you want your certificate in the name of an individual, there are a number of documents required to prove his or her identity. These are common across all countries. Please note that issuing certificates to individuals is not covered by the usual maximum working time of 5 working days - it can take longer as the documentation is harder to verify. It is almost always simpler to issue a certificate in a company name rather than that of an individual.

The documentation required for a certificate to be issued to an individual is very variable depending on circumstances. Please contact us for more information.

Please note that Thawte do not issue developer certificates in the name of an individual; at the very least they require a trading name.

What documentation do you require to verify a domain?

Our first step for verifying ownership of a domain will be to do a WHOIS lookup for that domain.

• If the WHOIS shows that the domain is registered to the person or organisation requesting the domain, then this step is complete.

• If the WHOIS shows that the domain is registered to a different person or organisation, we will make further checks:
  • if the domain is registered to a previous name of the organisation requesting the certificate, and we have proof of the link between the two names (e.g. the previous name is shown at Companies House, for UK companies), then this step is complete;

  • if the domain is registered to a organisation which does not currently exist or has never existed, we cannot complete this step until the domain registration details are updated to reflect its current owner;

  • if the domain is registered to an organisation or person who is not the same as that requesting the certificate, we will require a domain release letter (sometimes also called a domain authorisation letter) signed by the domain's owner, and printed on their letterhead (if they are an organisation rather than an individual), before we can complete this step.

• If there is no WHOIS lookup available for the domain, we will require written confirmation of the ownership of the domain from the domain registry concerned. Once we have this in hand, we may also require a domain release letter if the domain is not registered to the organisation or person who require the certificate.

Does the domain release letter change the ownership of the domain?

No, it does not. It only shows that the owner of the domain is happy to let the organisation requesting the domain use it, not that they have transferred ownership or rights to the domain to the organisation concerned.

How do Thawte perform verification by phone?

Once the organisation name and domain name have been adequately verified, Thawte will contact the Corporate Contact to confirm the request for a certificate.

Initially Thawte will make a search of approved online phone directories (typically those provided by state or other authorised telecommunications companies in each country) to find a phone number for the organisation or person concerned.

• If they find such a number, they will call it and attempt to speak to the corporate contact to confirm the request.
  • If the corporate contact confirms that the request is legitimate, the verification is complete, and the certificate will be issued shortly afterwards.

  • If the corporate contact cannot confirm the request, Thawte will generally talk to the technical contact and ask them to inform the corporate contact about the request - they will then try to confirm again with the corporate contact.

  • If the corporate contact is unavailable, Thawte will generally call back.

  • If the corporate contact does not work for the company requesting the certificate, Thawte will inform the technical contact and ask them to find a new corporate contact.

• If they cannot find a phone number for the company concerned, they will request a copy of a land line or mobile phone bill in the company name. This must be issued by a telecommunications company; bills from managed or shared offices are not acceptable.

  Phone bills in the name of an individual, when the certificate request is being made in the name of a business, are not acceptable, except in three situations:

  • If you are using a VAT registration certificate as your proof of an organisation name, and the VAT registration also includes your own name as the sole trader (e.g. Joe Bloggs trading as Bloggsco) then a phone bill in your name (Joe Bloggs) is acceptable.

  • If you are using a bank letter as your proof of an organisation name, and you are the person named on the bank letter, then a phone bill in your name is acceptable.

  • If you are requesting a certificate on behalf of a registered company (e.g. Ltd/PLC/LLP in the UK), and you are the corporate contact for the certificate, and you are listed as a director/partner of the organisation at the relevant company registry (e.g. Companies House in the UK) then a phone bill in your name is acceptable.

If you do not have a phone line in the company name, and none of the three circumstances listed above apply, then the final verification will have to be performed by letter rather than by phone - see below.

Why might Thawte need to perform verification by letter instead of by phone? How do they do this?

If the organisation/person requesting the certificate does not have a phone line in their name, verification must be done by letter rather than by phone call.

Thawte will send an email to the Corporate Contact, containing a standard text for a letter. This must be printed out on the letterhead of the organisation who are applying for the certificate. The corporate contact must then sign the letter in front of a Commissioner for Oaths (UK/Ireland) or a Notary Public (almost everywhere else) who will witness his or her signature and stamp the letter with their stamp. Once that has been completed, the letter should be faxed back to us (we may also ask you to post us the original if the Commissioner's/Notary's stamp does not fax well).

What is a Commissioner for Oaths?

Commissioner for Oaths is a title held by almost all UK and Irish solicitors, some legal executives and Justices of the Peace. Once you have signed the verification letter in front of them, they will sign and stamp your letter for you to confirm that it is your signature. You will be required to provide some form of ID (a passport is usual) which shows your signature on it. They charge a statutory fee of £5 for this service.

You can also get your letter signed by a Notary Public if you wish. Notaries Public will tend to charge considerably more for their services (usually £60 or more) and they use an embossed stamp which does not fax well. If you have had your letter signed by a Notary Public, please post your Notary letter to us as well as faxing it - here is our address.

Please note - most other countries use Notaries in the same way as the UK and Ireland use Commissioners for Oaths, so Thawte often refer to a "notary signature" on a verification letter. If you are in the UK or Ireland, you do not need to have your letter signed by a Notary Public, unless you wish to do so.

Where can I send my documentation?

If you need to post us documentation, here's our address.

Otherwise you can fax it to us on +44 (0) 20 8394 2888, or directly to Thawte on +44 (0) 800 917 5240 (or both, if you prefer).

Help! I have a problem with documentation...

I am not a registered company, nor am I registered for VAT, and I don't have a bank account in my trading name.

In this case you would not be able to obtain a certificate including your trading name, as we would not be able to verify it. You would have to either obtain the certificate in your own name rather than your trading name, or alternatively you may wish to consider opening a bank account in your trading name.

We are a registered company, but our domain is registered to our previous name.

This should not be a problem. In most cases where we can look up documentation online, previous names of a registered company will be shown along with the current company details. Where we need printed documentation such as a certificate of company registration, these, too, usually show previous names. As long as we can tie the current name to the older name, everything should be fine.

Note that if there has been a transfer of assets from Company A to Company B, rather than simply a change of company name, we will probably need a domain release letter from Company A. Generally speaking, if Company A and Company B have different company registration numbers, we will require documentation.

Our domain is registered to a company which no longer exists (or has never existed).

You will need to get the domain records updated to show the current company name to whom it should be registered, as in these circumstances we cannot request a domain release letter for the domain. Contact the company who manage your domain, or alternatively the domain registry concerned, for more details.

We are a registered company (limited/PLC or similar) but we want to obtain a certificate in our trading name, not the registered company name.

UK: Sorry, we cannot do this as there is no legal way of registering a trading name within the UK. The only circumstances in which this could happen would be if the trading name had its own VAT registration or bank account (which usually means it's a separate entity in any case). A trade mark document is not sufficient.

Ireland: If the trading name is registered as a Registered Business Name with the Companies Registration Office, we can issue a certificate in that name, otherwise it will not be possible.

Netherlands: If the trading name appears as an alternative name on your KvK registration, we may be able to issue the certificate in that name - please ask. Otherwise it will not be possible.

Last updated: March 24th 2008
Last checked: October 14th 2009

© Copyright Herald Information Systems, 1999 - 2009.