We want to replace an expired certificate for a subdomain hosted in its own server, for example:
department.area.city.gov
We only have control over that server and subdomain. For security reasons (changed recently), there are no *@city.gov email accounts (the usual way of verification, e.g., [email protected]), and there is no way we can persuade them to add files or modify DNS settings in order to verify (the COMODO alternatives).
How can this problem be solved? Anyone had experience with such cases?
Get another provider of certificates, one who will accept some other form of documentation proving that you have the authority to get a certificate for your domain.
The standard practice would be for an organization to have a few persons authorized to approve a certificate. Anybody can apply for a certificate, but it will not be issued until those designated persons have approved it. They need not have email addresses within the domain for which the certificate is issued; they just need to be able to prove that the company that owns the domain has authorized them to approve certificates.
After some time, we managed to use Comodo and GeoTrust (quick and cheap) certificates. This is how:
1) Comodo seems to ask for *@city.gov email accounts in its common domain verification method. However, using its alternative methods, you can verify your subdomain by adding a text file to it, like: http://department.area.city.gov/HASHFILE.txt
The trick is that HASHFILE.txt must contain another hash; it doesn't work if HASHFILE.txt is empty, which is different from Google verification (that was my mistake).
2) GeoTrust certificates (like RapidSSL) can be validated using email addresses at different levels. That is: you can verify your subdomain if you can receive emails at *@department.area.city.gov.
We went with Comodo, but Geotrust should work as well.
Thanks for your help.
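A pre-flight check for the HTTP-file validation step described above, as an added example (not code from the original post, from Comodo, or from GeoTrust). It fetches the validation file from the subdomain's web server the same way a CA's checker would and confirms the body is non-empty and carries the hash the CA asked for, so the empty-file mistake the answer mentions is caught before the CA runs its own check. The hostname is the one from the post; the filename and token values are constructed placeholders, and the exact file format a given CA expects is an assumption you should confirm against the CA's instructions.

```python
"""Pre-flight check for a CA's HTTP-file domain control validation.

Added example, not code from the original post or from any CA. Hostnames,
filenames and token values are constructed placeholders.
"""
import urllib.request
from typing import List, Tuple
from urllib.error import URLError


def check_dcv_body(body: bytes, expected_lines: List[str]) -> Tuple[bool, str]:
    """Validate a downloaded validation-file body against what the CA expects.

    Returns (ok, reason). An empty or whitespace-only file is rejected
    outright (the mistake from the post); then every expected line (e.g. the
    hash the CA issued) must appear as its own line, ignoring surrounding
    whitespace and CRLF/LF differences.
    """
    text = body.decode("utf-8", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, "validation file is empty; the CA expects the hash inside it"
    missing = [exp for exp in expected_lines if exp.strip() not in lines]
    if missing:
        return False, "missing expected line(s): " + ", ".join(missing)
    return True, "ok"


def fetch_dcv_file(host: str, filename: str, timeout: float = 10.0) -> bytes:
    """Download http://<host>/<filename> over plain HTTP.

    Plain HTTP is used on purpose: the post's validation URL is http://, and
    the old certificate has expired, so an https:// fetch would fail anyway.
    """
    url = "http://%s/%s" % (host, filename)
    req = urllib.request.Request(url, headers={"User-Agent": "dcv-preflight/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if resp.status != 200:
            raise RuntimeError("unexpected HTTP status %d for %s" % (resp.status, url))
        return resp.read()


def preflight(host: str, filename: str, expected_lines: List[str]) -> Tuple[bool, str]:
    """Fetch and validate in one step; network errors become a failed result."""
    try:
        body = fetch_dcv_file(host, filename)
    except (URLError, RuntimeError, OSError) as exc:
        return False, "could not fetch validation file: %s" % exc
    return check_dcv_body(body, expected_lines)


if __name__ == "__main__":
    # Constructed values: the subdomain from the post, a placeholder filename
    # (the CA names the file after a hash) and a placeholder for the hash the
    # CA tells you to put inside it.
    HOST = "department.area.city.gov"
    FILENAME = "HASHFILE.txt"
    EXPECTED = ["PLACEHOLDER_HASH_FROM_CA"]
    ok, reason = preflight(HOST, FILENAME, EXPECTED)
    print("PASS" if ok else "FAIL", reason)
```

Run it after uploading the file and before submitting the order to the CA; a FAIL with "validation file is empty" is exactly the case the answer warns about, and a fetch error usually means the web server is not serving the path on plain HTTP.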