Signing up for SWITCHpki
Organizations from the SWITCH community (as defined in appendix 1 of the Service Regulations for Services by SWITCH) are welcome to join SWITCHpki. To participate, please submit the following documents, which must be signed by an official representative of your organization (director or department head, who is authorized to legally bind the organization):
- The SWITCHpki RA Agreement - please contact firstname.lastname@example.org to get your copy. By signing this agreement, the applying organization declares its intent to become a SWITCHpki registration authority.
- The SWITCHpki Certificate Applicant Proxy form. This form appoints the representatives of the organization who are authorized to sign subscriber agreements and approve certificate requests on behalf of the organization. We recommend assigning both the Contract Signer and the Certificate Approver role to every representative. The proxy form must be updated/resubmitted whenever information contained therein changes.
As stated in the RA Agreement and the forms, the following documents must be enclosed as well:
- a proof of existence of the organization (excerpt from the register of commerce or another official document, such as a cantonal law or official code reference thereof or similar);
- copies of valid, official photo identification documents of each Contract Signer and Certificate Approver (those appointed on the proxy form - passport or identity card, but no documents with unlimited validity like driver's licenses).
Finally, to be able to request Extended Validation (EV) certificates, we also require the following documents:
- if the organization is not listed in the register of commerce: a document proving the date of creation of the organization, i.e. a copy of the law by which a university was originally established, a copy of the charter or similar;
- a copy of the SWITCHpki QuoVadis Certificate Holder Agreement, signed by one of the authorized Contract Signers (as appointed through the SWITCHpki Certificate Applicant Proxy form, see item 2 above).
Depending on the specific SWITCHpki certificate type, the following documents apply to the service and are considered an integral part of the RA Agreement:
- the QuoVadis CP/CPS (for Root CA and Root CA3 as well as for Root CA2)
- the SWITCHpki QuoVadis Certificate Holder Agreement
- the EV SSL Certificate Guidelines
- the SWITCHpki Identity Validation for Server Certificate Requests document
- the SWITCHpki Identity Validation for User Certificate Requests document
DNS Domain Authorization Process
Organizations declare their willingness to take responsibility for specific DNS domains by means of the appropriate SWITCHpki DNS Domain Authorization Form. DNS domain names that are to be authorized to receive a certificate must pass through a domain validation process. This procedure is described in detail here.
RA models for SWITCHpki
Organizations participating in SWITCHpki operate under one of two RA models (a new organization always starts under the "Retail" model):
Suitable for organizations requiring a small to medium number of certificates per year. Under this model, the RA operators (PKI contact persons) of the organization will confirm a request to the SWITCH RA, and one of the SWITCH RA operators will subsequently issue the certificate through the CA provider's Web interface.
Suitable for organizations requiring a large number of certificates per year. Under this model, the RA operators of the organization get direct access to the Web interface of the CA provider and are able to approve requests and issue certificates independently of the SWITCH RA.