
optionally mail or fax copies of your business license, articles of incorporation, or partnership papers along with your request for a code-signing certificate. Once your request, including any appropriate documentation, has been submitted, VeriSign takes it under review. If everything is in order, a code-signing certificate is issued, and you are given instructions on how to retrieve it so that you may distribute and use it. Unlike a personal certificate, the request for a code-signing certificate is reviewed and verified by an actual living human being, and so is not made immediately available. Depending on VeriSign's workload, it may take several days for the certificate to be issued, although VeriSign expedites requests for an additional fee.

3.2.3 Web Site Certificates

The process of obtaining a certificate for use in securing a web site, which VeriSign calls a secure server certificate, is similar to the process for obtaining a code-signing certificate. Much of the same information is required, although there are some differences worth noting. Obviously, one of the primary differences is in the types of certificates offered. While code-signing certificates differ based on the type of code that will be signed (Netscape plug-ins versus Java applets, for example), secure server certificates are either 40-bit or 128-bit SSL certificates. That is, web site certificates explicitly restrict the size of the symmetric keys that should be used with the certificate. We recommend you stick with 128-bit certificates, since 40-bit symmetric keys are widely regarded as unacceptably weak.

No matter which server software you plan to use, you must follow its instructions on how to generate a Certificate Signing Request (CSR). Due to the wide variety of servers available today, it is not practical for us to provide instructions on how to do this here. VeriSign has instructions for many of the more popular servers available on its web site. Generating the CSR also generates a key pair. While you must submit the CSR to VeriSign to have the certificate issued, you should keep the private key to yourself. It should not be sent to VeriSign or to anybody else.

As with code-signing certificates, you must also provide acceptable proof to VeriSign that you have a right to the certificate you are requesting. The options for providing this proof are the same: provide either a D-U-N-S number or a copy of one of the aforementioned acceptable documents. Additionally, a secure server certificate is bound to a domain name. VeriSign will issue certificates only to the registered owner of a domain. This means that if the domain is owned by a corporate entity, you must be an employee of that company.

Once your request, including any appropriate documentation, has been submitted, VeriSign takes it under review. If everything is in order, a secure server certificate is issued and the certificate is emailed to the technical contact that was provided when the request was submitted. As with code-signing certificates, an actual living human being reviews the information, so it may take several days for the certificate to be issued, depending on VeriSign's workload. Expedited processing is also available for an additional fee.
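
The CSR step described above, as an added example that is not from the original text: it generates a key pair and CSR with the `openssl` command-line tool, then checks that the CSR carries only the public half of the key and names the intended domain before anything is submitted. The domain `www.example.com`, the subject fields, the file names and the 2048-bit RSA key size are placeholder assumptions, not values required by any particular server or CA.

```shell
#!/bin/sh
# Added example: make a key pair and CSR, then check what is safe to submit.
# www.example.com, the subject fields and rsa:2048 are placeholder choices.

# make_csr DIR DOMAIN: writes DIR/server.key (private) and DIR/server.csr.
make_csr() {
    dir=$1; domain=$2
    old_umask=$(umask)
    umask 077                       # private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/O=Example Corp/CN=$domain" 2>/dev/null
    rc=$?
    umask "$old_umask"
    return $rc
}

# csr_matches_key DIR: succeeds only if the CSR's self-signature verifies,
# its public key is the public half of server.key, and the CSR file holds
# no private key material.
csr_matches_key() {
    dir=$1
    openssl req -in "$dir/server.csr" -noout -verify 2>&1 |
        grep -q 'verify OK' || return 1
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ] || return 1
    ! grep -q 'PRIVATE KEY' "$dir/server.csr"
}

# csr_common_name DIR: prints the domain name the certificate would be bound to.
csr_common_name() {
    openssl req -in "$1/server.csr" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Demo run in a throwaway directory: only server.csr is ever sent to the CA.
work=$(mktemp -d) && make_csr "$work" www.example.com &&
    csr_matches_key "$work" &&
    echo "submit $work/server.csr for $(csr_common_name "$work"); keep server.key private"
```
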

3.3 Setting Up a Certification Authority