TLS Certificate

The TLS certificate is primarily intended for the creation of a secure communication channel over the Internet via the TLS/SSL protocol. It enables encrypted data transfer for users accessing the web, email, or other TLS/SSL services on your server. An applicant for a certificate may be:

  1. Legal person
  2. Natural person

Applicant identification

A TLS certificate contains two mandatory items: CN (CommonName), which is the name of the component or device, and C (countryName), which is a two-character country abbreviation, e.g. SK for the Slovak Republic. The fully qualified domain name (FQDN) of the component (e.g. CN = www.disig.sk) may be used as CN. The condition of issue is to prove that the domain belongs to the entity applying for the TLS certificate. Optional items include City and Organization. If the Organization (O) is filled in the request, the Locality (L) shall also be filled in. If the Organization (O) item is not completed, the Locality (L) item shall not be completed either. The applicant for this type of certificate shall submit:

Legal person

  • Identity Card - Statutory Representative or Plenipotentiary.
  • Power of attorney - submitted in case the statutory body of the certificate holder cannot personally visit the RA branch and has authorized another person to take over the certificate. Only a power of attorney verified by a notary is accepted!
  • Original or officially certified copy of the extract from the trade register not older than three months (to be consulted).
  • An officially certified copy or photocopy of the extract from the trade register (remains at RA Disig).

Natural person

  • Identity Card - Statutory Representative or Plenipotentiary
    1. Citizen of the Slovak Republic - valid identity card
    2. EU citizen - identity card
    3. Third-country national - residence permit on the territory of the Slovak Republic and another document with a photo confirming his/her identity
  • Power of attorney - submitted in case the statutory body of the certificate holder cannot personally visit the RA branch and has authorized another person to take over the certificate. Only a power of attorney verified by a notary is accepted!

Create a request to issue a TLS certificate

A TLS certificate is issued on the basis of an electronic request in PKCS#10 or SPKAC format, which the applicant generates by their own means on their own system resources.
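
A pre-submission check of the subject rules from the "Applicant identification" section (CN and C mandatory, two-character C, O and L filled in together), as an added example that is not Disig's own code. It assumes the subject is supplied as the one-line, comma-separated text printed by `openssl req -in request.csr -noout -subject` (file name hypothetical); the function names and sample subjects are constructed for illustration.

```python
import re

def parse_subject(line):
    """Parse a one-line subject such as 'subject=C = SK, CN = host' into a dict."""
    line = line.strip()
    if line.lower().startswith("subject="):
        line = line[len("subject="):]
    fields = {}
    # Assumption: components are comma-separated and a comma inside a value
    # is backslash-escaped, so split only on unescaped commas.
    for part in re.split(r"(?<!\\),", line):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed subject component: %r" % part)
        value = value.strip().replace("\\,", ",")
        fields.setdefault(key.strip().upper(), []).append(value)
    return fields


def check_subject(line):
    """Return the list of rule violations; an empty list means the subject passes."""
    f = parse_subject(line)
    problems = []
    if not any(f.get("CN", [])):
        problems.append("CN (CommonName) is mandatory")
    country = f.get("C", [])
    if not any(country):
        problems.append("C (countryName) is mandatory")
    elif any(not re.fullmatch(r"[A-Za-z]{2}", c) for c in country):
        problems.append("C must be a two-character country abbreviation")
    has_o, has_l = any(f.get("O", [])), any(f.get("L", []))
    if has_o and not has_l:
        problems.append("O is filled in, so L must be filled in as well")
    if has_l and not has_o:
        problems.append("L must not be filled in without O")
    return problems


# Constructed sample subjects (not taken from real requests).
SAMPLES = [
    "subject=C = SK, CN = www.example.sk",
    "subject=C = SK, O = Example\\, s.r.o., L = Bratislava, CN = www.example.sk",
    "subject=C = SVK, O = Example, CN = www.example.sk",
    "subject=L = Bratislava",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_subject(s) or "OK")
```
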

The process of issuing a TLS certificate

A TLS certificate can only be issued at the head office of Disig, a.s. The applicant shall send the certificate request by e-mail to radisig@disig. The RA employee checks the formal correctness of the certificate request and verifies control over all the domains in the request, as well as other data according to internal regulations. After completing all the necessary verifications, he/she shall agree on a date for the meeting with the applicant. At a face-to-face meeting, the RA staff member verifies the compliance of the data in the application with the data in the submitted documents. After verifying the identity of the applicant for the certificate, the RA worker will forward the request to the CA for processing. The process of issuing the TLS certificate is completed by signing the appropriate documentation. At the client's request, the RA worker saves the issued TLS certificate on the device brought by the client. The issuing process takes about 20 minutes.

TLS certificate validity

The TLS certificate validity starts with the date and time of issuing. The TLS certificate can be issued with a maximum validity of 395 days. After this period the TLS certificate expires automatically and can no longer be used for the purpose for which it was issued. A TLS certificate that has expired or has been revoked cannot be renewed. For renewal, the applicant must proceed with the entire process of requesting and verifying identity as in issuing the original TLS certificate.

Conditions for revoking a TLS certificate

In case the TLS certificate must be revoked for one of the following reasons:

  • keyCompromise (RFC 5280 CRLReason #1),
  • privilegeWithdrawn (RFC 5280 CRLReason #9),
  • cessationOfOperation (RFC 5280 CRLReason #5),
  • affiliationChanged (RFC 5280 CRLReason #3) or
  • superseded (RFC 5280 CRLReason #4),
the provider must make available to the end user more detailed information about the above-mentioned options, together with an explanation of when to choose each option when requesting certificate revocation and how to proceed in relation to the provider. Detailed information is available here - TLS certificate revocation conditions

Test TLS

In accordance with the CA/Browser Forum requirements in section 2.2 of the current version of the document "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates", the certification authority is required to provide a website that allows application vendors to test their software using issued TLS certificates that are linked to trusted CA Disig root certificates. At a minimum, pages with valid, revoked and expired TLS certificates must be available.

Root certification authority: CA Disig Root R2

Subordinate certification authority | Test page URL
CA Disig R2I2 Certification Service | Test SSL - CA Disig R2I2