E-Mail Address Handling in SSL and S/MIME Certificate Orders

When processing SSL Certificate orders, it's crucial to distinguish between the purchaser (the person placing the order via our website or API) and the end user (the person or organization who will be using the SSL Certificate).

These are often different entities, especially in business scenarios where IT administrators order SSL Certificates on behalf of their organizations or clients.

The Purchaser vs End User Distinction

The e-mail address of the person submitting the order represents the purchaser - the person who placed the order, manages the account, and needs to receive all order-related communications. This is typically an IT administrator, web developer, or business owner who is responsible for obtaining and installing SSL Certificates.

An e-mail address associated with the end user represents the SSL Certificate subject - the person or organization whose information will be embedded within the SSL Certificate itself.

For SSL Certificates, this might be the technical contact at the organization.

For S/MIME Digital Certificates, this is the e-mail address that will be secured by the Digital Certificate.

How E-Mail Parameters Are Used

For each SSL Certificate order we generally set four critical e-mail parameters, each serving a specific purpose :

E-Mail Address - This parameter determines where we send the actual SSL Certificate once it's issued. We set this to the purchaser customer e-mail to ensure the purchaser receives the SSL Certificate they ordered. The purchaser is responsible for installing or distributing the SSL Certificate to the appropriate systems or users.

Representative E-Mail Address - This is used for all critical customer communications, including validation instructions for OV/EV SSL Certificates, account setup information, and any security warnings. We set this to the purchaser e-mail address because the purchaser needs to receive and act on these important notifications.

Contact E-Mail Address - This specifies the e-mail address that validation staff will use if they need to contact someone during order processing. We set this to the purchaser e-mail address to ensure any validation queries or issues are directed to the person who placed the order and has the context to respond.

Validation E-Mail Address - This parameter is used by the Certificate Authority (CA) to validate that the end user e-mail address is legitimate, but importantly, there are generally no e-mails sent to this address. Instead, we make contact with the most relevant person if an issue has arisen. We set this to the end user e-mail address - which has been provided by the purchaser via our order form.

S/MIME Specific Considerations

For S/MIME Digital Certificates, there are two additional parameters that specifically relate to the Digital Certificate content :

SAN E-Mail Address and S/MIME Subject E-Mail - These parameters determine what e-mail address is embedded in the S/MIME Digital Certificate Subject Alternative Name field.

This must be the end user e-mail address (the one that will use the Digital Certificate for e-mail encryption and signing), not the purchaser e-mail address. We set both of these to the end user e-mail address from the order form.

Why This Separation Matters

This separation ensures that SSL Certificate delivery and management communications go to the right person - the purchaser who has the technical knowledge and access to handle them.

Meanwhile, the end user information is correctly embedded in the SSL Certificate for validation and usage purposes. This is particularly important in enterprise environments where a single administrator might order dozens of SSL Certificates for different end users across their organization.

Summary

In essence, all operational communications and the SSL Certificate itself are sent to the purchaser, while the end user e-mail address is used only for validation purposes and as the subject of the SSL Certificate.

This ensures smooth order processing while maintaining the correct SSL Certificate ownership and usage rights.