Certificate types
We ensure that the TLS certificates in use are issued by reputable public certificate authorities.
The list of certificate authorities in use for our EPP service is made available through the DNS mechanism called "DNS Certification Authority Authorization (CAA)". A CAA record exists in the DNS zone responsible for publishing our EPP service.
Details
The server sends its certificate to the client during the TLS handshake when the connection is established. The client then validates the certificate against the rest of the certificate chain.
The certificate authority usually makes its intermediate and root certificates readily available. These certificates make up the rest of the certificate chain. If your software doesn't automatically obtain the root certificate of the issuer, you'll have to acquire it yourself and configure your software to use it for certificate validation.
Please also note that:
- EPP clients do not have to present a TLS certificate to our EPP servers to be able to use the service.
- Our EPP servers do not require validation of TLS certificates. They present a certificate that the client can choose to validate.
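Because validation is left to the client, an EPP client has to turn it on itself. The following is an added example, not code from this service: it reads the authorised CA domains from CAA records and opens a connection that fails unless the certificate chain and hostname validate. The CAA records are constructed samples, the hostname you pass in and the `ca_file` path are your own values, and port 700 is the IANA-registered EPP port.

```python
import socket
import ssl

# Constructed CAA records in zone-file presentation form (not this service's real records).
SAMPLE_CAA = [
    '0 issue "ca.example"',
    '0 issue "otherca.example; validationmethods=dns-01"',
    '0 issuewild ";"',
]

def parse_caa_issuers(records):
    """Return the CA domains authorised by 'issue' properties (RFC 8659)."""
    issuers = set()
    for rec in records:
        _flags, tag, value = rec.split(None, 2)
        if tag.lower() != "issue":
            continue                      # issuewild / iodef are not handled here
        value = value.strip().strip('"')
        domain = value.split(";", 1)[0].strip().lower()  # drop CA parameters
        if domain:                        # a bare ";" authorises no CA at all
            issuers.add(domain)
    return issuers

def make_context(ca_file=None):
    """Build a TLS context that enforces chain and hostname validation.

    ca_file: PEM bundle holding the issuer's root certificate, for software
    whose trust store lacks it. When given, only that bundle is trusted.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True             # defaults, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def connect_validated(host, port=700, ca_file=None, timeout=10):
    """Connect to the EPP server and return the issuer organisation name.

    Raises ssl.SSLCertVerificationError if the chain or hostname is invalid.
    """
    ctx = make_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return issuer.get("organizationName")
```

CAA names CAs by domain while a certificate names its issuer by organisation, so matching the value returned by `connect_validated` against the `parse_caa_issuers` output is a manual check.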