Recently I ordered another SSL certificate, issued via GeoTrust / RapidSSL. I’ve never had any issues before, and the provisioning, authorisation and issuing of the certificate are usually pretty much instantaneous.
HOWEVER, it looks like something’s gone very wrong at GeoTrust / RapidSSL, or perhaps they are having an off day?
I placed my order as usual through the provisioning portal and went through the usual verification and authorisation processes; all seemed fine. I waited all day and sent in support tickets to find out what was going on. No reply.
Then in the afternoon I used the live chat to chase, and I was told the order had been stopped for security reasons and that I needed to put a site up at the address I was trying to buy the cert for.
I explained that it’s for autodiscover on an Exchange server, not for a website, so they wouldn’t be able to verify the contents of the site anyway. I just got sent round in a loop over and over again: I need to put a site up. I provided links to what autodiscover does (it’s a Microsoft requirement, after all) and was still stuck in the same loop. A simple Google search would have shown them that it’s a genuine requirement. I then put up a redirect to the main website, so there was at least some content there; that wasn’t good enough, the security check failed, and the order was cancelled.
The suggested solution was to place the order again, as the probability of being caught out by the random security check again was slim. Seriously, that was the suggestion. So I placed the order again, everything worked fine, and the certificate was issued.
Talk about ridiculous, retarded, stupid, moronic, and generally badly designed policy.
My suggestion to GeoTrust / RapidSSL would be to:
- Redesign your processes – having content on a site is a very bad way of checking if something is legit. What stops someone putting a spam site up later on?
- Close an additional hole in the process: I was able to simply place the order again after security validation had failed the first time. Eh, what?
- Train your staff to think for themselves – anyone technical could tell you that needing autodiscover.domain.com is a legitimate requirement.
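To make concrete why a certificate covering autodiscover.domain.com is needed even though nothing is ever "browsed" there (the point made above about autodiscover and again in the last suggestion), here is an added example that is not part of the original post and not GeoTrust / RapidSSL or Microsoft code. It lists the HTTPS endpoints an Outlook Autodiscover client probes for a mailbox domain (the Active Directory SCP lookup that domain-joined clients try first is left out, and the HTTP-redirect and SRV fallbacks are shown only as names), then checks which of those hostnames a given certificate's Subject Alternative Names actually cover, using the usual rule that a wildcard matches exactly one left-most label. The domain and SAN lists are constructed sample inputs.

```python
"""Added example: which hostnames an Autodiscover certificate must cover.

The client only trusts an Autodiscover response served over HTTPS with a
certificate valid for the host it connected to; it never inspects "site
content" at that address.  Probe order and hostnames below follow the
documented Outlook sequence; the sample domain and SAN lists are
constructed for illustration.
"""
from urllib.parse import urlsplit


def autodiscover_probe_order(domain):
    """Endpoints an Autodiscover client tries, in order, after the SCP lookup.

    Only the "https" entries require a certificate; the "http-redirect"
    step must answer with a redirect to an HTTPS URL, and the "srv" step
    is a DNS lookup whose target is then contacted over HTTPS.
    """
    return [
        ("https", f"https://{domain}/autodiscover/autodiscover.xml"),
        ("https", f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"),
        ("http-redirect", f"http://autodiscover.{domain}/autodiscover/autodiscover.xml"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]


def name_matches(san, hostname):
    """Does one certificate name (possibly '*.example.com') match hostname?

    A wildcard is only honoured in the left-most label and matches exactly
    one label, so '*.example.com' covers 'autodiscover.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        san_labels = san.split(".")[1:]
        host_labels = hostname.split(".")
        return len(host_labels) == len(san_labels) + 1 and host_labels[1:] == san_labels
    return san == hostname


def cert_covers(cert_sans, hostname):
    """True if any SAN entry on the certificate is valid for hostname."""
    return any(name_matches(san, hostname) for san in cert_sans)


def hosts_needing_cert(domain):
    """Hostnames the client will connect to over HTTPS during Autodiscover."""
    return [urlsplit(url).hostname for kind, url in autodiscover_probe_order(domain)
            if kind == "https"]


def missing_names(cert_sans, domain):
    """Autodiscover hostnames that cert_sans does not cover for this domain."""
    return [host for host in hosts_needing_cert(domain) if not cert_covers(cert_sans, host)]


if __name__ == "__main__":
    # Constructed sample: a typical "website" certificate versus one that
    # also names the autodiscover host.
    web_only = ["example.com", "www.example.com"]
    with_autodiscover = ["example.com", "www.example.com", "autodiscover.example.com"]
    print("web-only cert is missing:", missing_names(web_only, "example.com"))
    print("with autodiscover missing:", missing_names(with_autodiscover, "example.com"))
```

Running it shows that a certificate issued only for the main site leaves autodiscover.example.com uncovered, so the second HTTPS probe fails certificate validation and Outlook falls through to the less secure fallbacks; that hostname has to be on the certificate regardless of whether anything is hosted there for a browser to see.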