SSL Validation Process Frustration

Hi Everyone,

A couple of weeks ago I purchased a Instant SSL certificate. I am now starting to wish I hadn’t!

I am writing here in the hope of some advice.

Let me start by explaining that I am in Australia and have a domain name. Those of you who aren’t aware the requirements here to hold a domain are

  1. The domain name must be the same as your business name or “closely related”
  2. You must be a registered business
  3. Documentation must be submitted to the registrar proving the above

Anyway that aside, as requested, I have sent in a copy of a bank statement which shows my business name etc and also the invoice for the requested SSL certificate domain (to show ownership).

Now as I understand it that is enough to identify yourself according to the email sent to me by comodo. But now I am been requested to change the whois details on the domain to show my ABN (Australian Business Number)?

Firstly, my ASIC business number is already on the whois registry. I emailed support a link straight to the government website to my registration details but was told that is not enough. So I asked the domain registrar who told me it was totally unnecessary for me to change the details and it would cost me $220 to do so. They said this isn’t a requirement.

Secondly, while it is a requirement to have a registered business (for the domain) it is not a requirement to have an ABN (only if your business turns over more than 70k). For the record my business is registered in Western Australia which entitles me to trade in any state in Australia. The business number is recorded on the whois registry.

Oh and in case your wondering domains can’t be searched through a normal whois query. They must be searched through the governing body website. Thats how they can justify the $220 to change it >:(

So to cut a long story short is a copy of the business bank statement and a domain name payment receipt enough? And for those of you who have been through this process did you have this much trouble.

Any suggestions would be welcome. I feel like I am getting no where and this has gone on for two weeks.


The ASIC number should be sufficient for the validation of your order, as long as the ASIC number on the WHOIS results for the domain matche the number for your company verified with:

I would suggest calling the Comodo help number 703-581-6361 (Int’l) or sending an email explaining that you do not have an ABN number but do have an ASIC number and that it does appear on the WHOIS registry to the validation department at Make sure to include your order number on the email.

Hope this helps.

Ok, so I still don’t have my SSL certificate after 6 weeks. I have called support and they insist I must have an ABN number.

Never thought it would be so hard. So how do I get a refund? If you are thinking about getting a ssl cert from these guys …try someone else because the verification process is a total joke!!

I’m very sorry for the trouble you have had with this. I have just been able to confirm your WA BN on ASIC. I could not search by the business number however, which is the method I think my staff uses in most cases. I finally did find it by your DBA name and am issuing your certificate. I do apologize for the trouble and confusion. I am sending this out as a teaching case to my staff in the hope that this will not happen again. My sincere apologies.

The new validation process which requires one to click on a link in an automatically generated email is somewhat flawed and does not take into account real world.

For Australian .au domains the process is particularly problematic.

Because Comodo’s use a generic Whois look up which does not access the registrant’s email address and NOT the Ausregistry whois which contains the registrant’s email address we have to choose from a list of mostly honeypot email addresses for the validation email to be sent to.

One would think that this should not cause a lot of problems but it does - especially when the domain uses an exchange server. Firstly our clients are often not web savvy - they do not have the ability ti set up a new email address on their server. Or they do not know how to whitelist emails sent from doc[at] or even *[at] There can be other issues such as network admins not being co-operative or on holidays or whatever.

The whole process becomes a farce particularly as most spam filters that I have seen - including the one on Gmail blocks your validation email from the address you send from ie. docs[at] Not that your “support” people know that as they insist it is sent from “support[at] and support[at]”.

I can’t see that the email validation process adds anything especially when the SSL is being purchased via a reseller (ie. not a direct sale).

I see that matter is being studiously ignored by “staff”.

Some whois servers simply do not allow us to pull the information due to the necessity of typing in a code to get to the data. It is for that reason that we allow for a small set of generic admin type addresses to also be used. If you are a reseller, you may also implement your own domain control verification system. We have come up with several different acceptable options for doing so. If you wish to obtain more information, please send a request to customerrelations[at] We will consider these requests on a case by case basis.

The hope that was held out by Rich_S has been snatched away. In mid-November I was told after several emailed requests that the work around was no longer available.

So we still have to go through the ridiculous rigmarole of setting up a special email address and waiting around for hours for the validation email (which inevitably gets blocked in every spam filter known to humankind as must be flagged as spammers everywhere and they are too lame to take themselves off the known spammer lists) and then wait around more hours for the Validation Department (VD - most appropriate) to get off their asses.

Please re-advise your staff of this. In ticket KXI-346573, I advised your staff:
“[on the whois record] You can clearly see however the NSW registered business number, which you can lookup here:

I was assured that there is a strict policy of validation, and this did not satisfy.

Hello ,

It have been the same for me but i have been waiting now more than 2 months. I did provide all the documents more than 1 time . I sent many faxes , many documents and finally after 2 months , they are saying to me that the last thing to verify is the number of our company . but it doesn’t make any sence , its even written anywhere that the number have to be verify and they say to me that my number have to be on the website. My address is showing but not my number . What can i do guys i have been waiting more than 2 months and 3 weeks now. And they cant even verify by calling us on the number provided.

I am desperate. it have been to long now for a ev certificate.

Waiting for your answer asap.

Regards Ltd

I know what you guys are going through…I, right now, am also waiting the never-ending Comodo wait…which is very similar to a few previous experiences. This may be the last one at the rate it’s going, I think I’m going to switch SSL companies for myself and my customers (I own a web hosting company). In my case, the DCV e-mail came, I clicked the link and pasted the code in the box, but all I ever get on the next screen is: “You have entered the correct Domain Control Validation code, but the validation procedure for this certificate has already been completed on a previous occasion. Please close this window now.” I have pasted this in e-mails/tickets to Comodo, I’ve even attached a screenshot of it in the ticket, yet they still haven’t issued my PremiumSSL Wildcard certificate that I have paid for. My old certificate is now expired, I have customers complaining, I can’t take any payments, my business is virtually down…and all I keep getting from them is redundant replies stating that they have reset the e-mail. I keep telling them if it doesn’t work the first 5 times, and nobody does anything but resend an e-mail, it’s not going to work the next 5 times either…and I’ve done it (attempted it) over 10-15+ times now. I don’t know what is wrong with them or their system, to not understand that. Now I"m losing customers, as a few of my customers think I’m going out of business because when they go to login to their control panel, they see the expired certificate warning. My legal dept. is now adding up costs/losses as a result of this…since this is so utterly ridiculous…and not one single apology for the delay, if you read the ticket…it’s as if they don’t even care, they’re like robots…they just keep repeating the same thing over and over and over again, resent e-mail, resent e-mail, etc. They can also verify that I own the domain in any whois database…it’s a .net domain, it’s not like it’s uncommon and not in whois databases everywhere. I even e-mailed them FROM an e-mail address at the domain needing verification, also proving that I own the domain…so I don’t understand where the major malfunction is with them understand that I own the domain. Talk about frustration…


I agree and I would encourage people to look for another SSL certificate provider.

I have just passed through the same annoying process. Using third parties as d& or yellow pages to verify the identity, returning back the forms because they name wasn’t exactly the same and again and again and again… We even had to make an international call!

I actually think that a trustuful verfication would be to call or send an inquiry to the respective registry in the country the company is based. Those archives are normally public and the can be consulted anytime.

I couldn’t be more dissapointed with the process. Let’s see how it goes with the certificate.

Best Regards,


Not sure what’s going on at Comodo, but after years of fairly hassle-free verification, they’ve now switched us to manual verification for certs which involves copy of passport and 2 utility bills. As web hosting provider we just can’t do that, would simply not be worth the money to jump through the hoops. Email is okay as we can handle this on behalf of our clients if they host email with us.

I’ve now signed up with a competitor, just can’t afford to have all my certs stuck in manual validation.

PS: yesterday I was fuming, but today all is sorted with my new provider so I can take a relaxed view & wave good bye to Comodo.

For this moment I think this has something to do with it:

Comodo issues fraudulent Google, Microsoft, Mozilla, Skype, Yahoo certificates


Your company should have been acquiring the items in question as a company as per our RA Validation Guidelines (PDF; which will be updated soon), so this shouldn’t have been a problem for your company to provide us with… That is if your company was doing what it was supposed to do in the first place as per the RA contract your company signed.

We don’t have an RA contract - we are simply resellers and log in as “Existing Comodo CA Customers (including Existing Resellers)”. I’ve got a complete copy of the T&Cs in my reseller account if you need a copy … they are called “Reseller Click-Through Agreement”.

You should have something similar to this PDF…

Here’s our partner (Reseller) portal: