GlobalSign Subscriber Agreement

Digital Certificates and Services - Version 3.0

 


 

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE CERTIFICATE ISSUED TO YOU OR YOUR ORGANIZATION. BY APPLYING FOR A CERTIFICATE, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PROMPTLY CANCEL THE ORDER WITHIN SEVEN (7) DAYS OF THE APPLICATION FOR A FULL REFUND. IF YOU HAVE PROBLEMS UNDERSTANDING THIS AGREEMENT, E-MAIL US AT legal@globalsign.com

 

This GlobalSign Subscriber Agreement (the "Agreement") between GlobalSign and the Applicant or Subscriber is effective as of the date of the application for the Certificate (the "Effective Date").

 


 

1.0 Definitions and Incorporation by Reference

The following definitions are used throughout this Agreement:

 

The following policies and associated guidelines are incorporated by reference into this Agreement:

 


 

2.0 Authority to Use Certificates

2.1 Grant of Authority

From the Effective Date and for the term set forth within the validity period of any issued Certificate (“Valid from” date to “Valid to” date), GlobalSign hereby grants to the Subscriber the authority to use the Certificate in conjunction with Private Key and/or Public Key operations. The obligations of the Subscriber in section 4.0 with respect to Private Key protection are applicable from the Effective Date. Effective April 1, 2015, in no event shall GlobalSign issue an SSL/TLS Certificate with a validity period greater than 39 months whether as initial issue, re-key, re-issue or otherwise.

2.2 Limitations on Authority

The Subscriber shall use the Certificate only in connection with properly licensed cryptographic software.

 


 

3.0 Services Provided by GlobalSign

After acceptance of this Agreement and payment of applicable fees, in addition to the “Grant of Authority”, GlobalSign or a third party provider designated by GlobalSign shall provide the following services from the point of issuance of the Certificate.

 

3.1 Provision of Certificate Revocation Lists (CRL), Online Certificate Status Protocol (OCSP) Services and Certificate Issuing Authority Details

GlobalSign shall use reasonable efforts to compile, aggregate and make electronically available for all Certificates signed and issued by GlobalSign’s CA:

 

3.2 Revocation Services for Certificates

Revocation of a Subscriber Certificate shall be performed by GlobalSign within twenty-four (24) hours under the following circumstances:

  • The Subscriber requests in writing to the GlobalSign entity which provided the Certificate that the Subscriber wishes to revoke the Certificate;
  • The Subscriber notifies GlobalSign that the original Certificate Request was not authorized and does not retroactively grant authorization;
  • GlobalSign obtains reasonable evidence that the Subscriber's Private Key has been Compromised, no longer complies with the requirements for algorithm type and key size of the Baseline Requirements, or that the Certificate has otherwise been misused;
  • GlobalSign receives notice or otherwise becomes aware that the Subscriber violated any of its material obligations under the Subscriber Agreement or Terms of Use;
  • GlobalSign is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
  • GlobalSign is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;
  • GlobalSign receives notice or otherwise becomes aware of a material change in the information contained in the Certificate;
  • GlobalSign is made aware that the Certificate was not issued in accordance with the Baseline Requirements or GlobalSign’s CP or this CPS;
  • If GlobalSign determines that any of the information appearing in the Certificate is not accurate or is misleading;
  • GlobalSign ceases operations for any reason and has not arranged for another CA to provide revocation support for the Certificate;
  • GlobalSign’s right to issue Certificates under the Baseline Requirements expires or is revoked or terminated, unless GlobalSign has made arrangements to continue maintaining the CRL/OCSP Repository;
  • GlobalSign is made aware of a possible Compromise of the Private Key of the Subordinate CA used for issuing the Certificate;
  • Revocation is required by GlobalSign’s CP and/or CPS; or
  • The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/B Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).

Revocation of a Subscriber Certificate may also be performed by GlobalSign within twenty-four (24) hours under the following circumstances:

  • The Subscriber or organization administrator requests revocation of the Certificate through a GCC account which controls the lifecycle of the Certificate;
  • The Subscriber requests revocation of the Certificate via a OneClickSSL revocation workflow process;
  • The Subscriber requests revocation through an authenticated request to GlobalSign's support team or GlobalSign’s Registration Authority;
  • GlobalSign receives notice or otherwise becomes aware that the Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of GlobalSign's jurisdiction of operation; or
  • GlobalSign determines, in its sole discretion, that the continued use of the Certificate may compromise the security, reputation or trust status of the GlobalSign CA or GlobalSign.
  • GlobalSign determines the continued use of the Certificate is harmful to the business of GlobalSign or Relying Parties.

 

When considering whether Certificate usage is harmful to GlobalSign’s business, GlobalSign considers, among other things, the following:

  • The nature and number of complaints received;
  • The identity of the complainant(s);
  • Relevant legislation in force; and
  • Responses to the alleged harmful use from the Subscriber.

 

3.3 Key Generation

If Key Pairs are generated by GlobalSign on behalf of the Subscriber offered as PKCS#12 or AutoCSR options, or OneClickSSL plug-in is installed and executed by the Subscriber, GlobalSign will endeavor to use trustworthy systems in order to generate such Key Pairs, in which case, the following terms also apply:

GlobalSign will generate Key Pairs using a platform recognized as being fit for such purpose and will ensure that Private Keys are encrypted if transported to the Subscriber,

GlobalSign will use a key length and algorithm which is recognized as being fit for the purpose of Digital Signature.

 

3.4 Site Seal Services for SSL/TLS Certificates and OCSP/CRL Responses

GlobalSign permits the Applicant to make use of GlobalSign’s site seal on the Applicant’s web site with a maximum daily rate of five hundred thousand (500,000) impressions per day. GlobalSign reserves the right to limit or stop the availability of the seal if this limit is exceeded.

GlobalSign provides a 24x7 service to check the validity of an issued Certificate either through an OCSP responder or CRL. A maximum daily rate of five hundred thousand (500,000) validations per Certificate per day is set. GlobalSign reserves the right to enforce OCSP stapling if this limit is exceeded.

 

3.5 Timestamping Services for Code Signing Certificate

GlobalSign offers the ability to timestamp code signed with a Code Signing Certificate as a non-chargeable service provided the service is used reasonably. GlobalSign establishes a limit of a reasonable number of timestamps for the validity period of the Code Signing Certificate and reserves the right to withdraw the service or charge additional fees for the service where the volume of timestamps is deemed excessive by GlobalSign.

 

3.6 Timestamping Services for PDF Signing for Adobe CDS Certificate

GlobalSign offers the ability to timestamp Portable Document Format (PDF) documents as a paid GlobalSign service. The number of signatures per year allowed by this service is established during the application process. GlobalSign reserves the right to withdraw the service or charge additional fees for the service where the volume of time stamps is in excess of the agreed limit.

 


 

4.0 Subscriber's Obligations and Warranties

Subscribers and/or Applicants warrant for the benefit of GlobalSign and the Certificate Beneficiaries that:

 

4.1 Accuracy of Information

Subscriber will provide accurate and complete information at all times to GlobalSign, both in the Certificate Request and as otherwise requested by GlobalSign in connection with issuance of a Certificate;

 

4.2 Protection of Private Key

Applicant shall take all reasonable measures to maintain sole control of, keep confidential, and properly protect at all times the Private Key to be included in the requested Certificate(s) and any associated activation data or device, e.g. password or token;

4.3 Acceptance of Certificate

Subscriber shall review and verify the Certificate contents for accuracy;

 

4.4 Use of Certificate

Subscriber shall install the Certificate only on servers that are accessible at the subjectAltName(s) listed in the Certificate, and use the Certificate solely in compliance with all applicable laws and solely in accordance with the Subscriber Agreement or Terms of Use. In the event a Certificate is used to sign a PDF, the Subscriber shall maintain information that permits a determination of who approved the signature of a particular document. Under no circumstances must the Certificate be used for criminal activities such as phishing attacks, fraud, certifying or signing malware.

In the case of EV Code Signing Certificates, Subscriber accepts additional obligations and warrants to not knowingly sign software that contains Suspect Code and to use the EV Code Signing Certificate as follows:

  1. Only to sign code that complies with the requirements set forth in the latest version of the CA/Browser Forum Guidelines for the Issuance and Management of Extended Validation Code Signing Certificates;
  2. Solely in compliance with all applicable laws;
  3. Solely for authorized company business; and
  4. Solely in accordance with this Agreement.

If GlobalSign becomes aware (by whatever means) that it has signed code that contains malicious software or a serious vulnerability, the Signing Authority must immediately inform GlobalSign.

 

4.5 Reporting and Revocation:

Subscriber shall promptly cease use of a Certificate and its associated Private Key, and promptly request GlobalSign to revoke the Certificate, in the event that: (a) any information in the Certificate is, or becomes, incorrect or inaccurate, or (b) there is any actual or suspected misuse or Compromise of the Subscriber’s Private Key associated with the Public Key in the Certificate;

 

4.6 Termination of Use of Certificate:

Subscriber shall promptly cease use of Private Key associated with the Public Key in the Certificate upon revocation of that Certificate;

 

4.7 Responsiveness

Subscriber shall respond to GlobalSign’s instructions concerning Compromise or Certificate misuse within forty-eight (48) hours;

 

 

4.8 Acknowledgement and Acceptance

Applicant acknowledges and accepts that GlobalSign is entitled to revoke the Certificate immediately if the Applicant violates the terms of the Subscriber Agreement or Terms of Use or if GlobalSign discovers that the Certificate is being used to enable criminal activities such as phishing attacks, fraud, or the distribution of malware.

 

4.9 Exclusive Domain Control for SSL/TLS Digital Certificate

The Subscriber acknowledges and asserts that s/he has exclusive control of the domain(s) or IP Address listed in the SubjectAltName(s) for which s/he is applying for the SSL/TLS Certificate. Should exclusive control cease for any domain(s), the Subscriber acknowledges that s/he will promptly inform GlobalSign in accordance with the obligations of the 'Reporting and Revocation' section below.

 

4.10 Exclusive e-mail Control for PersonalSign Digital Certificate

The Subscriber acknowledges and asserts that they have exclusive control of the e-mail address for which they are applying for a PersonalSign Certificate. Should exclusive control cease for any e-mail address(es), the Subscriber acknowledges that they will promptly inform GlobalSign in accordance with the obligations of the 'Reporting and Revocation' section below.

 

4.11 Key Generation and Usage

4.11.1 Where Key Pairs are generated by the Subscriber or the Certificate Requester, trustworthy systems must be used in order to generate Key Pairs, in which case, the following terms also apply:

  • Key Pairs must be generated using a platform recognized as being fit for such purpose. In the case of PDF Signing for Adobe CDS and EV Code Signing, this must be FIPS 140-2 Level 2 compliant,
  • A key length and algorithm must be used which is recognized as being fit for the purpose of Digital Signature, and
  • The Subscriber shall ensure that the Public Key submitted to GlobalSign correctly corresponds to the Private Key used.

4.11.2 Where Key Pairs are generated in hardware (as required by the CPS):

  • The Subscriber must maintain processes, including, without limitation, changing of activation data, that assure that each Private Key within a hardware security module (HSM) or token can be used only with the knowledge and explicit action of the “Certificate Custodian”,
  • The Subscriber must ensure that the Certificate Custodian has received security training appropriate for the purposes for which the Certificate is issued, and
  • Certificate Custodians undertake to take all reasonable measures necessary to maintain sole control of, keep confidential, and properly protect at all times the Private Key that corresponds to the Public Key to be included in the requested Certificate as well as any associated authentication mechanism to access the key - e.g., password to a token or HSM.

 

4.12 Reporting and Revocation

The Subscriber undertakes to promptly cease use of the Certificate and its associated Private Key, and promptly request GlobalSign to revoke the Certificate, upon the occurrence of any of the events identified in section 3.2. above.

 

4.13 NAESB Obligations

Subscribers for NAESB Certificates acknowledge their understanding of the following obligations of the NAESB Wholesale Electric Quadrant Business Practice Standards WEQ-012 (the “WEQ PKI Standards”):

Subscribers participating in the WEQ PKI Standards shall be required to be registered in the NAESB EIR and furnish proof that they are an entity authorized to engage in the wholesale electricity industry. Entities or organizations that may require access to applications using authentication specified under the WEQ PKI Standards, but do not qualify as a wholesale electricity market participant (e.g., regulatory agencies, universities, consulting firms, etc.) must register.

Registered end entities and the user community they represent shall be required to meet all end entity obligations in the WEQ PKI Standards.

Each Subscriber organization shall certify to their certification entity that they have reviewed and acknowledge the following WEQ PKI Standards.

  1. Subscriber acknowledges the electric industry’s need for secure private electronic communications that facilitate the following purposes:
    • Privacy: The assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended;
    • Authentication: The assurance to one entity that another entity is who he/she/it claims to be;
    • Integrity: The assurance to an entity that data has not been altered (intentionally or unintentionally) between “there” and “here,” or between “then” and “now”; and
    • Non-Repudiation: A party cannot deny having engaged in the transaction or having sent the electronic message.
  2. Subscriber acknowledges the industry’s endorsement of Public Key cryptography which utilizes Certificates to bind a person’s or computer system’s Public Key to its entity and to support symmetric encryption key exchange.
  3. Subscriber has evaluated GlobalSign’s CPS in light of those industry standards as identified by GlobalSign.

Subscribers shall be obligated to register their legal business identification and secure an “Entity Code” that will be published in the NAESB EIR and used in all Subscriber applications submitted by, and Certificates issued to, that end entity.

Subscribers shall also be required to comply with the following requirements:

  • Protect their Private Keys from access by other parties.
  • Identify, through the NAESB EIR, that they have selected GlobalSign to use as their ACA.
  • Execute all agreements and contracts with GlobalSign as required by GlobalSign’s CPS necessary for GlobalSign to issue Certificates to the end entity for use in securing electronic communications.
  • Comply with all obligations required and stipulated by GlobalSign in its CPS, e.g., Certificate application procedures, Applicant identity proofing/verification, and Certificate management practices.
  • Confirm that it has a Certificate management program, has trained all affected employees in that program, and has established controls to ensure compliance with that program. This program shall include, but is not limited to:
    • Certificate Private Key security and handling policy(ies)
    • Certificate revocation policy(ies)
  • Identify the type of Subscriber (i.e., individual, role, device or application) and provide complete and accurate information for each Certificate Request.

 

5.0 Permission to Publish Information

The Subscriber agrees that GlobalSign may publish the serial number of the Subscriber's Certificate in connection with GlobalSign dissemination of CRLs and possibly OCSP within and outside the GlobalSign hierarchy.

 


 

6.0 GlobalSign Limited Warranty

EXCEPT TO THE EXTENT PROHIBITED BY LAW OR AS OTHERWISE PROVIDED HEREIN, GLOBALSIGN DISCLAIMS ALL WARRANTIES INCLUDING ANY WARRANTY OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

TO THE EXTENT GLOBALSIGN HAS ISSUED AND MANAGED THE CERTIFICATE IN ACCORDANCE WITH THE BASELINE REQUIREMENTS AND THE CPS, GLOBALSIGN SHALL NOT BE LIABLE TO THE SUBSCRIBER, RELYING PARTY OR ANY THIRD PARTIES FOR ANY LOSSES SUFFERED AS A RESULT OF USE OR RELIANCE ON SUCH CERTIFICATE. OTHERWISE, GLOBALSIGN’S LIABILITY TO THE SUBSCRIBER, RELYING PARTY OR ANY THIRD PARTIES FOR ANY SUCH LOSSES SHALL IN NO EVENT EXCEED ONE THOUSAND DOLLARS ($1,000) PER CERTIFICATE; PROVIDED HOWEVER THAT THE LIMITATION SHALL BE TWO THOUSAND DOLLARS ($2,000) PER CERTIFICATE FOR AN EV CERTIFICATE OR AN EV CODE SIGNING CERTIFICATE.

THIS LIABILITY CAP LIMITS DAMAGES RECOVERABLE OUTSIDE OF THE CONTEXT OF THE GLOBALSIGN WARRANTY POLICY. AMOUNTS PAID UNDER THE WARRANTY POLICY ARE SUBJECT TO THEIR OWN LIABILITY CAPS.

IN NO EVENT SHALL GLOBALSIGN BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF PROFITS, LOSS OF DATA OR OTHER INDIRECT, INCIDENTAL, CONSEQUENTIAL DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE, DELIVERY, RELIANCE UPON, LICENSE, PERFORMANCE OR NON PERFORMANCE OF CERTIFICATES, DIGITAL SIGNATURES OR ANY OTHER TRANSACTIONS OR SERVICES OFFERED OR CONTEMPLATED BY THIS CPS.

THIS LIABILITY LIMITATION SHALL BE THE SAME REGARDLESS OF THE NUMBER OF DIGITAL SIGNATURES, TRANSACTIONS, OR CLAIMS RELATED TO SUCH CERTIFICATE.

 


 

7.0 Term and Termination

This agreement shall terminate at the earliest of:

 


 

8.0 Effect of termination

Upon termination of this Agreement for any reason, GlobalSign may revoke the Subscriber’s Certificate in accordance with GlobalSign procedures. Upon revocation of the Subscriber's Certificate for any reason, all authority granted to the Subscriber pursuant to Section 2 shall terminate. Such termination shall not affect Sections 4, 5, 6, 8 and 9 of this Agreement, which shall continue in full force and effect to the extent necessary to permit the complete fulfillment thereof.

 


 

9.0 Miscellaneous Provisions

9.1 Governing Laws

If the contracting party is GMO GlobalSign Limited, this Agreement shall be governed by, construed under and interpreted in accordance with the laws of England and Wales without regard to its conflict of law provisions. Venue shall be in the courts of England.

If the contracting party is GMO GlobalSign, Inc., this Agreement shall be governed by, construed under and interpreted in accordance with the laws of the State of New Hampshire U.S.A. without regard to its conflict of law provisions. Venue shall be in the courts of the New Hampshire State.

If the contracting party is GMO GlobalSign Pte. Ltd., this Agreement shall be governed by, construed under and interpreted in accordance with the laws of Singapore without regard to its conflict of law provisions. Venue shall be in the courts of Singapore.

If the contracting party is GMO GlobalSign Certificate Services Pvt. Ltd, this Agreement shall be governed by, construed under and interpreted in accordance with the laws of India and the related State laws without regard to its conflict of law provisions. Venue shall be in the courts of India.

If the contracting party is GMO GlobalSign Russia LLC, this Agreement shall be governed by, construed under and interpreted in accordance with the law of Russian Federation without regard to its conflict of law provisions. Venue shall be in the courts of Russian Federation.

 

9.2 Binding Effect

Except as otherwise provided herein, this Agreement shall be binding upon, and inure to the benefit of, the successors, executors, heirs, representatives, administrators and assigns of the parties hereto. Neither this Agreement nor the Subscriber's rights in the Certificate shall be assignable by the Subscriber. Any such purported assignment or delegation shall be void and of no effect and shall permit GlobalSign to terminate this Agreement.

 

9.3 Entire Agreement

This Agreement, along with all documents referenced herein, any product or service agreement, and the reseller agreement (if you are a reseller) constitute the entire agreement between the parties and supersedes any prior oral or written agreements, commitments, understandings, or communications with respect to the subject matter of this Agreement.

This Agreement specifically names Microsoft as an express third-party beneficiary for Code Signing and Extended Validation Code Signing Certificates.

 

9.4 Severability

If any provision of this Agreement, or the application thereof, shall for any reason and to any extent, be invalid or unenforceable, the remainder of this Agreement and application of such provision to other persons or circumstances shall be interpreted so as best to reasonably effect the intent of the parties hereto. IT IS EXPRESSLY UNDERSTOOD AND AGREED THAT EACH AND EVERY PROVISION OF THIS AGREEMENT WHICH PROVIDES FOR A LIMITATION OF LIABILITY, DISCLAIMER OF WARRANTIES OR EXCLUSION OF DAMAGES IS INTENDED BY THE PARTIES TO BE SEVERABLE AND INDEPENDENT OF ANY OTHER PROVISION AND TO BE ENFORCED AS SUCH.

 

9.5 Notices

Whenever Subscriber desires or is required to give any notice, demand, or request to GlobalSign with respect to this Agreement, each such communication shall be in writing and shall be effective only if it is delivered by a courier service that confirms delivery in writing or mailed, certified or registered mail, postage prepaid, return receipt requested, addressed to GlobalSign at one of our International offices as listed at www.globalsign.com/company/contact.html , Attention: Legal department. Such communications shall be effective when they are received.

 

9.6 Permission to utilize third party databases.

For natural persons, GlobalSign may validate items such as name, address and other personal information supplied during the application against appropriate third party databases. By entering into this Agreement, the Subscriber consents to such checks being made. In performing these checks, personal information provided by the Subscriber may be disclosed to registered credit reference agencies, which may keep a record of that information. Such check is done only to confirm identity, and as such, a credit check is not performed. The Subscriber’s credit rating will not be affected by this process.

If the contracting party is GMO GlobalSign Russia LLC, GlobalSign may, for natural persons, validate items such as name, address and other personal information supplied during the application. By entering into this Agreement, the Subscriber consents to their personal data being processed by GlobalSign in the following ways: collecting, classifying, processing, storing, editing, using, depersonalizing, blocking and deleting, as stated by Russian Federal Law FZ-No.152 at 27.07.2006, as well as transferring to third parties in cases established by regulations of the higher authorities and the law.

 

9.7 Trade Names, Logos.

By reason of this Agreement or the performance hereof, Subscriber and GlobalSign shall acquire no rights of any kind in any trademark, brand name, logo or product designation of the other party and shall not make any use of the same for any reason except as otherwise authorized in writing by the party which owns all rights to such trademarks, trade names, logos or product designation.

 


 

10.0 NOTICE

The Subscriber must notify GlobalSign through any of our international offices listed on www.globalsign.com/company/contact.html immediately if there is an error in the Certificate. If Subscriber fails to do so within seven (7) days from receipt, the Certificate shall be deemed accepted. GlobalSign shall provide refunds pursuant to its “GlobalSign Refund Policy” published at http://www.globalsign.com/repository/

 


 
