FAQs: Domain Names and SSL Certificates (DOC-20-Domain Names and SSL Certificates)
See information below about the Georgia Technology Authority’s involvement with domain names and SSL certificates. Should you have questions not addressed here, please email GTA’s Steve Nichols or Brent Palladino.
Which domain names does GTA manage?
The second-level domains georgia.gov and ga.gov, along with the legacy domain state.ga.us.
What is GTA’s responsibility related to georgia.gov and ga.gov?
As manager of the two domains, GTA authorizes usage of any third- and subsequent-level domain names (e.g., dor.georgia.gov, gtc.dor.georgia.gov) under the georgia.gov and ga.gov second-level domains. Any such sub-domains must be registered and approved through GTA.
What’s the difference (generally) between georgia.gov and ga.gov domains?
georgia.gov -- Used for public-facing websites.
ga.gov -- Used for internal applications, including email.
That said, not all agencies follow this convention, and constituents are unlikely to differentiate between georgia.gov and ga.gov. So, if you were setting up gateway.georgia.gov, for example, it would be advisable also to set up gateway.ga.gov and have it point to gateway.georgia.gov.
Who can request a subdomain of georgia.gov and/or ga.gov?
State of Georgia government entities only. Further, any of those entities might request a subdomain for a statewide program (e.g., eligibility for assistance programs at medicaid.georgia.gov, the state broadband program at broadband.georgia.gov).
How do you request a subdomain of georgia.gov and/or ga.gov?
Contact your Agency Relationship Manager (ARM). A listing of ARMs by agency is available at https://gta.georgia.gov/find-your-agency-relationship-manager.
Can you request other second-level .gov domains through GTA?
No, the .gov domain is administered by the federal General Services Administration (GSA). Requests for other second-level .gov domains must be routed through the GSA at dotgov.gov. The GSA requires approval from the state CIO or the governor before granting a second-level .gov domain. GTA’s policy is not to approve any new second-level .gov domains.
Can you request a new domain on state.ga.us?
Generally we discourage this, but we will consider such requests on a case-by-case basis.
What is GTA’s role in SSL certificates for georgia.gov and ga.gov domains?
GTA doesn’t resell certificates or hold any contracts with certificate authorities. All certificate authorities (e.g., DigiCert, Verisign, GoDaddy) must verify the legitimacy of a certificate requestor before issuing an SSL certificate, and they do so by contacting the domain owner. For georgia.gov and ga.gov names, that means the certificate provider must secure signoff from GTA as the domain owner.
How do SSL certificate authorities verify legitimacy of certificate requestors?
The certificate provider will contact the .GOV Helpdesk at 877-734-4688 to learn the Administrative Point Of Contact information for the domain of interest. That helpdesk is operated by the General Services Administration, which provides POC information verbally, not in writing. Then, the certificate provider contacts the Administrative Point of Contact to seek signoff for issuing an SSL certificate. See the verification process outlined at https://www.dotgov.gov/portal/web/dotgov/domain-guidelines.
Would a certificate authority ever try contacting GTA without having gone through the .GOV Helpdesk?
Occasionally a certificate provider will simply guess at the likely domain owner contact information and send emails to addresses like admin@, administrator@, hostmaster@, postmaster@, or webmaster@ requesting signoff for an SSL certificate. Be aware that if you’re dealing with a certificate provider who is guessing, you’ll want to get in touch with GTA and let us know where to look for the validation email.
How can you help expedite your request for an SSL certificate?
Notify GTA’s Steve Nichols or Brent Palladino you have requested an SSL certificate from a particular certificate provider. GTA can then be on the lookout for a request for signoff from that provider.
Is https preferred to http for any new third- or fourth-level georgia.gov and ga.gov domains?
Yes. The SSL certificate that accompanies https provides needed security through encryption. Best practice is to default all traffic to https. Browsers now flag http traffic as dangerous and prompt warning messages for end users (example: https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/). The federal government has set a policy that “all publicly accessible Federal websites and web services only provide service through a secure connection.” (https://https.cio.gov/)
What naming conventions apply for new domains?
- The requesting entity is responsible for ensuring it has a right to use the requested domain name.
- Permissible characters are letters (all lowercase) and digits. No hyphens.
- Obscene names are not permitted.
- Names should take the form "yourorg.georgia.gov" and "yourorg.ga.gov" where "yourorg" is a string of characters (usually an acronym). Also, "yourorg" should be fewer than 10 characters.
- Third- and subsequent-level domain names may not use “georgia” again. For example, georgia.dot.georgia.gov would not be permitted.
- Fourth-level domains are usually reserved for divisions and offices within the entity registering the third-level domain, and should be used for entire portions of websites.
- Individual webpages should have specific addresses (e.g., https://gta.georgia.gov/gta-services) and should not be represented by an entire sub-domain.
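As an added illustration (this is not GTA's code or tooling), the conventions above can be expressed as a small checker that an agency could run over a candidate name before submitting a request. The legacy state.ga.us domain is left out by assumption, and the rule about individual web pages is omitted because it cannot be checked mechanically.

```python
import re

# Conventions from the FAQ, encoded as a checker. Added example; not GTA code.
# Assumption: only the two managed parents named on the page are covered.
MANAGED_PARENTS = ("georgia.gov", "ga.gov")
MAX_ORG_LEN = 10                        # "yourorg" should be fewer than 10 characters
LABEL_RE = re.compile(r"[a-z0-9]+")     # lowercase letters and digits only; no hyphens


def check_subdomain(name: str) -> list[str]:
    """Return the convention violations for a candidate name; an empty list means it passes."""
    name = name.rstrip(".")
    parent = next((p for p in MANAGED_PARENTS if name.endswith("." + p)), None)
    if parent is None:
        return [f"{name!r} is not a subdomain of georgia.gov or ga.gov"]

    # Everything left of the managed parent: labels[-1] is the third-level
    # "yourorg" label; anything before it is fourth level and beyond.
    labels = name[: -len(parent) - 1].split(".")
    problems = []
    for label in labels:
        if not LABEL_RE.fullmatch(label):
            problems.append(f"label {label!r} must be lowercase letters and digits only (no hyphens)")
        if label == "georgia":
            problems.append(f"label {label!r} re-uses 'georgia' below the second level")
    org = labels[-1]
    if len(org) >= MAX_ORG_LEN:
        problems.append(f"third-level label {org!r} should be fewer than {MAX_ORG_LEN} characters")
    return problems


if __name__ == "__main__":
    for candidate in ("dor.georgia.gov", "gtc.dor.georgia.gov",
                      "georgia.dot.georgia.gov", "My-Org.ga.gov", "example.com"):
        print(candidate, "->", check_subdomain(candidate) or "OK")
```

The checker is deliberately strict about case: DNS itself is case-insensitive, but the convention is about how the name is written in the request.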
Can an agency manage its own DNS and still have a ga.gov or georgia.gov subdomain?
No. For any DNS servers that are not managed by GTA or GTA’s service providers, no third-level or subsequent-level domains or zones will be delegated and no zone transfers will be allowed.
Can an application managed by a third party use a ga.gov or georgia.gov subdomain?
Yes. DNS CNAME records will be allowed on the GTA-managed DNS servers, so an alias name can point to domain name space that is not registered or managed by GTA. Note that zone root names such as agency.georgia.gov may be incompatible with CNAME usage if they are also a zone apex (aka root domain, bare domain): the apex must carry SOA and NS records, and the DNS standard (RFC 1033) does not allow a CNAME to coexist with other records at the same name. In those cases it is recommended to use a server name (e.g., www.agency.georgia.gov) and not rely on the bare root name.
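The apex restriction, as an added example that is not part of the FAQ: a minimal zone-file lint over a constructed sample zone (the host names and address are invented) that flags any owner name holding a CNAME alongside other record types, which is what RFC 1034 section 3.6.2 forbids. Because the apex always carries SOA and NS records, aliasing agency.georgia.gov itself is exactly the conflict described above, while the www host passes.

```python
from collections import defaultdict

# Constructed sample zone (not a real GTA zone): the agency wants the bare
# name to alias a vendor-hosted application, which collides with the SOA/NS
# records that every zone apex must carry. SOA is kept on one line.
SAMPLE_ZONE = """\
$ORIGIN agency.georgia.gov.
@       IN  SOA    ns1.georgia.gov. hostmaster.georgia.gov. 2024010101 3600 900 604800 300
@       IN  NS     ns1.georgia.gov.
@       IN  NS     ns2.georgia.gov.
@       IN  CNAME  app.vendor-cloud.example.   ; the problematic record
www     IN  CNAME  app.vendor-cloud.example.   ; the recommended form
portal  IN  A      203.0.113.10
"""


def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Tiny parser for one-record-per-line zone data: (owner, type, rdata) tuples.

    Supports $ORIGIN, '@', relative owner names and an optional IN class;
    TTLs and multi-line records are out of scope for this illustration.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, rtype, rdata))
    return records


def cname_conflicts(records) -> dict[str, list[str]]:
    """Owner names that hold a CNAME next to any other record type."""
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    return {owner: sorted(types) for owner, types in types_by_owner.items()
            if "CNAME" in types and len(types) > 1}


if __name__ == "__main__":
    for owner, types in cname_conflicts(parse_zone(SAMPLE_ZONE)).items():
        print(f"{owner}: CNAME cannot coexist with {', '.join(t for t in types if t != 'CNAME')}")
```

Running it reports only the apex; the fix is to drop the apex CNAME and publish the service under www.agency.georgia.gov (or another host name), as the FAQ recommends.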
How do you order and validate an SSL certificate for a fourth-level domain (of the form service.agency.ga.gov or service.agency.georgia.gov)?
For fourth-level domains, discuss validation options before ordering. If you choose domain validation by email, being fourth-level may cause verification delays, since the certificate authority (CA) won’t be able to use a WHOIS query to determine the domain owner at the third (parent) level. Common practice among CAs is to guess the generic email addresses commonly used at the third-level domain. For example, the CA might email email@example.com or firstname.lastname@example.org to validate ownership for a certificate request for service.agency.georgia.gov. To avoid delays, either adjust the validation process for each order so that a named user receives the domain validation request, or create the generic mailboxes your CA is likely to use.
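Both the guessed-address situation described earlier and the fourth-level case above come down to knowing which mailboxes a CA may try. As an added example (not GTA tooling), the script below lists, for a requested name, the constructed domain-contact addresses defined in the CA/Browser Forum Baseline Requirements (section 3.2.2.4.4), which use exactly the five local parts named in this FAQ at the name itself and at each parent down to the second-level domain, and then reports which of the agency-level ones are not yet routed to anyone. The set of already-routed mailboxes is a constructed input.

```python
# Local parts CAs use for "constructed" domain-contact email validation
# (CA/Browser Forum Baseline Requirements, section 3.2.2.4.4); these are the
# same addresses the FAQ says providers guess at. Added example, not GTA code.
CONSTRUCTED_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")
MANAGED_PARENTS = ("georgia.gov", "ga.gov")   # owned by GTA; mail there is GTA's to watch


def authorization_domains(fqdn: str) -> list[str]:
    """The requested name and each parent down to the GTA-managed second-level domain."""
    fqdn = fqdn.lower().rstrip(".")
    if not any(fqdn == p or fqdn.endswith("." + p) for p in MANAGED_PARENTS):
        raise ValueError(f"{fqdn!r} is not under georgia.gov or ga.gov")
    labels = fqdn.split(".")
    # Stop before the bare TLD: "gov" itself is never an authorization domain here.
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def candidate_validation_addresses(fqdn: str) -> list[str]:
    """Every constructed mailbox a CA may try while validating fqdn, most specific first."""
    return [f"{lp}@{dom}" for dom in authorization_domains(fqdn)
            for lp in CONSTRUCTED_LOCAL_PARTS]


def unrouted_addresses(fqdn: str, routed: set[str]) -> list[str]:
    """Candidates below the second-level domain that the agency does not deliver yet.

    Addresses at georgia.gov / ga.gov themselves are GTA's, so they are excluded;
    the FAQ asks you to tell GTA which provider to expect instead.
    """
    routed = {r.lower() for r in routed}
    return [addr for addr in candidate_validation_addresses(fqdn)
            if addr.split("@", 1)[1] not in MANAGED_PARENTS and addr not in routed]


if __name__ == "__main__":
    # Constructed sample: only two generic mailboxes exist at the agency level.
    existing = {"admin@agency.georgia.gov", "webmaster@agency.georgia.gov"}
    for addr in unrouted_addresses("service.agency.georgia.gov", existing):
        print("not routed:", addr)
```

Whoever reads these mailboxes can approve issuance for the name, so route them to the staff responsible for the domain (or choose a named-contact validation with the CA) rather than leaving them to be created ad hoc.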
Who at GTA can address additional questions about domain names and SSL certificates?