A licensed certification authority may issue a certificate to a subscriber only after all of the following conditions are satisfied:
(1) the certification authority has received a request for issuance signed by the prospective subscriber;
(2) the prospective subscriber or the prospective subscriber's duly authorized agent must appear before the licensed certification authority to present the request; and
(3) the certification authority has confirmed that:
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber duly authorized each agent to have custody of the subscriber's private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature;
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber; and
(vii) the certificate provides information sufficient to locate or identify one or more repositories in which notification of the revocation or suspension of the certificate will be listed if the certificate is suspended or revoked.
The requirements of this subdivision may not be waived or disclaimed by either the licensed certification authority, the subscriber, or both.
If the subscriber accepts the issued certificate, the licensed certification authority shall publish a signed copy of the certificate in a recognized repository, as the certification authority and the subscriber named in the certificate may agree, unless a contract between the certification authority and the subscriber provides otherwise. If the subscriber does not accept the certificate, a licensed certification authority shall not publish it, or shall cancel its publication if the certificate has already been published.
Nothing in this section precludes a licensed certification authority from conforming to standards, certification practice statements, security plans, or contractual requirements more rigorous than, but nevertheless consistent with, this chapter.
After issuing a certificate, a licensed certification authority shall revoke it immediately upon confirming that it was not issued as required by this section. A licensed certification authority may also suspend a certificate that it has issued for a reasonable period not exceeding 48 hours as needed for an investigation to confirm grounds for revocation under this subdivision. The certification authority shall give notice to the subscriber as soon as practicable after a decision to revoke or suspend under this subdivision.
The secretary may order the licensed certification authority to suspend or revoke a certificate that the certification authority issued if, after giving any required notice and opportunity for the certification authority and subscriber to be heard in accordance with the Administrative Procedure Act, chapter 14, the secretary determines that:
(1) the certificate was issued without substantial compliance with this section; and
(2) the noncompliance poses a significant risk to persons reasonably relying on the certificate.
Upon determining that an emergency requires an immediate remedy, and in accordance with the Administrative Procedure Act, chapter 14, the secretary may issue an order suspending a certificate for a period not to exceed 96 hours.