This is not a technical issue.
We are doing business in Mongolia.
However, there are certain documents that banks in Mongolia require in order to add payment services to our site.
One of them is to prove that the SSL certificate applied to the site is trusted. It asks for "paper proof" from the certificate authority.
Can you help me with this?
Also, what do they mean by "trusted"? Trusted by browsers and/or OS? Let's Encrypt cannot directly influence that. Let's Encrypt requests addition of their root certificates into browser/OS root certificate stores, but in the end it's the discretion of the browser/OS to add the root cert or not.
As I said in the text, this isn't a technical issue- it's not about whether a web browser or OS can be trusted, it's about legal liability - it's about getting documentation that "Let's Encrypt" vouches for the our site's SSL certificates.
There is no insurance that I know of, but you should read the subscriber agreement about that. If there's an issue, you won't be the only one impacted. But if you need insurance you would need to get your own.
That also depends on what they actually require, but I think a copy of Let's Encrypt CPS could be what they're looking for.
That doesn't exist from LetsEncrypt. It may exist from commercial providers.
As to what this could mean...
LetsEncrypt only offers DV - domain validation - certificates, which only validate control of the domain. Some countries have required financial sites to have EV or OV certificates, which validate the organization as well. The country may want a paper statement saying the EV or OV work was done.
Because LetsEncrypt is a free, non-profit, automatic system - their staff do not have the resources to generate compliance documents for subscribers. Requests like this often come up and are ignored or rejected.
I would contact the regulatory agency and speak with them to go over options and explanations from their point of view.
There may also be something getting lost in translation.
(I mean, even if you're just talking about people who share a native language, it wouldn't be the first time that by the time the requirements got to the engineers, they didn't look anything like what was actually needed. Add possible language barriers to that and it gets even more challenging)