We use cookies to ensure you get the best experience.By using our website you agree to our Cookie Policy.
Accept cookie policy
    •
      Search
    •
    Menu
    Account

    Extended Validation

    Who doesn’t like to have a GREEN ADDRESS BAR branded with his organization name or trade name? Everyone wants to see their organization name in the address bar as it provides the assurance to visitors that the company is trustworthy and authenticated to deal with.

    But before Extended Validation (EV) Certificate issued, one need to go through the most rigorous validation process. For EV Certificate an essential part of the validation process is paperwork. At first, this will look little confusing and vague, but don’t fret…

    We've put together a detailed step-by-step guild to assist customers, which will walk you through the Extended Validation Certificate enrollment and validation requirements. This EV Validation guide will describe the essential information that must be collected and the verification process that must be followed.

    We recommend you read thoroughly this EV guide carefully to familiarize yourself with the EV SSL enrollment and validation requirements.

    But, before we jump over to EV enrollment and validation, we are going to shed some light on what validation is.

    What is Validation?

    This is a process followed by Certificate Authorities where they authenticate applicant's domain and business or individual identity before issuing an SSL Certificate. This validation process is like a Driver's License, or any official documents that provides the proof of your identity. The validation duration, procedures, and the documents required for validation may vary depending on the SSL Certificate type (DV, OV or EV).

    What is Extended Validation?

    Extended Validation or EV is the highest business level validation requires a company to comply with the rules and regulations set by the CA/B Forum - an association of Certificate Authorities and Web Browser vendors. It is a standard and rigorous way of verifying identity and information of the certificate requester.

    EV Certification Authorities

    In order to issue an EV Certificates an EV Certification Authorities must meet the requirements set by the CA/Browser Forum EV Guidelines.

    The CA/Browser Forum will do a pre-issuance audit in order to ensure that the CA knows and employs the procedures and processes required to issue EV Certificates.

    The CA must compliance to the issuance guidelines every year to issue Extended Validation Certificates. To be compliance with the guidelines, the EV CA must go through 3 audits, which are: WebTrust for CA, SSL Baseline Requirements, and WebTrust for EV.

    What are the EV Validation Process Steps?

    According to the EV guidelines, the Certificate Authority (CA) verifies the organization/company applying for the EV Certificate in a multi-step process. The following are the high-level requirements for EV Certificate enrollment and validation. We recommend you check the list carefully.

    Step 1:Subscriber Agreement (Acknowledgement Agreement/Certificate Enrollment Form)

    Step 2:Organization Authentication

    Step 3:Operational Existence

    Step 4:Physical Address Verification

    Step 5:Telephone Verification

    Step 6:Organizational Contact Employment and Authority Verification

    Step 7:Domain Authentication

    Step 8:Final Verification Call

    For Steps 2-6 :

    Recommended method:

    Online Government Database - The CA will attempt to check the official government website of your local municipality, country, state or city to verify information that publicly displayed about your organization. Please note that the information must match exactly as with enrollment details.

    Alternative method:

    The verification of steps 2-6 can be satisfied using a legal opinion letter (aka professional opinion letter) signed by a Lawyer/Attorney, a letter from a CPA (Certified Public Accountant), a letter from chartered accountant as an alternate method, in case if CA won't be able to verify the company details using the government/independent directory or database.

    Please remember, the CPA and Attorney whoever signs the letter should have a verified valid license with a valid phone number within the country, state or city where your organization is registered or where the organization have a physical operational office. The letter should have following details:

    • Legal name of the organization
    • Trade name or DBA name (if required)
    • Street address
    • Telephone number
    • Bank account – “Bank Name”, “Account Number”
    • Manual or digital signature
    • First and last name of the person who signed the letter

    To ensure your EV Certificate request is processed quickly by CA, we recommend you read each validation requirement steps carefully.

    Step 1: Subscriber Agreement (Acknowledgement Agreement/Certificate Enrollment Form)

    After enrollment, the organization contact listed in the certificate must accept and sign the EV Subscriber Agreement (aka "Acknowledgement Agreement"). This Acknowledgement Agreement is a must require document for the certificate issuance. There are two methods to do.

    Recommended method:

    Submit online - You will receive an email from CA containing a link to complete and submit it online.

    Alternative method:

    Email/Fax Paper version - You can sing and send it via an email to the CA or you can fax the paper version.

    Step 2: Organization Authentication

    During the verification, the CA will verify the identity of the organization that the applying business is real. They will verify the organization name and registration listed in the CSR (Certificate Signing Request) with the appropriate Government Registration Agency within your country, state, or city of jurisdiction. If your company runs under any trade name, assumed name or a DBA (doing business as) you will have to make sure that all the registrations are accurate and up to date.

    If CA unable to validate the organization details, additional documents may be required to verify the organization.

    Recommended method:

    Online Government Database – Normally, the CA verifies organization information via online Government databases. The CA checks at the authorized website of your country, state or city that openly shows your business registration status. It is very crucial that the details listed on that database must match the details you fill in your enrollment form.

    Alternative method:

    Official Registration Documents – You can submit official business registration documents that were issued by your local government, such document includes Articles of Incorporation, Chartered License, DBA Statement.

    Step 3: Operational Existence

    At this stage, the CA must verify that the enrolling organization has been operational for at least 3 years. If the organization has been registered and confirmed by the resource, you will satisfy the operational existence requirement. If CA fails, they may ask you to provide some other additional documents to prove operational existence of your organization. The following details can be accepted by the CA.

    Qualified Independent Information Source -

    The organization is registered with QIIS (Qualified Independent Information Source) such as Dun & Bradstreet database or Qualified Government Tax database

    Bank Statement -

    The enrolling organization has a current active demand deposit account with a regulated financial institution.

    Professional Opinion Letter -

    A POL (Professional Opinion Letter) aka Legal Opinion Letter from you attorney or a professional accountant.

    Step 4: Physical Address Verification

    Your organization must have physical presence in the registered country, state or city. The CA will verify the business address provided by the certificate requester in the enrollment form. The Certificate Authority checks a qualified independent information sources (e.g. D&B etc.) and a public phone directory to verify your place of business from where it conducts business operations.

    Please note that CA must verify the street address, city, state and country, the CA will not accept a Virtual Office, PO Box, Lock Box, an address for an agent of the Organization or "care of" address.

    Legal letter can be accepted if organization physical address information cannot be found through a qualified independent information sources and a public phone directory.

    Step 5: Telephone Verification

    Telephone Verification is rather a straightforward step of this entire process. All you need to really have is an active telephone number listing verifiable by any third-party directory accepted by the CA.

    As per the EV guidelines, the organization main telephone number can be verified through one of the independent information sources listed below:

    • Government database
    • A third-party public telephone listing (Dun and Bradstreet, Hoovers, Bloomberg, etc.)
    • A professional opinion letter (legal opinion letter signed by a CPA or attorney)

    If your organization main telephone number is not verified by CA through Government database or reliable third-party databases as mention above, we recommend you provide a legal opinion letter signed by your CPA or an attorney to the Certificate Authority.

    Step 6: Organizational Contact Employment and Authority Verification

    The CA will check and verify certificate requester employment check using the third-party sources. This verifies that the certificate applicant is a full-time employee of the certificate acquiring organization and is authorized to obtain a an EV Certificate on the behalf of the organization.

    The organizational contact employment and authority can be verified through one of the following:

    • A Lawyer’s opinion letter
    • A Corporate Resolution
    • Confirming the authority of the organizational contact by directly contacting the CEO, COO or similar executive. The CA will contact HR (Human Resources) department of organization in case they fail to contact CEO, COO, or similar executive.

    If the organizational contact is identified and verified with the government records online listing, then CA approves employment check without verifying the information described above.

    Step 7: Domain Authentication

    A domain authentication or domain control validation (DCV) is easy and simple process in EV validation. During this process, the CA checks and verifies that the Certificate Requester (Applicant) controls the domain(s) listed on the certificate. The domain control validation can be done via any of the one method listed below.

    Recommended method:

    Email based DCV -the CA sends an authorization email with instructions to the domain WHOIS listed email address, If the details in your WHOIS record are outdated or incorrect, or if a privacy setting is enabled, as an alternative, the CA will send the authentication link via email to any one of the five pre-approved email addresses (i.e. admin@, administrator@, webmaster@, hostmaster@, postmaster@) associated with the domain.

    Alternative method:

    CNAME based DCV -In this method, the CA will provide you a CNAME value and you're asked to add a CNAME record to your domain DNS settings. Once you add the provided DNS record, the CA will verify the domain control.

    HTTP/HTTPS file based DCV -This method requires you to upload a authentication file provided by the CA to domain's "/.well-known/pki-validation” folder. Once you upload the file the CA will verify the domain control.

    Step 8: Final Verification Call

    During this, the CA calls verified business telephone number registered with your organization. All the details acquired during the certificate enrollment are verified during this call.

    Recommended method:

    The CA speaks with the Certificate requester using the verified business telephone number. This is verified via a phone call to the person who signed the Subscriber Agreement.

    Alternative method:

    If the verified business telephone number is not the certificate requester's direct number, The CA will be able to work through your phone system if it uses extensions or IVR (Interactive Voice Response) to connect directly to you, or can either be transferred or obtain another telephone number from a colleague after initiating the call using the verified telephone number.

    Avoid Common Mistakes

    • Do not leave the correct organizational identifiers such as Inc, Corp, LLC, Ltd, Pty Ltd, etc. in the certificate organization name
    • Do not abbreviate any part of the organization name
    • Do not use PO Box address for your organization, use physical location address
    • Appointing an organizational contact who is unavailable to respond to inquiries in a timely manner.
    • Not specifying a FQDN (Fully Qualified Domain Name) in the Common Name field. (Remember, an EV Certificate can't be issued to intranet site or IP addresses)

    Tips to Make Validation Easier

    • Use the legal registered organization name. Do not use the trade name or DBA (Doing Business As) as the legal name of the organization
    • A DBA/trade name can be listed on the certificate with the legal organization name, but it must be legally registered in a government agency
    • Use the actual physical address (not PO Box, Lock Box, "care of" address, virtual office address, or an agent address) where the organization conducts business

    Pass Validation Quickly - Golden Rules

    We have know-how of doing validation quickly and easily since we have significant practical knowledge and experience in business validation.

    • Get a DUNS number, it is FREE. Having a DUNS number will satisfy most of the validation requirements (e.g. verify an address, company legal existence, and even phone verification).
    • Get your FREE listing on Yellow Pages digital network.

    Validation Processing Time

    Normally, EV Certificates are issued within 2-3 business days without requiring submitting any additional documents, if valid organization details are listed in a verifiable and reliable database (government, D&B etc.) or a Legal/Professional Opinion Letter.

    Nevertheless, extended validation certificate issuance time may increase based on the additional document requirement and availability of the organization information. The CA usually takes around 1-2 business day to process each email, document submission or fax received from a customer.

    Having all this handy, you should be all set to proceed with Certificate activation. If you feel stuck and need any help with the validation process, please contact us.

    We always welcome feedback or comments from our customers and site visitors. Let us know, if your questions or doubts are not covered here.