Who doesn’t like to have a GREEN ADDRESS BAR branded with his organization name or trade name? Everyone wants to see their organization name in the address bar as it provides the assurance to visitors that the company is trustworthy and authenticated to deal with.
But before Extended Validation (EV) Certificate issued, one need to go through the most rigorous validation process. For EV Certificate an essential part of the validation process is paperwork. At first, this will look little confusing and vague, but don’t fret…
We've put together a detailed step-by-step guild to assist customers, which will walk you through the Extended Validation Certificate enrollment and validation requirements. This EV Validation guide will describe the essential information that must be collected and the verification process that must be followed.
We recommend you read thoroughly this EV guide carefully to familiarize yourself with the EV SSL enrollment and validation requirements.
But, before we jump over to EV enrollment and validation, we are going to shed some light on what validation is.
This is a process followed by Certificate Authorities where they authenticate applicant's domain and business or individual identity before issuing an SSL Certificate. This validation process is like a Driver's License, or any official documents that provides the proof of your identity. The validation duration, procedures, and the documents required for validation may vary depending on the SSL Certificate type (DV, OV or EV).
Extended Validation or EV is the highest business level validation requires a company to comply with the rules and regulations set by the CA/B Forum - an association of Certificate Authorities and Web Browser vendors. It is a standard and rigorous way of verifying identity and information of the certificate requester.
In order to issue an EV Certificates an EV Certification Authorities must meet the requirements set by the CA/Browser Forum EV Guidelines.
The CA/Browser Forum will do a pre-issuance audit in order to ensure that the CA knows and employs the procedures and processes required to issue EV Certificates.
The CA must compliance to the issuance guidelines every year to issue Extended Validation Certificates. To be compliance with the guidelines, the EV CA must go through 3 audits, which are: WebTrust for CA, SSL Baseline Requirements, and WebTrust for EV.
According to the EV guidelines, the Certificate Authority (CA) verifies the organization/company applying for the EV Certificate in a multi-step process. The following are the high-level requirements for EV Certificate enrollment and validation. We recommend you check the list carefully.
Step 1:Subscriber Agreement (Acknowledgement Agreement/Certificate Enrollment Form)
Step 2:Organization Authentication
Step 3:Operational Existence
Step 4:Physical Address Verification
Step 5:Telephone Verification
Step 6:Organizational Contact Employment and Authority Verification
Step 7:Domain Authentication
Step 8:Final Verification Call
Online Government Database - The CA will attempt to check the official government website of your local municipality, country, state or city to verify information that publicly displayed about your organization. Please note that the information must match exactly as with enrollment details.
The verification of steps 2-6 can be satisfied using a legal opinion letter (aka professional opinion letter) signed by a Lawyer/Attorney, a letter from a CPA (Certified Public Accountant), a letter from chartered accountant as an alternate method, in case if CA won't be able to verify the company details using the government/independent directory or database.
Please remember, the CPA and Attorney whoever signs the letter should have a verified valid license with a valid phone number within the country, state or city where your organization is registered or where the organization have a physical operational office. The letter should have following details:
To ensure your EV Certificate request is processed quickly by CA, we recommend you read each validation requirement steps carefully.
After enrollment, the organization contact listed in the certificate must accept and sign the EV Subscriber Agreement (aka "Acknowledgement Agreement"). This Acknowledgement Agreement is a must require document for the certificate issuance. There are two methods to do.
Submit online - You will receive an email from CA containing a link to complete and submit it online.
Email/Fax Paper version - You can sing and send it via an email to the CA or you can fax the paper version.
During the verification, the CA will verify the identity of the organization that the applying business is real. They will verify the organization name and registration listed in the CSR (Certificate Signing Request) with the appropriate Government Registration Agency within your country, state, or city of jurisdiction. If your company runs under any trade name, assumed name or a DBA (doing business as) you will have to make sure that all the registrations are accurate and up to date.
If CA unable to validate the organization details, additional documents may be required to verify the organization.
Online Government Database – Normally, the CA verifies organization information via online Government databases. The CA checks at the authorized website of your country, state or city that openly shows your business registration status. It is very crucial that the details listed on that database must match the details you fill in your enrollment form.
Official Registration Documents – You can submit official business registration documents that were issued by your local government, such document includes Articles of Incorporation, Chartered License, DBA Statement.
At this stage, the CA must verify that the enrolling organization has been operational for at least 3 years. If the organization has been registered and confirmed by the resource, you will satisfy the operational existence requirement. If CA fails, they may ask you to provide some other additional documents to prove operational existence of your organization. The following details can be accepted by the CA.
The organization is registered with QIIS (Qualified Independent Information Source) such as Dun & Bradstreet database or Qualified Government Tax database
The enrolling organization has a current active demand deposit account with a regulated financial institution.
A POL (Professional Opinion Letter) aka Legal Opinion Letter from you attorney or a professional accountant.
Your organization must have physical presence in the registered country, state or city. The CA will verify the business address provided by the certificate requester in the enrollment form. The Certificate Authority checks a qualified independent information sources (e.g. D&B etc.) and a public phone directory to verify your place of business from where it conducts business operations.
Please note that CA must verify the street address, city, state and country, the CA will not accept a Virtual Office, PO Box, Lock Box, an address for an agent of the Organization or "care of" address.
Legal letter can be accepted if organization physical address information cannot be found through a qualified independent information sources and a public phone directory.
Telephone Verification is rather a straightforward step of this entire process. All you need to really have is an active telephone number listing verifiable by any third-party directory accepted by the CA.
As per the EV guidelines, the organization main telephone number can be verified through one of the independent information sources listed below:
If your organization main telephone number is not verified by CA through Government database or reliable third-party databases as mention above, we recommend you provide a legal opinion letter signed by your CPA or an attorney to the Certificate Authority.
The CA will check and verify certificate requester employment check using the third-party sources. This verifies that the certificate applicant is a full-time employee of the certificate acquiring organization and is authorized to obtain a an EV Certificate on the behalf of the organization.
The organizational contact employment and authority can be verified through one of the following:
If the organizational contact is identified and verified with the government records online listing, then CA approves employment check without verifying the information described above.
A domain authentication or domain control validation (DCV) is easy and simple process in EV validation. During this process, the CA checks and verifies that the Certificate Requester (Applicant) controls the domain(s) listed on the certificate. The domain control validation can be done via any of the one method listed below.
Email based DCV -the CA sends an authorization email with instructions to the domain WHOIS listed email address, If the details in your WHOIS record are outdated or incorrect, or if a privacy setting is enabled, as an alternative, the CA will send the authentication link via email to any one of the five pre-approved email addresses (i.e. admin@, administrator@, webmaster@, hostmaster@, postmaster@) associated with the domain.
CNAME based DCV -In this method, the CA will provide you a CNAME value and you're asked to add a CNAME record to your domain DNS settings. Once you add the provided DNS record, the CA will verify the domain control.
HTTP/HTTPS file based DCV -This method requires you to upload a authentication file provided by the CA to domain's "/.well-known/pki-validation” folder. Once you upload the file the CA will verify the domain control.
During this, the CA calls verified business telephone number registered with your organization. All the details acquired during the certificate enrollment are verified during this call.
The CA speaks with the Certificate requester using the verified business telephone number. This is verified via a phone call to the person who signed the Subscriber Agreement.
If the verified business telephone number is not the certificate requester's direct number, The CA will be able to work through your phone system if it uses extensions or IVR (Interactive Voice Response) to connect directly to you, or can either be transferred or obtain another telephone number from a colleague after initiating the call using the verified telephone number.
We have know-how of doing validation quickly and easily since we have significant practical knowledge and experience in business validation.
Normally, EV Certificates are issued within 2-3 business days without requiring submitting any additional documents, if valid organization details are listed in a verifiable and reliable database (government, D&B etc.) or a Legal/Professional Opinion Letter.
Nevertheless, extended validation certificate issuance time may increase based on the additional document requirement and availability of the organization information. The CA usually takes around 1-2 business day to process each email, document submission or fax received from a customer.
Having all this handy, you should be all set to proceed with Certificate activation. If you feel stuck and need any help with the validation process, please contact us.
We always welcome feedback or comments from our customers and site visitors. Let us know, if your questions or doubts are not covered here.