Validation Requirements for Getting EV SSL Certificate Issued

To Get an EV SSL Certificate Issued, You Have to Complete Mandatory Vetting Process

EV SSL Certificate is an excellent way to secure sensitive financial details of the customer like credit card details and bank account information. However, websites like banking or e-commerce dealing with customers' sensitive information must comply with PCI-DSS (Payment Card Industry Data Security Standard). Therefore, according to their policy, it's mandatory to have an EV SSL certificate installed.

Before an EV (Extended Validated) SSL certificate is issued for your website, you've to go through specific processes, one of which is to complete the mandatory vetting process. In this vetting process, your business legitimacy is verified by going through different details of your company. And once the validation process is completed, which takes around 1 to 5 business days, your EV SSL certificate is issued.

What's the Requirement to Get an EV SSL Certificate?

No matter which Certificate Authority you choose to buy an SSL certificate from, whether it's Sectigo, Comodo, or someone else, some basic requirement for validating an EV SSL certificate remains the same among all the certificate authorities of the world. The validation requirement isn't defined by the CA (Certificate Authority). Instead, it's defined by the CA/B (Certificate Authority and Browser) forum.

The CA/B Forum is a regulatory body of the CAs and companies that are behind popular web browsers. Likewise, they ensure SSL certificates behave and interact similarly with all the browsers. Likewise, they also have some baseline requirement which is mandatory for getting an EV SSL certificate issued.

Some of the requirements that you are required to satisfy are:

Filling Enrollment Form

The first requirement to get an EV SSL certificate is filling out and providing the Enrollment Form to the CA (Certificate Authority). The Enrollment Form, also called the Acknowledgement of Agreement, is for information about the company or organization for which an EV SSL certificate is purchased. It asks for information like the company name and the person's full name who has applied for an EV SSL certificate. Likewise, the person whose name is provided should be working in the company or should have the authority to buy an EV SSL certificate, the signature of that organizational person, and the place & date of signing.

However, stamped signatures or digital signatures aren't accepted. Instead, you'll require to take its printout, and after filling it, you'll need to either scan or fax the filled Enrollment form and send it back to the CA (Certificate Authority). Likewise, you can even send it through postal mail, but we recommend sending it through email for the fast issuance process.

Authentication Organization

Once you submit that Enrollment form, CA moves to another step of verifying your company or organization detail, called Organization Authentication. Likewise, CA (Certificate Authority) checks whether your company is a legal entity registered and in a working condition within your local municipality.

Usually, CA verifies all your company information via online government databases of your country or state, which shows the registration status of your business. Likewise, all the details mentioned in that government database must be similar to the submitted Enrollment Form, or your EV SSL certificate issuance will get delayed.

However, if the certificate authority fails to verify your company details through online government resources, then you've other options to get your organization verified, and they are:

  • POL (Professional Opinion Letter)
  • Official Company Registration Documents

Operational Existence

Once your organization/company is authenticated, CA will move to the next step of confirming whether your company has been operating for three years or more than that or not. Nonetheless, if your company has been operational for more than three years, it won't create any issues. Furthermore, if it isn't operational for three years or more, then there are some other alternatives you can count upon.

Here below are the four other alternatives that you can go for to prove the Operational Existence of your company if it's less than three years:

  • Official registration documents of the company
  • Dun & Bradstreet report
  • POL (Professional Opinion Letter)
  • Confirmation Letter of the Bank

Physical Address

Here, CA, like Sectigo and Comodo, verifies your company has an established and registered physical address within your state and country. Firstly, the certificate authority tries to verify that the Online Government Database has your company address publicly listed in your local municipality, state, or country. Then, if all the details match your provided Enrollment Form, CA will move to the next step. Likewise, if details don't match your enrolment form, you'll need to go with another alternate method to verify your physical address.

Go through below alternative methods to get your physical address verified:

  • Dun & Bradstreet Report
  • Official Registration Document of Your Company
  • POL (Professional Opinion Letter)

Verification of Telephone Number

Verifying your company's telephone number is another vetting requirement to issue your EV SSL certificate. You're required to have an active telephone number listed in a recognized telephone directory. Similarly, your telephone number should also match precisely with an Enrollment Form's information you gave, which is the business name, physical address, telephone number, and corporate identifier.

Some of the alternative methods you can try to get your telephone number verified are:

  • Dun & Bradstreet
  • POL (Professional Opinion Letter)
  • Third-Party Telephone Listing

Domain Authentication

Here CA verifies your Domain to make sure it belongs to you, and you're purchasing an EV SSL certificate for the Domain getting verified. The certificate authority ensures your company legally owns the Domain for which an order is submitted. Likewise, the CA will go through records of WHO.is records and look for if the record shows the domain registrar information. CA will quickly move to another step if the publicly available "Who.is" record is correct and matches with the details you gave. Likewise, if it doesn't match, you'll need to use an alternate method to fulfill this requirement step.

Below are the alternatives to get the domain authentication verification step completed:

  • Domain Confirmation Email
  • POL (Professional Opinion Letter)
  • File-Based Authentication

Final Verification Call

As the name implies, it's the final step. Once the above steps are completed, CA makes one final verification call, and after completing that, it issues your EV SSL certificate. CA calls your company's verified telephone number in this verification step and speaks with the person whose name is mentioned in an enrollment form.

Likewise, it'll ask some of the questions to ensure you've ordered an EV SSL certificate for the authenticated domain name:

  • Is the CA talking to the person who has the right to purchase an EV SSL certificate?
  • Does the person have the authority to delegate responsibilities regarding the SSL certificate?
  • Does the person have the right to use the company's Domain?
  • Does the person accept the request for an EV SSL certificate?
  • Does the person acknowledge the signature of the Subscriber Agreement?

Furthermore, if you're running a real business, these mentioned requirements shouldn't be a problem for you. Likewise, if you can't complete any of the steps above, then you have an alternate option for each.

Alternatives to Complete EV SSL Certificate Validation Process

Let's understand these alternative methods and find out what they are, and helps in completing which verification processes:

POL (Professional Opinion Letter)

Professional Opinion Letter, also known as a Legal Opinion Letter, is a document given as an alternative figure that declares your organization or a company is a legal entity. So, for instance, you can get such a document issued by an attorney or an accountant with their signature and notarize it. Though it's isn't easy to get, if you can get it, it'll be helpful for multiple validation steps.

For instance, POL (Professional Opinion Letter) is accepted for the below-mentioned validation steps:

  • Authentication of Organization
  • Operational Existence
  • Physical Address
  • Telephone Number
  • Domain Authentication

Official Company Registration Documents

CA accepts official business registration documents issued by your local government. It should include documents such as articles of incorporation, DBA statements, or chartered licenses. Likewise, it helps complete the below validation steps:

  • Authentication Organization
  • Operational Existence
  • Physical Address

Dun & Bradstreet Report

America-based Dun and Bradstreet is a reputed company that offers credit reports. Henceforth, if your company has a Dun and Bradstreet (D&B) credit report, then the certificate authority will accept completing some of your business's validation steps. Likewise, below are the mentioned validation steps where you can use the Dun & Bradstreet credit report as an alternative:

  • Operational Existence
  • Physical Address
  • Verification of Telephone Number

Confirmation Letter of the Bank

If you have an active account of your company with your local bank, you can get a letter that tells you about the Operational Existence of your business. Furthermore, an issued confirmation letter of the bank can work as an alternative, as CA like Sectigo accepts it for completing the operational existence step of the EV SSL validation process.

  • Operational Existence

Third-Party Telephone Listing

You can use an acceptable third-party telephone listing directory like YellowPages, 192.com, and Scoot to verify your telephone number. However, you should ensure that all the mentioned details within the listing directory match the information you gave in an enrollment form.

Note: Comodo only accepts Better Business Bureau or Dun and Bradstreet telephone listing for US businesses.

  • Verification of Telephone Number

Domain Confirmation Email

If your Who.is record isn't updated, then you've got another option to get an email in some of the pre-approved email addresses by the CA. And once you click on the link you get in that email, your Domain will get verified.

Likewise, some of the pre-approved email addresses you can use as an alternative to getting your domain authenticated are as below:

This alternative helps in completing the verification step:

  • Domain Authentication

File Based Authentication

It's an alternative method used by Comodo for completing your Domain Authentication step. Here, CA sends you a text file that you're required to upload to the company website root directory. Likewise, CA will verify it, and if it's correctly placed, CA will complete this verification step.

This alternative helps to complete:

  • Domain Authentication

Our Trusted Clients

vanguard
universityofco
tivo
tiffany
thermo fishers cientific
petrolink