SSLTrust

Extended Validation (EV) Process and Requirements

While at first the Extended Validation process may seem a bit daunting—it can actually be a breeze if you come prepared. This section will cover everything you need to know about Extended Validation.


What are the Extended Validation Requirements?

Regardless of which Certificate Authority you choose to get your SSL certificate from, the requirements for extended validation are the same. This is because of the CA/Browser Forum (CA/B Forum). The CA/B Forum is essentially a regulatory body, run by the CAs and the companies behind the largest web browsers, that governs SSL and makes sure the certificates behave the same across all browsers. They’ve determined the simple baseline requirements for issuing an EV SSL Certificate:

  • Enrolment Form
  • Domain Authentication
  • Organisation Authentication
  • Operational Existence
  • Physical Address
  • Telephone Verification
  • Final Verification Call

The more prepared you are, the faster validation goes.

If you’re a legitimate business this process is a breeze. Remember, part of the reason there are so many checks is to differentiate the legitimate businesses from the rest of the crowd. Nothing the CA is going to ask for should be difficult for a legitimate business to furnish.

Typically, the industry likes to say issuance takes 1-5 business days—that’s to give the CAs some time. But if your information is listed publicly and you’re persistent, you can have one issued in as little as one day.

Extended Validation Enrolment Form

One of the very first checks for Extended Validation is the Enrolment Form. You simply complete the form and return it to the Certificate Authority. The form is a single page, requiring only basic information about you, your organisation and, sometimes, a contact in HR who can verify your employment with the company you’re applying on behalf of.

What is an Organisational Contact?

Throughout the Extended Validation process, you – the individual applying for the certificate – will be known as the Organisational Contact. That just means that you are the point of contact for your company.

The enrolment form is the first check that needs to be met in the EV process. The idea behind it is to verify that you, the Organisational Contact, have the right to act on your organisation’s behalf in the first place.

An employee in good standing has nothing to worry about. This check is meant to weed out someone impersonating an employee, looking to commit an act of fraud by getting a certificate for an imposter website. Nobody wants this to happen, so it’s in everyone’s best interest to verify that you’re authorised to be applying for this SSL certificate in the first place.

What Information Does the Enrolment Form Ask For?

The Enrolment form, sometimes known as the Acknowledgement of Agreement, focuses on getting information about the Organisational Contact. It asks for the organisation’s name, the full name of the Organisational Contact, the Organisational Contact’s official title, the Organisational Contact’s signature and the date and place of signing.

Unfortunately, digital signatures or stamped signatures are not accepted, so you’ll have to print the form out, sign it and then either scan it or fax it back to the CA. You could also mail it. But keep in mind, this will delay issuance.

Extended Validation Domain Verification

The Domain Verification check for an Extended Validation SSL Certificate is a fairly straightforward one—it’s just like the one performed for DV and OV. The Certificate Authority simply confirms that your company owns the registered domain.

Completing Domain Verification

The first way that the Certificate Authority will try to verify that your company owns the domain in question is to check Who.is. Who.is is a database that displays domain registrar information. Unfortunately, the EU’s GDPR has closed many of the WHOIS books and made it more difficult to perform this check.

However, some registrars’ WHOIS data is still visible and in use. If the CA is able to locate an email address from the WHOIS, they’ll send an email to that address. Once the steps listed in the email have been completed, you’ve satisfied this requirement. The available verification methods are:

  • Proof of Right Email
  • File-Based Authentication
  • DNS CNAME-Based Authentication
  • DNS TXT-Based Authentication

Domain Confirmation Email

You can have the email sent to one of these five pre-approved alias emails:

  • Admin@yourdomain.com
  • Administrator@yourdomain.com
  • Webmaster@yourdomain.com
  • Hostmaster@yourdomain.com
  • Postmaster@yourdomain.com

File-Based Authentication

The CA provides you with a text file that contains a unique value. You just need to add 2 sub-folders to the publicly accessible directory for your domain and then put the text-file into those folders.

  • Folder #1: Must be named exactly “.well-known”
  • Folder #2: Must be created inside of Folder #1 and named exactly “pki-validation”

The goal of this validation method is to see the contents of your text file when you navigate to the following URL in your browser:
http://yourdomain.com/.well-known/pki-validation/unique_filename.txt

Once the file is publicly accessible, the CA’s system will detect the file and issue your certificate!
They check roughly every 30 minutes. If you are not validated after the file has been live for some time, please contact our support team.

DNS CNAME-Based Authentication

Comodo will provide you with two unique hash values that will make up your CNAME record. You must use the following format:

  • Hostname Value: unique_value_1.yourdomain.com
  • Points To Value: unique_value_2.certificateauthority.com

Once the CNAME record is publicly visible, Comodo’s system will detect the CNAME record and use it to satisfy the Domain Validation requirement.

DNS TXT-Based Authentication (GeoTrust/Thawte/RapidSSL/DigiCert)

The CA provides you with a unique value that you will input into your DNS settings as a TXT record. The TXT record must use the following format:

  • The Host Name Value: Left blank or insert the @ symbol.
  • The TXT Value: The unique value as given by the CA.
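
A pre-flight check for the two DNS methods above, as an added example (not SSLTrust's or any CA's tooling): it lints a BIND-style zone snippet for the CNAME and TXT records before the CA looks for them. The zone contents, token values and function names are constructed for illustration; `yourdomain.com` and `certificateauthority.com` are the guide's own placeholders.

```python
ORIGIN = "yourdomain.com."  # the guide's placeholder domain, as an absolute name

def fqdn(name, origin=ORIGIN):
    """Expand a zone-file name the way a DNS server does ('@' means the origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Minimal parser: one 'owner ttl IN type rdata' line per record; relative
    names (no trailing dot), including CNAME targets, get the origin appended."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if "IN" not in fields[1:-1]:
            continue
        i = fields.index("IN", 1)
        rtype, rdata = fields[i + 1], " ".join(fields[i + 2:])
        rdata = fqdn(rdata, origin) if rtype == "CNAME" else rdata.strip('"')
        records.append((fqdn(fields[0], origin), rtype, rdata))
    return records

def check_cname(records, host, target):
    """host and target are the full names the CA issued; returns a list of problems."""
    owner, want = host.rstrip(".") + ".", target.rstrip(".") + "."
    at_owner = [r for r in records if r[0] == owner]
    cnames = [r[2] for r in at_owner if r[1] == "CNAME"]
    problems = [f"CNAME points to {got}, expected {want}" for got in cnames if got != want]
    if not cnames:
        problems.append(f"no CNAME at {owner}")
    elif len(at_owner) > 1:
        problems.append(f"other records share {owner} with the CNAME")
    return problems

def check_txt(records, value, origin=ORIGIN):
    """The TXT value must sit at the zone apex (host left blank or '@')."""
    hits = [r[0] for r in records if r[1] == "TXT" and r[2] == value]
    if origin in hits:
        return []
    return [f"TXT value is at {hits[0]}, not {origin}"] if hits else [f"no TXT value at {origin}"]

# Constructed sample: placeholder values; the CNAME target lacks its trailing dot.
HOST, TARGET = "unique_value_1.yourdomain.com", "unique_value_2.certificateauthority.com"
SAMPLE_ZONE = """\
@               300 IN TXT   "unique_value"
unique_value_1  300 IN CNAME unique_value_2.certificateauthority.com
"""
if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(check_txt(recs, "unique_value"), check_cname(recs, HOST, TARGET))
```

On the sample zone the TXT check passes and the CNAME check reports that the target resolved under your own domain, which is what a missing trailing dot produces in a zone file.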

Extended Validation Organisation Authentication

Much like with Organisation Validation, one of the checks during the Extended Validation process is called Organisation Authentication.

What is Organisation Authentication?

The Organisation Authentication requirement is straightforward: this is where the Certificate Authority verifies that your company is a legitimate legal entity that is registered and active in its registered location.

Note: If your organisation operates under any trade names, assumed names or DBAs, all of that registration information needs to be up to date and accurate as well.

In most cases the Certificate Authority will be able to verify everything via the use of online government databases:

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

It’s extremely important that the details listed in the register match the details you put down on the Enrolment Form and CSR, or the CA will run into trouble and issuance will be delayed.
If the CA can’t authenticate your organisation using available online resources, you’re not out of luck. There are two other ways to complete the EV Organisation Authentication requirement.

  • Official Registration Documents
  • Legal Opinion Letter

Official Registration Documents

You can provide the CA with official registration documents that were issued by your local government—this includes items like articles of incorporation, chartered licenses or DBA statements. These all show that your organisation is a real business, and that it’s recognized by your local government.

Legal Opinion Letter

You can also get a Legal Opinion Letter, sometimes called a Professional Opinion Letter or POL. This is a document in which an attorney or accountant (who is licensed and in good standing with the governing body in your location) vouches for your company’s legitimacy. It carries a lot of weight in the eyes of the CAs. If your company has in-house legal, this is the most convenient method to earn an Extended Validation SSL Certificate. A POL can be used to satisfy 5 out of the 7 requirements for EV SSL.

Extended Validation Operational Existence

One of the most important checks for Extended Validation SSL certificates is verifying Operational Existence. The CA needs to confirm that your company has been operational for three or more years.

Now, if your company has not been operational for three years, it’s still possible to have your Operational Existence verified—but it’s going to require a little more work on your part.

Proving Operational Existence

For a well-established company that has been around for longer than three years, proving Operational Existence is simple. In fact, much like with Organisational Authentication, there’s a chance you won’t have to provide any documentation at all and the CA will be able to verify your company’s Operational Existence just by checking an online database.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

It’s extremely important that the details listed in the register match the details you put down on the Enrolment Form and CSR, or the CA will run into trouble and issuance will be delayed.
If the CA can’t authenticate your organisation using available online resources, you’re not out of luck. There are two other ways to complete the EV Organisation Authentication requirement.

  • Official Registration Documents
  • Dun & Bradstreet
  • Professional Opinion Letter

Official Registration Documents

If your company has been operating for more than three years you simply need to forward along documentation. This can be done with almost any document issued by your local government, for example, articles of incorporation, a charter license or a DBA statement.

Dun & Bradstreet

Dun and Bradstreet is a firm that provides credit reports on businesses. In Australia it also operates as Hoovers. Regardless of how long your company has been operating, if there is a Dun & Bradstreet credit report on your organisation the CAs can use it to verify Operational Existence.

Professional Opinion Letter

If you have a Professional Opinion Letter – a notarised letter from a lawyer or accountant vouching for your company’s legitimacy – you can use it to prove your operational existence.

Extended Validation Physical Address

The Physical Address check for an Extended Validation SSL Certificate is just what it sounds like—you must prove your organisation has an established physical presence in the country or state that it’s registered in.

Proving your Company’s Physical Address

To prove your company’s physical address, the Certificate Authority will verify your company’s street address, city, state and country.

The first way the CA is going to attempt to complete this check is by searching an online government database. For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

Unfortunately, the CAs will not accept PO Boxes or companies registered off-shore.

You might also run into problems with the fact that some government databases do not list a business’s physical address. However, if you do run into any issues – as with all of these requirements – there is a relatively simple workaround that will still allow you to get your Extended Validation SSL Certificate.

  • Official Registration Documents
  • Dun & Bradstreet
  • Professional Opinion Letter

Extended Validation Telephone Verification

Just like with Organisation Validation, Telephone Verification is a required check for an Extended Validation SSL Certificate. You need to have an active telephone number listed in an acceptable telephone directory. The listing should match the exact information given on your Enrolment Form and CSR (i.e. business name with corporate identifier and physical address).

Completing Telephone Verification

The Certificate Authorities will try to verify this information using an Online Government Database first.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

Unfortunately, some online government databases do not display this information. Don’t worry, there are still two other ways to satisfy this requirement.

  • Third-Party Directory
  • Legal Opinion Letter

Third-Party Telephone Listing

You can use an existing telephone listing in a third-party directory. Globally acceptable directories for all CAs include:

Please contact our Support Team for a list of all accepted directories in your country.

Extended Validation Final Verification Call

The final requirement for Extended Validation SSL Certificates is the Verification Call. The Certificate Authority must speak with the Admin Contact using the verified business telephone number to confirm the details of your order.

Completing the Verification Call

This is very simple: the CA is just going to call the number it verified earlier in the process to confirm your order. It takes five minutes, tops.

If the listed telephone number doesn’t ring directly to the Admin Contact’s desk – as is often the case – don’t worry. The CA will attempt to work through the phone system and contact them using the below alternative methods.

  • Extension or IVR
  • Transfer or Alternative Number

Extension or IVR

If the phone system uses extensions or Interactive Voice Response (IVR), then the CA will work through the phone system to connect to the Admin Contact. So, if their extension is listed (or they’ve previously provided it to the CA) or their phone can be reached by the IVR, it’ll be alright.

Transfer or Alternative Number

If they don’t have an extension or IVR, the CA can also have the receptionist (or whoever answers the business phone number) transfer the CA to them or provide the CA with their direct number.

Please Note: Mobile numbers can be used, but ONLY if they are given to the CA when they call the verified business phone number on the verified listing.

