Extended Validation (EV) Process and Requirements

Regardless of what Certificate Authority you choose to get your SSL certificate from, the requirements for extended validation are the same. This is because of the CA/B (Certificate Authority and Browser) forum. The CA/B forum is essentially a regulatory body, run by the CAs and the companies behind the largest web browsers, that governs SSL and makes sure the certificates behave the same across all browsers. They’ve determined the simple baseline requirements for issuing an EV SSL Certificate.

The more prepared you are, the faster validation goes.

If you’re a legitimate business this process is a breeze. Remember, part of the reason there are so many checks is to differentiate the legitimate businesses from the rest of the crowd. Nothing the CA is going to ask for should be difficult for a legitimate business to furnish.

Typically, the industry likes to say issuance takes 1-5 business days—that’s to give the CAs some time. But if your information is listed publicly and you’re persistent, you can have one issued in as little as one day.

One of the very first checks for Extended Validation is the Enrolment Form. You simply complete the form and return it to the Certificate Authority. The form is a single page, requiring only basic information about you, your organisation and, sometimes, a contact in HR that can verify your employment with the company you’re applying for.

Throughout the Extended Validation process, you – the individual applying for the certificate – will be known as the Organisational Contact. That just means that you are the point of contact for your company.

The enrolment form is the first check that needs to be met in the EV process. The idea behind it is to verify that you, the Organisational Contact, have the right to act on your organisation’s behalf in the first place.

An employee in good standing has nothing to worry about. This check is meant to weed out someone impersonating an employee, looking to commit an act of fraud by getting a certificate for an imposter website. Nobody wants this to happen, so it’s in everyone’s best interest to verify that you’re authorised to be applying for this SSL certificate in the first place.

The Enrolment form, sometimes known as the Acknowledgement of Agreement, focuses on getting information about the Organisational Contact. It asks for the organisation’s name, the full name of the Organisational Contact, the Organisational Contact’s official title, the Organisational Contact’s signature and the date and place of signing.

Unfortunately, digital signatures or stamped signatures are not accepted, so you’ll have to print the form out, sign it and then either scan it or fax it back to the CA. You could also mail it. But keep in mind, this will delay issuance.

The Domain Verification check for an Extended Validation SSL Certificate is a fairly straightforward one—it’s just like the one performed for DV and OV. The Certificate Authority simply confirms that your company owns the registered domain.

The first way that the Certificate Authority will try to verify that your company owns the domain in question is to check Who.is . Who.is, is a database that displays domain registrar information. Unfortunately, the EU’s GDPR has closed many of the WHOIS books and made it more difficult to perform this check.

However, some registrar’s WHOIS data is still visible and in use. If the CA is able to locate an email address from the WHOIS, they’ll send an email to that address. Once the steps listed in the email have been completed, you’ve satisfied this requirement.

You can have the email sent to one of these five pre-approved alias emails:

The CA provides you with a text file that contains a unique value. You just need to add 2 sub-folders to the publicly accessible directory for your domain and then put the text-file into those folders.

The goal of this validation method is to see the contents of your text file when you navigate to the following URL in your browser:
http:// yourdomain.com/.well-known/pki-validation/unique_filename.txt

Once the file is publicly accessible, the CA’s system will detect the file and issue out your certificate!
They check roughly every 30 minutes, if you do not get validated after the file is live for some time please contact our support team.

Comodo will provide you with two unique hash values that will make up your CNAME record. You must use the following format:

Once the CNAME record is publicly visible, Comodo’s system will detect the CNAME record and use it to satisfy the Domain Validation requirement.

The CA provides you with a unique value that you will input into your DNS settings as a TXT record. The TXT record must use the following format:

Much like with Organisation Validation, one of the checks during the Extended Validation process is called Organisation Authentication.

The Organisation Authentication requirement is straightforward – This is where the Certificate Authority verifies that your company is a legitimate legal entity that is registered and active in its registered location.

Note: If your organisation operates under any trade names, assumed names or DBA’s, all of that registration information needs to be up to date and accurate as well.

In most cases the Certificate Authority will be able to verify everything via the use of online government databases:

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC) .

For New Zealand, that means the New Zealand Companies Office Companies Register .

It’s extremely important that the details listed in the register match the details you put down on the Enrolment Form and CSR or the CA will run into trouble and issuance will be delayed.
If the CA can’t authenticate your organisation using available online resources, you’re not out of luck. There are two other ways to complete the EV Organisation Authentication requirement.

You can provide the CA with official registration documents that were issued by your local government—this includes items like articles of incorporation, chartered licenses or DBA statements. These all show that your organisation is a real business, and that it’s recognized by your local government.

You can also get a Legal Opinion Letter, sometimes call a Professional Opinion Letter or POL. This is a document in which an Attorney or Accountant (that is licensed and in good standing with the governing body in your location) vouches for your company’s legitimacy. It carries a lot of weight in the eyes of the CA’s. If your company has in-house legal – this is the most convenient method to earn an Extended Validation SSL Certificate. A POL can be used to satisfy 5 out of the 7 requirements for EV SSL.

One of the most important checks for Extended Validation SSL certificates is verifying Operational Existence. The CA needs to confirm that your company has been operational for three or more years.

Now, if your company has not been operational for three years, it’s still possible to have your Operational Existence verified—but it’s going to require a little more work on your part.

For a well-established company that has been around for longer than three years, proving Operational Existence is simple. In fact, much like with Organisational Authentication, there’s a chance you won’t have to provide any documentation at all and the CA will be able to verify your company’s Operational Existence just by checking an online database.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC) .

For New Zealand, that means the New Zealand Companies Office Companies Register .

It’s extremely important that the details listed in the register match the details you put down on the Enrolment Form and CSR or the CA will run into trouble and issuance will be delayed.
If the CA can’t authenticate your organisation using available online resources, you’re not out of luck. There are two other ways to complete the EV Organisation Authentication requirement.

If your company has been operating for more than three years you simply need to forward along documentation. This can be done with almost any document issued by your local government, for example, articles of incorporation, a charter license or a DBA statement.

Dun and Bradstreet is a firm that provides credit reports on businesses. In Australia it also operates as Hoovers. Regardless of how long your company has been operating, if there is a Dun & Bradstreet credit report on your organisation the CAs can use it to verify Operational Existence.
D-U-N-S Number Information

If you have a Professional Opinion Letter – a notarised letter from a lawyer or accountant vouching for your company’s legitimacy – you can use it to prove your operational existence.

The Physical Address check for an Extended Validation SSL Certificate is just what it sounds like—you must prove your organisation has an established physical presence in the country or state that it’s registered in.

To prove your company’s physical address, the Certificate Authority will verify your company’s street address, city, state and country.

The first way the CA is going to attempt to complete this check is by searching an Online Government Database – For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC) .

For New Zealand, that means the New Zealand Companies Office Companies Register .

Unfortunately, the CA’s will not accept PO Boxes or companies registered off-shore.

You might also run into problems with the fact that some government databases do not list a business’s physical address. However, if you do run into any issues – as with all of these requirements – there is a relatively simple workaround that will still allow you to get your Extended Validation SSL Certificate.

Just like with Organisation Validation, Telephone Verification is a required check for an Extended Validation SSL Certificate. You need to have an active telephone number listed in an acceptable telephone directory. The listing should match the exact information given on your Enrolment Form and CSR (i.e. business name with corporate identifier and physical address).

The Certificate Authorities will try to verify this information using an Online Government Database first.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC) .

For New Zealand, that means the New Zealand Companies Office Companies Register .

Unfortunately, some online government databases do not display this information. Don’t worry, there are still two other ways to satisfy this requirement.

You can use an existing telephone listing in a third-party directory. Globally acceptable directories for all CAs include:

Please contact our Support Team for a list of all accepted directories in your country.

The final requirement for Extended Validation SSL Certificates is the Verification Call. The Certificate Authority must speak with the Admin Contact using the verified business telephone number to confirm the details of your order.

This is very simple, the CA is just going to call the number it verified earlier in the process to confirm your order. It takes five minutes, tops.

If the listed telephone number doesn’t ring directly to the Admin Contact’s desk – as is often the case – don’t worry. The CA will attempt to work through the phone system and contact them using the below alternative methods.

If the phone system uses extensions or Interactive Voice Response (IVR), then the CA will work through the phone system to connect to the Admin Contact. So, if their extension is listed (or they’ve previously provided it to the CA) or their phone can be reached by the IVR, it’ll be alright.

If they don’t have an extension or IVR, the CA can also have the receptionist (or whoever answers the business phone number) transfer the CA to them or provide the CA with their direct number.

Please Note: Mobile numbers can be used, but ONLY if they are given to the CA when they call the verified business phone number on the verified listing.