• Organization Validation SSL Overview

    Organization Validation SSL: Fast & Easy Approval

    So you've purchased an Organization Validation SSL certificate. Now what? How does one get their organization validated? It may seem like a tall order, but don’t worry. It’s really quite simple. And you’ve got us in your corner. Trust us, this will be easy.

    What are the Organization Validation Requirements?

    The requirements for an Organization Validation SSL certificate are the same regardless of which CA you go with. These requirements are:

    • Organization Authentication
    • Locality Presence
    • Telephone Verification
    • Domain Authentication
    • Final Verification Call

    As long as you’re a legitimate organization this process will go smoothly. Remember, part of the reason this process even exists is to differentiate the legitimate businesses from the pretenders—including scam artists and cybercriminals. So, if you’re working for an actual business, then you have nothing to worry about.

    Plus, we’ll be here helping you the whole way. You’ll have the benefit of our many years of experience behind you. Typically, the CAs like to tell you issuance takes 1-3 business days—that’s to give themselves some cushion. But if you’re in a hurry, we can even expedite the process for you.

    So what are you waiting for? Let’s get started!

  • Organization Authentication

    Enrollment Forms

    The first requirement for an Organization Validation SSL certificate is called Organization Authentication. This is where the Certificate Authority (CA) will attempt to verify that your organization is a legitimate legal entity.

    What is Organization Authentication?

    The Organization Authentication requirement is perhaps the most involved of all the OV requirements. The CA will be checking that your organization is registered and active within your state or country. It’s absolutely vital that all of the listed information from your organization’s registration matches the details that you supplied during enrollment. It’s also worth noting that if your organization operates under any trade names, assumed names or DBAs, all of that registration information needs to be up to date and accurate as well.

    The primary way that the CAs will attempt to verify this information is by checking the Online Government Database in your local municipality, state or country—whatever government site publicly displays your business entity registration status. You can check on your registration information here.

    If all the details match up, then you’ll have satisfied this requirement. If not, don’t worry. There are alternative methods your CA and you can utilize to authenticate your organization.

    • Official Registration Documents – You can use the business registration documents that have been issued by your local government to satisfy this requirement. Examples of these types of documents include articles of incorporation, chartered licenses and DBA statements—anything from the government showing your company is a legitimate legal entity.
    • Dun & Bradstreet – You can use a comprehensive DUNS Credit Report to verify specific details associated with your business entity. Dun & Bradstreet is an organization that does financial reporting on other businesses. Their credit reports are held in high esteem by the CAs and can be used to satisfy multiple requirements.
    • POL – Though Legal Opinion Letters, often called Professional Opinion Letters or POLs, can be a hassle to obtain, they are exceptionally useful during the validation process. They satisfy four of the five requirements for Organization Validation. Essentially you are having an attorney or accountant vouch for the legitimacy of your organization by signing a letter from your CA. You can learn more about POLs here.
  • Locality Presence

    Locality Presence

    After Organization Authentication, the next requirement for an Organization Validated SSL certificate is proving Locality Presence. For this requirement, the Certificate Authority (CA) will try to verify that your organization or company has an active legal presence in its registered location.

    What is Locality Presence?

    To fulfill the Locality Presence requirement, the Certificate Authority needs to verify that your organization has a legitimate physical presence within the country or state it’s registered in. The CA doesn’t need to verify the actual street address, just the city, state or country in the address.

    Usually the CA will attempt to verify this information by searching an Online Government Database. It will look in the relevant database and check the registration details – the city/state/country in your address – against the details you provided at the outset of the process.

    If everything checks out, you’re good to go—you have satisfied this requirement. However, if everything doesn’t match exactly, you’ll need to utilize another method to prove your locality presence.

    Fortunately, there are three other ways to satisfy this requirement.

    Other Methods for Organization Authentication

    There are two other methods for satisfying the Organization Authentication requirement.

    • Official Registration Documents – The CAs will accept documents from your local government (city, state or country) that verify the information you provided them during enrollment. This includes documents such as articles of incorporation, chartered licenses and DBA statements.
    • Dun & Bradstreet – Providing a comprehensive DUNS Credit Report will allow the CA to verify the physical address associated with your organization. Dun & Bradstreet credit reports are incredibly useful for the purpose of validation as they can satisfy both this requirement and the Organization Authentication requirement.
    • POL – A legal opinion letter, which is sometimes called a POL or professional opinion letter, is a document in which an accountant or attorney (they must be in good standing) verifies the legitimacy of your business. They can be used to satisfy four of the five requirements for an OV SSL Certificate.
  • Telephone Verification

    Telephone Verification

    One of the more straightforward requirements in the Organization Validation process is Telephone Verification. Do you have a telephone number listed? Is it verifiable by a third-party directory? Boom. Done.

    What is Telephone Verification?

    In order to satisfy the Telephone Verification requirement, you must have an active telephone listing that’s verifiable by an acceptable online telephone directory. The listing must display the exact same business name and physical address as you’ve already had verified.

    To check this, the first place the CAs will go is the Online Government Databases. If your number is listed and the organization name and address match up, you’re good to go—you’ve satisfied this requirement.

    Unfortunately, the majority of government databases don’t display the phone number. This complicates things a bit for the CA, but not for you, as long as your organization does have a number listed.

    • Third-Party Directory – The CAs can use an existing or new telephone listing from an acceptable third-party directory. Examples of these accepted directories include the Yellow Pages, 192.com, etc. But keep in mind, the business name and physical address must be exactly the same.
    • Dun & Bradstreet – Providing a comprehensive DUNS Credit Report will allow the CA to verify the physical address associated with your organization. Dun & Bradstreet credit reports are incredibly useful for the purpose of validation as they can satisfy both this requirement and the Organization Authentication requirement.
    • POL – A legal opinion letter, which is sometimes called a POL or professional opinion letter, is a document in which an accountant or attorney (they must be in good standing) verifies the legitimacy of your business. They can be used to satisfy four of the five requirements for an OV SSL Certificate.
  • Domain Verification

    Domain Verification

    The next requirement for Organization Validated SSL is Domain Verification. This is where the Certificate Authority (CA) will attempt to verify that your organization owns the domain in question.

    What is Domain Verification?

    To satisfy the Domain Verification requirement you need to prove that your organization owns the domain the certificate was requested for.

    There are several ways to do this, but the CA is going to start by looking at the WHOIS registry. If your domain's WHOIS record is public and includes a valid contact email, the CA may be able to send the Domain Authentication email to the address listed on your WHOIS record. 

    However, some WHOIS records require human verification via CAPTCHA, which means the CA's system cannot access the record or pull the email. There are also some international privacy laws that prevent WHOIS records from publishing website ownership information.

    If the WHOIS email address cannot be used for Domain Validation, you can use one of the alternative methods:

    Alternative Methods to Complete Domain Verification

    • Updating your WHOIS Record – If the details in your WHOIS record are outdated or incorrect, or if a privacy setting is enabled, you can update the record and request that the CA check your WHOIS details again.
    • Pre-Approved Alias Email - If your WHOIS email cannot be used, the CA can instead send a domain approval email to one of the following pre-approved alias email addresses registered to your domain:
    • File-Based Authentication - To validate by file upload, the CA will provide a unique text file containing a code generated based on your CSR. You will host this file in a specific directory on your website so it can be accessed by the CA and verified. 
    • DNS-Based Authentication - Depending on your CA, to validate your domain by DNS, you will receive instructions to create either a TXT record (DigiCert) or a CNAME record (Sectigo) in your website's DNS manager to verify ownership.
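
The WHOIS step described at the start of this section can be pre-checked before you submit the order. The sketch below is an added example, not code from this page or from any CA: it scans a WHOIS response for registrant, admin or tech contact addresses that look deliverable, so you know whether to expect the WHOIS e-mail or to plan on one of the alternative methods. The field labels, redaction markers and both sample records are assumptions constructed for illustration.

```python
import re

# Heuristic markers (assumptions, not any CA's rule set) showing that a contact
# field holds a privacy placeholder or proxy address, not a reachable mailbox.
REDACTION_MARKERS = ("redacted", "privacy", "not disclosed", "withheld")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
# Registrant/Admin/Tech contact lines; the registrar's abuse contact is ignored.
CONTACT_FIELD_RE = re.compile(r"^\s*(registrant|admin|tech)\s+email\s*:\s*(.*)$", re.I)

# Constructed sample WHOIS responses (not real records).
PUBLIC_RECORD = """Domain Name: EXAMPLE.COM
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Organization: Example Widgets LLC
Registrant Email: it-admin@example.com
Admin Email: IT-Admin@example.com
Tech Email: REDACTED FOR PRIVACY
"""
REDACTED_RECORD = """Domain Name: EXAMPLE.ORG
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: REDACTED FOR PRIVACY
Tech Email: 1a2b3c@privacy-proxy.example
"""


def usable_whois_emails(whois_text):
    """Return the contact addresses in a WHOIS response that look deliverable."""
    found = []
    for line in whois_text.splitlines():
        match = CONTACT_FIELD_RE.match(line)
        if not match:
            continue
        value = match.group(2).strip().lower()
        if any(marker in value for marker in REDACTION_MARKERS):
            continue  # privacy placeholder or proxy mailbox
        if EMAIL_RE.match(value) and value not in found:
            found.append(value)
    return found


def whois_email_method_available(whois_text):
    """True if at least one contact address could receive the approval e-mail."""
    return bool(usable_whois_emails(whois_text))


if __name__ == "__main__":
    for name, record in (("public", PUBLIC_RECORD), ("redacted", REDACTED_RECORD)):
        print(name, usable_whois_emails(record))
```

A response that is a CAPTCHA page rather than a record yields no contact lines, so it is reported the same way as a redacted record.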
  • Final Verification Call

    Final Verification Call

    The Final Verification Call is the last requirement for an Organization Validated SSL certificate. It’s simple: the Certificate Authority (CA) will call the telephone number associated with your organization to verify the details of the order.

    What is the Final Verification Call?

    To finish the Organization Validation process and issue your SSL certificate, the Certificate Authority will need to call and speak with you or your specified applicant (your site admin) via your organization’s verified telephone number in order to confirm the details of your order.

    This really is as simple as it sounds. Just make sure you (or your site admin) are available to pick up the phone and answer the questions. They’re not hard questions, either. Just generally things like, “did you order this?” or “what is the name of your company?” Simple. And it takes less than five minutes.

    Now, if the listed telephone number doesn’t ring directly to your desk – as does sometimes happen – do not worry. The CA will attempt to contact you a couple of different ways.

    • Extension or IVR – If your phone system uses extensions or Interactive Voice Response (IVR), then the CA will work through the phone system to connect to you. So as long as your extension is listed (or you have provided it) or your phone can be reached by the IVR, you’ll be alright.
    • Transfer or Alternative Number – If you don’t have an extension or IVR, the CA can also have the receptionist (or whoever answers your phones) transfer them or provide them with your direct number.

    From there, just answer the CA’s questions (like we said, they’re not trying to trick you with anything too challenging) and you’ll have satisfied the final requirement.

    Now all that’s left is for the CA to issue you the SSL certificate. Then you’ll need to install it. For more help installing your SSL Certificate, click here.