Extended Validation Overview
Extended Validation SSL: Fast & Easy Approval
So you've purchased an Extended Validation SSL certificate. Nice move! On its face the process may seem a bit daunting. It's not. And we're here every step along the way. We've even outlined everything for you to make approval fast and easy.
What are the Extended Validation Requirements?
For the most part, regardless of what Certificate Authority you choose to get your SSL certificate from, the requirements for extended validation are the same. This is because of the CA/B (Certificate Authority and Browser) forum. The CA/B forum is essentially a regulatory body, run by the CAs and the companies behind the largest web browsers. And they make sure SSL certificates interact and behave the same across all browsers. They've also determined the simple baseline requirements necessary to obtain a valid EV SSL certificate. The requirements everyone must satisfy are:
- Enrollment Form
- Organization Authentication
- Operational Existence
- Physical Address
- Telephone Verification
- Domain Authentication
- Final Verification Call
Real businesses have no problem!
If you're a legitimate business – and you mostly have your ducks in a row – this process is a breeze. Keep in mind, part of the reason it is so involved is to differentiate the legitimate business from the rest of the crowd. Therefore, if you're trying to pull a fast one or you're not a real company—extended validation isn't going to work for you. But if you're working for an actual business (you know, one with an office, phone lines and maybe even business cards) then you have nothing to worry about.
Plus, you have us in your corner. Not to toot our own horn but we've been doing this for a while. Some might even call us experts. We'll be here to guide you through every step of the process. Typically, the industry likes to say issuance takes 1-5 business days—that's to give the CA's some time. But if you're in a pinch, we can even help expedite the process for you. We've gotten EV certificates issued in as little as 20 minutes before…say what?!
So what are you waiting for? Extended Validation is absolutely the best decision for your business and with us helping, the process for getting validated will be painless. Let's do this!
The first requirement for getting an Extended Validation SSL certificate might just be the easiest. You simply fill out the Enrollment Form and return it to the Certificate Authority. The form is a single page, it only requires some basic information about you, your organization and possibly a contact in HR that can verify that you are indeed employed with the company you're applying for.
Throughout the Extended Validation process, you – the individual who is applying for the certificate – will be known as the Organizational Contact. This just means that you are the point of contact for your company.
Keep in mind that the reason Extended Validation even exists is to authenticate real companies, thus differentiating their websites from other websites and allowing them to provide their customers or clients with a greater degree of trust. The enrollment form is the first requirement that needs to be met in this process. The idea behind it is to verify that you, the Organizational Contact, have the right to act on your organization's behalf in the first place.
This may sound severe, but it's for your company's own good. An employee in good standing has nothing to worry about. This is to weed out someone impersonating an employee, looking to commit an act of fraud by getting a certificate for an imposter website. Nobody – not your organization, nor the CA – wants this to happen, so it's in everyone's best interest to make sure that you're authorized to be applying for this SSL certificate before the process goes any further.
What Information Does the Enrollment Form Ask For?
The Enrollment form, sometimes known as the Acknowledgement of Agreement, focuses on getting information about the Organizational Contact. It asks for the organization's name, the full name of the Organizational Contact, the Organizational Contact's official title, the Organizational Contact's signature and the date and place of signing.
Unfortunately, digital signatures or stamped signatures are not accepted, so you'll have to print the form out, sign it and then either scan it or fax it back to the CA. You could, of course, mail it too. But we wouldn't advise that—it will seriously delay getting your certificate issued.
The next requirement in the Extended Validation process is called Organization Authentication. This is the point where the Certificate Authority verifies that your company is a legitimate legal entity that is registered and active in your local municipality.
What is Organization Authentication?
The Organization Authentication requirement is pretty straightforward – the CA is going to check to make sure your company is a legally registered business – though if your company operates under any trade names, assumed names or a DBA you will need to make sure that all of those registrations are accurate and up to date as well.
In most cases the Certificate Authority will be able to verify everything via the use of online government databases—the CA will check the official website in your country or state that displays business entity registration status. It's extremely important that the details listed on that database match the details you put down on the Enrollment Form or the CA will be forced to double back and a delay in the issuance of your certificate will ensue.
If the CA can't authenticate your organization using available online resources, you're not out of luck. There are other ways to complete the Organization Authentication requirement.
Other Methods for Organization Authentication
There are two other methods for satisfying the Organization Authentication requirement.
- Official Registration Documents – You can provide the CA with official registration documents that were issued by your local government—this includes items like articles of incorporation, chartered licenses or DBA statements. These all show that your organization is indeed a real business, and that it's recognized as such by your local government.
- POL – You can also get a Legal Opinion Letter, sometimes call a Professional Opinion Letter or POL. In some cases – for instance, if your company has in-house legal – this is actually the most convenient method to earn an Extended Validation SSL Certificate. A POL can be used to satisfy every single requirement for EV SSL, except for the Enrollment Form. A POL is essentially a document in which an attorney (one that is licensed to practice law in your location) or a professional accountant vouches for your company's legitimacy. It carries a lot of weight in the eyes of the CAs.
Either one will satisfy the Organization Authentication requirement.
Can anything else go wrong with Organization Authentication?
As long as your company is legitimate and has all of its registration information up to date with its local government—everything should go smoothly. But there are a few common mistakes which can hold up the process.
For instance, if your official registration details are outdated/expired or your company operates under multiple names and you didn't accurately list the names on your certificate or in the Enrollment Form—you may have to go back and clean things up on your end before the CA will move forward.
The next requirement for an Extended Validation SSL certificate is proving Operational Existence. The CA must confirm that your company has been operational for three or more years. If your company has not been operational for three years, it's still possible to have your Operational Existence verified—but it's going to require a little more work on your part.
Proving Operational Existence
For a well-established company that has been around for longer than three years, proving Operational Existence should be a breeze. In fact, much like with getting Organizational Authentication, there's a chance you won't have to provide any documentation at all and the CA will be able to verify your company's Operational Existence just by checking online.
In this case the CA will check the Online Government Database – either in your local municipality, state or country – that displays your incorporation date. If you're located in a place that keeps good records and you've been around for long enough, this requirement will be met easily.
Other Ways to Prove Operational Existence
If your company resides in a place that doesn't keep good online records, or if your company is younger than three years old, then proving Operational Existence is going to require a little more work on your part. But don't be worried, it's still not all that labor-intensive (or scary).
There are four alternative ways to prove Operational Existence:
- Official Registration Documents – If your company has been operating for more than three years you'll simply need to forward along documentation. This can be done with almost any document issued by your local government, for example, articles of incorporation, a charter license or a DBA statement.
- Dun & Bradstreet – Dun & Bradstreet is a company that provides credit reports on businesses. Regardless of how long your company has been operating, if there is a Dun & Bradstreet credit report on your organization the CAs can use it to verify Operational Existence.
- Bank Confirmation Letter – No matter how long your organization has been operating, if you have an active checking account at a local financial institution all you have to do is supply a letter verifying this information to the CA and you can check the Operational Existence box off.
- POL – If you have a Professional Opinion Letter – a notarized letter from a lawyer or accountant vouching for your company's legitimacy – you can use it to prove your operational existence.
Any of these options will satisfy the Operational Existence requirement and get you one step closer to being issued an Extended Validation SSL Certificate.
The Physical Address requirement for an Extended Validation SSL Certificate is just what it sounds like—you have to prove your organization has an established physical presence in the country or state that it's registered in.
Proving your Company's Physical Address
In order to prove your company's physical address, the Certificate Authority will have to verify your company's street address, city, state and country.
The first way the CA is going to attempt to do this is by checking an Online Government Database – be that in your local municipality, your state or your country – for your company's publicly listed address. Everything must match the details on your certificate and enrollment form exactly. Unfortunately, the CAs will not accept PO Boxes or companies registered off-shore.
You might also run into problems with the fact that some government databases do not list a business's physical address. However, if you do run into any issues – as with all of these requirements – there is a relatively simple workaround that will still allow you to get your Extended Validation SSL Certificate.
Alternative Methods to Prove your Company's Physical Address
There are three ways to prove your company's physical address if the CA's search of the online government databases fails to satisfy the requirement.
- Official Registration Documents – You can send in any official registration documents issued by your local government – articles of incorporation, chartered license, DBA statement – and the CAs will accept them as proof of a physical address.
- Dun & Bradstreet – You can use a comprehensive Dun & Bradstreet credit report to verify the physical address of your company. Dun & Bradstreet is a large company that does credit reports on businesses, the CAs view DUNS as an unimpugnable source of information when vetting organizations.
- POL – Finally, you can use a Legal Opinion Letter, sometimes called a Professional Opinion Letter or POL, which is signed by an attorney or an accountant, to prove your company's physical address. Unless you have in-house legal or easy access to an accountant getting a POL can be a pain, but it's benefits are undeniable—outside of the Enrollment Form a POL can be used to satisfy every requirement in the Extended Validation SSL process.
Any of these methods can be used to prove your company's physical address, should the CA's attempts to verify that information via an online government database fail.
Telephone Verification is yet another requirement for an Extended Validation SSL Certificate. You must have an active telephone number listed in an acceptable telephone directory. The listing must match the exact information given on your certificate and Enrollment Form (i.e. business name with corporate identifier and physical address).
Completing Telephone Verification
As with many of the other requirements (Physical Address, Operational Existence, Organization Authentication) the Certificate Authorities will first attempt to verify this information using an Online Government Database. If the database in your local municipality, state or country has your company's phone number listed along with all of its other information then you'll complete this requirement easily.
Unfortunately, the majority of online government databases do not display this information.
Don't worry, there are still multiple ways to satisfy this requirement.
Alternative Ways to Complete Telephone Verification
If the CA can't verify your telephone number online, there are three other methods you can use to satisfy this requirement.
Third-Party Telephone Listing – You can use an existing telephone listing in a third-party directory. Acceptable directories include the YellowPages, Scoot and 192.com. But keep in mind, all the details in the listing must match the information on your company's certificate and Enrollment Form.
Note: Comodo will no longer accept third-party directories for this requirement, failing a search of an Online Government Database, Comodo will only accept POLs, Dun & Bradstreet reports or BBB listings.
- Dun & Bradstreet – You can also use a Dun & Bradstreet credit report to verify the telephone number associated with your company. Dun & Bradstreet is a large company that does credit reports on businesses and the CAs are willing to use the information they compile in order to verify specific details during the Extended Validation vetting process. DUNS Credit Reports can also be used to verify Physical Address and Operational Existence.
- POL – Finally, you can use a Legal Opinion Letter – sometimes called a Professional Opinion Letter, or POL – to verify your company's telephone number. This is especially useful if your company doesn't publically display its phone number in any directories or listings. A POL is a document signed by an attorney or accountant that vouches for the legitimacy of your company. It can be used to satisfy every requirement except the Enrollment Form.
- Third-Party Telephone Listing – You can use an existing telephone listing in a third-party directory. Acceptable directories include the YellowPages, Scoot and 192.com. But keep in mind, all the details in the listing must match the information on your company's certificate and Enrollment Form.
The Domain Authentication requirement for an Extended Validation SSL Certificate is a fairly straightforward one. The Certificate Authority simply confirms that your company does indeed legally own the domain that was submitted with the order.
Completing Domain Authentication
The first way that the Certificate Authority will try to verify that your company owns the domain in question is to check Who.is. Who.is, is a database that displays domain registrar information.
In order for the CA to verify site ownership, the record must be publicly available and it must display the correct information. For instance, the verified business name and physical address must match the information listed on the certificate and Enrollment Form.
If the information does not match up, or is not publically available, you may need to update the Who.is record, then request that that CA check the details again.
Alternative Methods for Satisfying the Domain Authentication Requirement
If checking Who.is doesn't verify domain ownership, there are still other ways for your company to satisfy the requirement.
- Domain Confirmation Email – If you can't update your Who.is registry, you can still satisfy the Domain Authentication requirement by having an email sent to the listed address on the Who.is entry for your domain. Alternatively, you can also have the email sent to one of five pre-approved alias emails ([email protected], [email protected], [email protected], [email protected] and [email protected]).
- File-Based Authentication – For this method the CA (Comodo only) will send you a text file, which you (or your web admin) then upload to the root directory of your company's website. The CA will then verify this and the Domain Authentication requirement will officially be satisfied.
- POL – As with most other requirements, a Legal Opinion Letter (also known as a Professional Opinion Letter or POL) will satisfy this requirement. You need only get an attorney or an accountant to sign one for you and the CA will accept it as proof of domain ownership.
Final Verification Call
Final Verification Call
The Final requirement for Extended Validation SSL Certificates is the Verification Call. The Certificate Authority must speak with you or the Organization Contact using the verified business telephone number in order to confirm the details of your order.
Completing the Verification Call
This step is fairly simple, the Certificate Authority has already received your Enrollment Form, gone through Organization Authorization and confirmed Operational Existence, your company's Physical Address, Telephone Number and Domain Ownership.
Now all that's left is for the CA to call your company's verified phone number and speak with you or the Organization Contact. The CA will use the call to verify the details of the order so they can then issue the certificate to the technical contact or web admin that will be installing the certificate (we can also help you install the certificate in lieu of an admin).
Unless you have severe social anxiety about taking a phone call—this requirement is absolutely painless.
Possible Issues with Taking the Verification Call
That being said, there are a few potential hiccups that can occur when you're getting ready to take the Final Verification Call. Namely, there's a good chance that your company's verified telephone number – the one that appears in public listings – doesn't connect directly to your desk.
Don't worry, the CA can enter your extension or connect with you through Interactive Voice Response (IVR). Alternatively, the CA can also be transferred to your line from your company's phone receptionist or operator, or it can obtain your number from a colleague after initiating the call using the verified telephone number.
The CA will make every effort to reach you. Just make sure you answer the phone. Seriously. Don't let it go to voicemail. Otherwise you'll just be delaying the issuance of your EV SSL Cert. And nobody wants that.
After the Verification call, the CA will issue your SSL Certificate. Then you'll need to install it. For more help installing your SSL Certificate, click here.