Overview of the EV SSL Certificate Validation Process
Help with the EV SSL Certificate Validation Process
EV (Extended Validation) SSL Certificates are the next generation of SSL certificates. These certificates are meant to combat emerging online threats that continue to erode trust online. Specifically, these certificates will provide a new way for merchants to prove that their site has been verified as an authenticated business. EV SSL Certificates are designed to provide visitors with the green "good to go" browser indicator when visitors go to a secure page.
In Internet Explorer, an EV SSL Certificate will turn your customer's address bar green and display the name of your business next to your web address. All major browsers (e.g. Microsoft, Mozilla, Opera etc) are integrating new displays in order to provide consumers with a visual indicator of a web site's security. Visitors of an EV SSL Certificate-protected web site can quickly and easily be assured that the site is a safe place to shop.
The EV SSL Certificate Validation Process
The EV SSL Certificate vetting process will validate the requestor's domain control and verify the requesting entity's legal existence and identity. The EV SSL validation process is the most extensive and rigorous in the industry. This process ensures that the green trust indicator will only be awarded to trustworthy and non-fraudulent web sites.
Unlike other validation processes in the SSL industry, a Certification Authority issuing EV SSL Certificates cannot rely on any kind of self-reported data (such as address and phone numbers) during the validation process. This means that all data provided by a company hoping to obtain an EV SSL Certificate will be checked against reliable third-party sources.
Before an EV SSL Certificate can be issued, three important steps need to be performed by the EV SSL Certificate vendor.
The steps are:
- Confirm the existence of the company through third-party sources
- Verify that the request has been made on behalf of the company
- Obtain mutual confirmation of the request between the Certificate Authority and the requesting party
Typically this is a contract that will be sent at the end of the validation process to the requesting party. The contract must be signed by an authorized person. For all three steps listed above, special guidelines outline in detail what background checks should be performed by all Certificate Authorities issuing EV SSL Certificates.
A customer wishing to obtain an EV SSL Certificate must own and control the domain name that will utilize the EV SSL Certificate. A Certificate Authority will check web site registration records (Whois database) or may ask the customer to make a change to the web site under the domain name.
The Certification Authority must verify that the individual requesting the certificate is acting as a legitimate agent for the requesting company. One way that a Certificate Authority may verify this data is by contacting the requesting company's human resource department. The Certificate Authority will also verify the identity of the contract signer (in most cases this will be a C level management person). Usually this is
verified with written documentation.
Legal Existence and Identity
A Certificate Authority will check to make sure that the business is legally recognized and that the formal name matches the official government records. In cases where a trading name is used, the Certificate Authority must verify any alternative names that differ from the legal name of the customer in qualified databases.
The Certification Authority is required to cross-check the address listed in the certificate application against a qualified government database. If the listed address cannot be verified by consulting the government database, an on-site visit may be necessary to investigate the discrepancy. Investigators may need to take photos of business operations or speak with company personnel.
The Certificate Authority will confirm that the telephone number listed on the certificate application is the primary telephone number for the requesting organization. This is accomplished by calling the number directly or by checking phone directory listings.
Comodo only accepts third-party telephone listings from Dun and Bradstreet or the Better Business Bureau (US businesses only).