Obtaining an extended validation certificate does involve an extensive validation process. There are many hoops to jump through, and this is a good thing.
You want to be assured all organisations displaying an Extended Validation SSL certificate have undertaken the same rigorous verification process.
Why Would I Want an EV SSL?
The presence of an EV SSL (Extended Validation SSL Certificate), where the browser URL field contains a green padlock and organisation’s name, is one of the strongest guarantees you’re using a legitimate business.
To obtain the EV SSL the website owner has undertaken, and passed, a global standardised verification process. This verification process proves the organisation’s existence, confirms their physical location, verifies they’re a legal entity, confirms their business is fully operational and that they have exclusive rights to use the domain displayed in your browser.
The documents submitted in the process to obtain an Extended Validation SSL Certificate prove that an organisation’s details are correct and that it is not a fraudulent brand.
This process to obtain an EV SSL is extensive and can take several days to complete.
For information about EV SSL, see the earlier article – What is an EV SSL Certificate and Do I Need an EV SSL for My Website?
Who Sets the Rules for Validating EV SSL Certificates?
The CA/Browser Forum sets the rules and guidelines for obtaining an EV SSL. The CA/Browser Forum (https://cabforum.org/) (CABF) is a voluntary group of certification authorities and browser software vendors that began in 2005. The group was formed in an effort to provide greater assurance to internet users about the websites they visit by using SSL/TLS certificates. In June 2007, the CA/Browser Forum adopted version 1.0 of the Extended Validation (EV) Guidelines.
What are the Extended Validation (EV) Guidelines?
The extended validation guidelines set out by the CA/Browser Forum (https://cabforum.org/) relate to the operations of the certification authorities, such as Comodo, Symantec, Thawte and GeoTrust, that issue and verify EV certificates.
These CABF guidelines govern the process of validating the identifying information that appears in an EV certificate.
For a company like Comodo, a Certificate Authority (CA), to be qualified to issue EV SSL certificates, it must adopt the CABF extended certificate validation practices and pass a WebTrust audit. See the WebTrust for Certification Authorities program managed by the Chartered Professional Accountants of Canada (http://www.webtrust.org/item64428.aspx).
The CABF extended validation guidelines for Comodo and other certificate authorities also cover other areas of their operations. These include adherence to requirements for their insurance coverage and encryption standards.
Does My Organisation Qualify for an EV SSL Certificate?
According to the CA/Browser Forum guidelines, the Certification Authorities (CAs) can issue Extended Validation (EV) SSL Certificates to:
- Private Organisations
These are organisations with corporate entities behind them, such as entities with suffixes like Pty, Ltd, LLC, Inc, etc.
- Government Entities
These are government organisations like schools, universities, local councils, etc.
- Business Entities
These business entities include general and limited partnership companies and sole proprietors.
See the definitions section below – Entities Eligible to Obtain an EV SSL.
What Verification Do I Need to Get an EV SSL Certificate?
The leading issuing certificate authorities are Comodo, Symantec, Thawte and GeoTrust. In all cases you purchase the certificate first and then prove that your organisation is entitled to use that EV SSL.
Whichever Certificate Authority you choose for your EV SSL Certificate, the processes they use for validation are very similar. Since they all use the Extended Validation guidelines the documents and process should be consistent.
The verification process from your selected certificate authority will generally include the following steps.
1. Verify Organisation
The CA will confirm your organisation’s validity and registration from the following sources.
Official Government Source
Official government agency records will be obtained that include:
- The organisation’s registration number.
- The organisation’s date of registration/incorporation.
- The organisation’s registered address.
Non-Government Data Source
A non-government data source, such as Dun & Bradstreet, will also be used to verify the organisation and the organisation’s place of business address.
2. Verify Operational Existence
The CA must verify the organisation is actually conducting business operations. Generally this means the organisation will have to provide details of an active deposit account with a regulated financial institution. In other words, an active business account with your bank.
If your business is new or has been registered for less than 3 years, it will need to be verified using a bank letter from a regulated financial institution.
Additionally, for new organisations in particular, the CA may request a legal opinion letter to verify operational existence and also confirm the organisation’s registration, address, telephone number and domain name ownership.
3. Verify Physical Address and Phone Number
The CA will generally verify your organisation’s physical existence with the use of a third party database system such as Dun & Bradstreet.
They will verify your telephone number using directory assistance or telephone directories. The CA will also call the number to ensure they can get through to the organisational contact.
4. Verify Domain Ownership
For domain ownership the CA will request domain registrar information. If the domain registrar information is hidden, most CAs will cancel the EV request, so domain privacy should be suspended until the domain ownership verification process is completed.
5. Verify Organisational Contact
The certificate authority will verify the organisational contact listed in the EV SSL order. The contact should be employed by the organisation and have authority to provide the documents and information required for the Extended Validation certificate.
If the organisational contact is listed in government records as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director, or equivalent) then the organisational contact authentication can be approved.
Where the organisational contact is not listed as a corporate officer the CA will require other information for verification. The CA may:
- Verify the organisational contact’s identity and employment through an independent source.
- Verify the organisational contact is authorised to obtain and approve EV certificates on behalf of the organisation by a professional or legal opinion letter.
6. Verify Order
The certificate authority will verify the order and all certificate details with the organisational contact identified in the EV SSL certificate request.
The CA will usually contact the organisational contact using the independently-verified telephone number.
During the verification call, the CA will generally request the following information from the listed contact:
- The name of the certificate requestor identified in the certificate request and his or her authority to obtain the Extended Validation certificate on behalf of the organisation.
- Knowledge of the company’s ownership and right to use the domain identified in the certificate request.
- Approval of the Extended Validation SSL Certificate request.
- Acknowledgement that the CA’s Extended Validation SSL certificate subscriber agreement, which includes all Extended Validation terms and conditions, has been signed.
7. Additional Verification
If a certificate authority is unable to verify any of the required information on your certificate application, they may ask you to provide a professional opinion letter from a lawyer or accountant to verify the information.
Certificate Authorities That Issue EV SSL Certificates
Here are four of the main EV SSL Certificate issuing authorities and links to information on their websites about their EV SSL offerings.
Entities Eligible to Obtain an EV SSL
Private Organisation Definitions
- The private organisation must be a legally recognised entity whose existence was created by a filing with (or an act of) the incorporating or registration agency in its jurisdiction of incorporation or registration (e.g. by issuance of a certificate of incorporation) or is an entity that is chartered by a state or federal regulatory agency.
- The private organisation must have designated with the incorporating or registration agency either a registered agent, or a registered office (as required under the laws of the jurisdiction of incorporation or registration) or an equivalent facility.
- The private organisation must not be designated on the records of the incorporating or registration agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent.
- The private organisation must have a verifiable physical existence and business presence.
- The private organisation’s jurisdiction of incorporation, registration, charter, or license, and/or its place of business must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and the private organisation must not be listed on any government denial list or prohibited list (e.g. trade embargo) under the laws of the CA’s jurisdiction.
Government Entity Definitions
- The legal existence of the government entity must be established by the political subdivision in which such government entity operates.
- The government entity must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction.
- The government entity must not be listed on any government denial list or prohibited list (e.g. trade embargo) under the laws of the CA’s jurisdiction.
Business Entity Definitions
- The business entity must be a legally recognised entity whose formation included the filing of certain forms with the registration agency in its jurisdiction, the issuance or approval by such registration agency of a charter, certificate, or license, and whose existence can be verified with that registration agency.
- The business entity must have a verifiable physical existence and business presence.
- At least one principal individual associated with the business entity must be identified and validated.
- The identified principal individual must attest to the representations made in the subscriber agreement.
- Where the business entity represents itself under an assumed name, the CA must verify the business entity’s use of the assumed name pursuant to the requirements of Section 15 of the EV Guidelines.
- The business entity and the identified principal individual associated with the business entity must not be located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction.
- The business entity and the identified principal individual associated with the business entity must not be listed on any government denial list or prohibited list (e.g. trade embargo) under the laws of the CA’s jurisdiction.
What is a Legal Opinion Letter?
Sometimes a certificate authority may request a Legal Opinion Letter. This is simply an opinion from lawyers issued in letter form that expresses legal conclusions or legal analysis of a matter which is relied on by the addressee of the opinion letter (the certificate authority in this instance). The main purposes of a legal opinion letter are:
- To inform the addressee of the legal effect of a transaction or matter.
- To identify legal risks that the addressee should consider further and evaluate.
If a legal opinion letter is requested, here is an example that Comodo have put together as a guide to the information the letter should contain.
These are the common points a legal opinion letter should cover:
- That [exact company name of Client] (“Company”) is a duly formed [corporation, LLC, etc.] that is “active,” “valid,” “current,” or the equivalent under the laws of the state/province of [name of governing jurisdiction where Client is incorporated or registered] and is not under any legal disability known to the author of this letter.
- That Company conducts business under the assumed name or “dba” [assumed name of Applicant] and has registered such name with the appropriate government agency in the jurisdiction of its place of business below.
- That [name of Client’s Representative] has authority to act on behalf of Company to: [select as appropriate] (a) provide the information about Company required for issuance of the EV Certificates as contained in the attached Application, (b) request one or more EV Certificates and to designate other persons to request EV Certificates, and (c) agree to the relevant contractual obligations contained in the Subscriber Agreement on behalf of Company.
- That Company has a physical presence and its place of business at the following location:
- That Company can be contacted at its stated place of business at the following telephone number:
- That Company has an active current Demand Deposit Account with a regulated financial institution.
- That Company has the exclusive right to use the following domain name in identifying itself on the Internet.