One of the most important elements of the SSL certificate process is validation. When you purchase a SSL certificate, the Certificate Authority (CA) that's issuing it will put your website or organization through a process called validation. The validation process depends on the type of SSL certificate you purchased and has a direct impact on the level of trust that certificate inspires.
In browsers like Microsoft Edge, Internet explorer, Safari and Opera, full business authentication displays your organization’s name and/or domain name in green color on the address bar, which is formerly known as the 'green address bar'. In Chrome and Firefox, EV SSL displays the organization’s legal operating name and all the details including the name of the certificate authority who issued the certificate when you click on the padlock sign and view the certificate.
Here’s how to validate and get your EV SSL:
1. Domain Control Validation
Domain Validation is fairly simple. You need to prove to the CA that you own and control the domain(s) that you’re requesting.
a. Proof of Right Email
Vendor will also send the authentication to one of five pre-approved email addresses. If you can answer the email on one of these addresses Comodo will consider that proof of ownership. The addresses are:
b. Professional Opinion Letter
Sometimes called a Legal Opinion Letter, is a document that authoritatively declares your company or organization is a legitimate legal entity. If you have an accredited accountant or attorney close by you can get them to fill out and notarize a form that states you own the domain, which is supplied by the CA. This also works for satisfying this requirement.
Keep in mind, the information contained the Professional Opinion Letter needs to be 100% accurate and up to date. Any mistakes will cause delays in issuance of your SSL certificate and could even affect the accreditation of the professional that signed it. The CPA/Attorney needs to be registered with the applicable board/authority for their location and CA needs to be able to locate their phone number to do a verification check.
2. EV Enrolment Forms and Other Legal Documents
The enrollment form (sometimes referred to as an Acknowledgement of Agreement) is just a single page and just requires a little bit of information about your organization, as well as you and a designated contact that can verify your employment. It wants information like the contact's official title, their signature, the date and the place of signing. And despite the digital nature of the product you're purchasing, digital signatures are not accepted. Stamped signatures aren't either. Instead, you'll have to print the forms below and sign them for real. Then, you can scan and return completed forms to CA via email.
a. Certificate Subscriber Agreement
Accept the Certificate Subscriber Agreement provided by CA, reading the information carefully, filing out all necessary information.
b. EV Certificate Request
The request form that you need to submit for EV SSL Certificates.
3. Locality Presence
The Locality Presence requirement is a part of Organization Validation. CA will attempt to check your registration information in your local online government database. It will check the details listed in the government database against the details you provided and make sure they match. Again, that's why it's so important to make sure everything is correct in your CSR. Any mistake will cause a delay in issuance.
Not all online directories are accepted and the certificate authorities don’t publicly disclose a list of all of their acceptable online directories. However, you can also utilize another method to prove your locality presence:
a. Official Registration Documents
The CAs will accept documents from your local government (city, state or country) that verify the information you provided them during enrollment. This includes documents such as articles of incorporation, chartered licenses and DBA statements.
b. Dun & Bradstreet
Financial organization that does financial reporting on other businesses. Providing a DUNS credit report will satisfy the Locality Presence requirement.
c. Professional Opinion Letters
Sometimes called a Legal Opinion Letter, is a document in which an accountant or attorney (they must be in good standing) verifies the legitimacy of your business.
4. Telephone Verification
Telephone verification is easy-just make sure you have an active telephone listing that’s verifiable by an acceptable online telephone directory. The listing must display the exact same business name and physical address as you’ve already had verified. The first way CA is going to attempt to verify your telephone number is by checking your local online government database. This way they can verify that the request for the SSL was made by someone from your company and is legitimate.
Unfortunately, the majority of government databases don’t display the phone number. This complicates things a bit for the CA, but not for you, as long as your organization does have a number listed. If you don't have your number listed in one of those directories and it's not publicly available in a government database, you still have other options:
a. Third-Party Directory
The CAs can use an existing or new telephone listing from an acceptable third-party directory. Examples of these accepted directories include the Yellow Pages, Scoot, 192.com, etc. But keep in mind, the business name and physical address must be exactly the same.
Kindly take note that Sectigo is no longer accept third-party directories for this requirement, failing a search of an Online Government Database, Sectigo will only accept POLs, Dun & Bradstreet reports or BBB listings.
b. Professional Opinion Letters
A legal opinion letter, which is sometimes called a POL or professional opinion letter, is a document in which an accountant or attorney (they must be in good standing) verifies the legitimacy of your business.
5. Organization Authentication
CA is going to take a look at your registration information and try to verify that your business is registered and active in your location. So, when you fill out your CSR and provide CA details before validation, it's really important that you double-check that everything is correct. Even a single typo can cause a delay in issuance. Additionally, if you operate under any trade names, assumed names or DBAs, all of that registration information needs to be up to date and accurate, too. CA will check your local government's online databases and check the details you supplied against the details that are listed.
If your company's registration information isn't listed online, you may provide anything that has been issued by your government, whether it's articles of incorporation, a chartered license or a DBA statement. You may also get a Professional Opinion Letter or use a Dun & Bradstreet listing.
6. Final Verification Call
The Final Verification phone call is the final validation step. CA simply needs to call either the person that made the order, or the specified company contact to verify some details. It's really just a matter of answering your phone.
If you don't answer the company phone line, CA understands that this is going to be case most of the time. Basically you just need to make sure that CA can connect with you via the company phone line. Whether that means having a co-worker put his hand over the receiver and call your name down the hall or working through the phone system, CA will attempt it.
a. Extension or Interactive Voice Response
If you have an extension, CA will dial it. So make sure that your extension is either listed or you need to provide it to CA.
b. Transfer or Alternative Number
The person who answers your company's listed phone number can also connect CA with your phone, or else provide an alternative number.
Now just answer the CA's questions and your certificate will be emailed to you in no time.