Understanding the SSL Validation Process with FAQs


Explore what the three types of SSL validation are, and learn how to verify whether your certificate’s validation was successful on your site and how to validate an SSL certificate through a trusted CA.

“Hey, I just bought an SSL certificate for my domain name, but my website is still not showing the padlock sign. Is there a technical error in my certificate?”

We hear this every day from customers who are buying SSL/TLS certificates for the first time. When we inform them about the certificate signing request (CSR) generation, SSL validation and installation processes, they get flustered — which is quite normal. That’s because they think it’s going to be a painful and drawn-out process, but it’s really not (as you’ll soon discover).

So, whether you’ve already purchased an SSL certificate and are looking for its activation procedures or are planning to buy a new one, this article will help you navigate the entire SSL validation and authentication process. For the other two parts of the SSL activation steps, check out these two resources on CSR generation and SSL certificate installation.

What Is SSL Validation?

There’s going to be a two-part answer to this particular question.

First, some people who search for answers to this question online are looking for something that’s known as an SSL certificate checker. This tool is useful for trying to validate that a certificate is properly installed and that there aren’t any issues from the installation process. For example, here’s what it looks like when you search for a website using our SSL certificate checker:

Graphic: A screenshot from the SSL validation certificate checker website.
You can use SectigoStore.com’s SSL certificate checker tool to verify whether your SSL certificate was installed properly.

The second reason why people ask this question is typically because they’re trying to learn more about what SSL validation is in terms of the certificates themselves.

When you buy an SSL certificate, it doesn’t get installed on your server automatically. You must prove to the certificate authority (CA) that you control the domain for which you have applied for the certificate.

For a business authenticated SSL certificate, the CA also verifies whether your website is backed by and belongs to a genuine business. The process of validating domain ownership and the business’s genuineness is called the SSL validation (also known as SSL authentication) process.

To learn about the technical side of it, scroll down to the FAQ section.

The 3 Types of SSL Validation Levels

SSL certificates can be classified into three categories according to their validation requirements:

1) Domain Validation (DV): This process enables you to prove domain ownership (and nothing else).

2) Organization Validation (OV): This process involves both DV and business authentication.

3) Extended Validation (EV): This process involves both domain and organization validation, plus your organization must be at least three years old and in good standing.

If you’re not sure which SSL certificate (DV, OV, EV) you bought, please contact your certificate provider and ask them. In general, if there isn’t any validation information stipulated on the certificate, it’s a basic DV SSL certificate.
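One way to check the validation level yourself, as an added example that is not part of the original article: the Python sketch below reads a certificate's Subject fields (in the layout returned by the standard library's ssl.getpeercert()) and infers DV, OV or EV from the identity information present. The sample subjects, hostnames and organization names are constructed, and the field-based rule is a heuristic assumption rather than the CA's own classification.

```python
import socket
import ssl

# EV subjects carry registration attributes besides the organization name.
# Older OpenSSL builds print the jurisdiction country as a dotted OID.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName",
              "1.3.6.1.4.1.311.60.2.1.3"}

# Constructed sample subjects in ssl.getpeercert() layout (not real sites).
SAMPLE_DV = {"subject": ((("commonName", "blog.example"),),)}
SAMPLE_OV = {"subject": (
    (("countryName", "US"),),
    (("stateOrProvinceName", "Florida"),),
    (("organizationName", "Example Widgets LLC"),),
    (("commonName", "shop.example"),),
)}
SAMPLE_EV = {"subject": (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "0000000"),),
    (("organizationName", "Example Bank N.A."),),
    (("commonName", "www.bank.example"),),
)}


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {name: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields


def validation_level(cert):
    """Return ('DV' | 'OV' | 'EV', organization name or None)."""
    fields = subject_fields(cert)
    org = fields.get("organizationName", [None])[0]
    if org is None:
        # No validated identity on the certificate: domain validation only.
        return "DV", None
    if EV_MARKERS.intersection(fields) and "serialNumber" in fields:
        return "EV", org
    return "OV", org


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate. The default context also verifies the chain
    and hostname, so a broken installation raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    certs = [fetch_cert(h) for h in sys.argv[1:]] or [SAMPLE_DV, SAMPLE_OV, SAMPLE_EV]
    for cert in certs:
        print(validation_level(cert))
```

Run it with one or more hostnames as arguments to inspect live sites; with no arguments it classifies the constructed samples.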

How to Complete the SSL Authentication Process

Let’s understand the steps involved in each type of SSL validation process.

Breaking Down the Domain Validation Process

This basic SSL validation type enables you to prove your domain ownership. The SSL certificates that require only domain validation are known as DV SSL certificates. Here, the CA verifies whether the public key (CSR code) you sent to the CA actually belongs to the server where the claimed website is hosted. There are two ways the CA verifies your ownership:

1. Email Verification

The CA sends you an email with a verification link to an email address that only a legitimate person can access. The link can be sent to one of these five (chosen by you) email addresses.

They don’t send emails to generic Gmail, Yahoo, or Hotmail email addresses. Once you receive the email, you just need to click on the verification link, and you’re done!

2. File Verification

Here, the CA will send some files and instruct you to upload them to a specific folder within the root directory. If you can’t get or afford an email address with your domain name from your hosting company or Google suite, you can choose this option in lieu of the email SSL validation process.

Breaking Down the Organization Validation Process

If you buy an OV SSL certificate, you must follow all the steps of DV SSL certificate, plus go through an additional business verification process. This helps you to assert identity in a more profound way to help gain the trust of your site users.

The OV requirements are as follows:

1. Complete the Enrollment Form

After purchasing an OV SSL certificate, the CA will send you an enrollment form via email. You need to fill out the following details on the form:

  • The company’s registration information.
  • The organization’s name. If your organization is working under trade names, assumed names, or DBAs, you must state that in the form.
  • The organization’s locality information (same as in registration papers) that shows it has a physical presence in a specific city, state or country.
  • An official phone number to contact the organization directly.
  • The full name of the organizational contact and their official title.
  • The organizational contact’s signature and the date and place of signing.

You’ll have to print the form out, sign it, and then either scan or fax the document back to the CA. (No electronic transfer is allowed.)

2. Await Organization Authentication

The CA’s staff will manually check whether your organization is registered and active within your territory. They will check online government databases in your local municipality, state, or country that publicly display your business entity’s registration status. If all the details match and the CA is satisfied, you’re good to go.

3. Prove Locality Presence

The CA will verify whether your company has an active legal, physical presence in its registered location. They will check the relevant online government database to verify the registration details – the city/state/country of your company.

4. Complete Telephone Verification

The CA will verify the phone number that you have listed in the enrollment form by checking online government databases. If they can’t verify your number from there, they will check an online phone directory or a third-party directory such as Kompass, Infobel, Yellow Pages, etc. The listing must display the exact same business name and physical address as they have already verified.

5. Await Domain Authentication

By this time, you’ve completed all the steps of domain verification (email or file verification). However, there are some additional steps involved with organization validation. Here, the CA will check the WHOIS records to verify that your company owns the domain.

However, most of the hosting companies offer a service named “domain privacy” for a small fee to hide your information from WHOIS records. If you have opted for that service, you must request your hosting provider to keep your WHOIS records open until your SSL authentication is completed.

Important Note: If there’s any discrepancy in the information (if the CA finds something fishy during the SSL authentication process in the above three verifications), or if you want to keep your WHOIS records private, you will be asked to provide one of the following.

  • Official registration documents
  • Dun & Bradstreet credit report
  • Legal Opinion Letters, or Professional Opinion Letters (POLs) obtained by a lawyer or an accountant

6. Complete the Final Verification Call

The CA will call your office number and talk to an authorized person (or the one who applied for the SSL certificate) to confirm the details of the order. If you don’t have a direct number and use extensions or Interactive Voice Response (IVR), the CA will reach out to you using them, too.

If all these 6 SSL verification steps are completed successfully, the CA will issue you an OV SSL certificate.

Breaking Down the Extended Validation Process

There is a thin line between organization validation and extended validation as far as the verification process is concerned. You need to go through all the steps of DV and OV, but after that, you must prove your organization’s operational existence.

What We Mean by ‘Operational Existence’

The CA must confirm that your company has been operating in the market for three or more years. Once again, the CA will verify your company’s operational existence just by checking an online government database — either in your local municipality, state, or country — that displays your incorporation date.

  • If your company is situated in a place whose municipality doesn’t keep online records, you need to provide official registration documents in which the date of incorporation is mentioned.
  • If your company is younger than three years but it’s well-established and in good standing, you can still get an EV SSL certificate. All you need to do is provide additional documents such as:
    • A Dun & Bradstreet credit report,
    • A legal opinion letter, or
    • A confirmation letter from the bank in which your organization has an active checking account.

Note: You don’t need to provide all the documents. Generally, the CA will let you know which documents you need to provide. The requirement varies on a case-by-case basis.

SSL Validation FAQs

Now, we’d like to take a few moments to answer some of the most commonly asked questions relating to SSL validation.

Which type of SSL certificate should I buy?

Domain validation: DV SSL validation certificates are ideal for blogs, personal websites, small-business websites, and informative sites. Basically, any website that doesn’t deal with customers’ financial information (payment card numbers) or sensitive details.

Organizational validation: OV SSL validation certificates are best suited for non-profits, educational institutes, medium scale businesses, and ecommerce websites as a minimum. Basically, any businesses or organizations that deal with their users’ sensitive information.

Extended validation: EV SSL validation certificates are best suited for healthcare institutions, eCommerce websites, military/government websites, large scale enterprises with high traffic, etc. If you’re dealing with your customers’ financial information or sensitive healthcare information, transferring internal information such as trade secrets, employee’s personally identifiable information (PII), sensitive political and government-related information, then you should be using an EV SSL certificate to provide the highest level of validation and authentication.

What if I’m running an online store but don’t qualify for an OV or EV SSL certificate?

These days, people start and operate their online businesses from home. It’s quite common for businesses that deal in homemade products, designer clothes, artwork, accessories, etc. These businesses frequently have neither an office nor registration with the government. If that is the case, you have to go for domain validated (DV) SSL certificates only. It would be risky, but it’s not illegal (yet) to use DV certs for websites handling users’ financial information. But as soon as you register your business, don’t forget to switch your SSL certificate from DV to OV.

What is the price difference among all three SSL authentications?

DV SSL certificates are the cheapest. They cost as little as $8.78/year.

OV has a medium-priced range, with a starting price of $30.80/year.

EV SSL certificates are the most expensive ones, starting from $79.84.

Is there any hidden SSL authentication cost for business validated SSL certificates?

No. CAs aren’t going to charge you anything extra for the validation process. The cost of SSL authentication is, by default, included in the certificate’s price. That’s why they are more expensive than DV SSL certificates. Even if your data is not up to date in the online government directories and the CA needs to go the extra mile to request and vet the physical documents, there are no additional charges or penalties. This responsibility is just par for the course for CAs, and they understand that and factor it into their SSL certificate prices.

How much time does SSL validation take?

Domain validation: Within minutes. (Basically, as soon as you click on the verification link or place the files on the root directory.)

Organization Validation: 1-3 days.

Extended Validation: 1-5 days.

How long is SSL authentication valid?

You must renew your SSL certificate after two years and go through the SSL validation process again at the time of renewal, although this changes to one year starting Sept. 1, 2020. So, for example, even if you have bought an SSL certificate for five years, according to the CA/B Forum’s guidelines, you must reissue it after two years (i.e., you must go through the CSR generation, SSL validation, and installation process once again).

However, it’s important to note that if you haven’t changed your certificate authority and business information (physical address, phone numbers, etc.), this second OV/EV process will be way quicker than the first time around. Of course, using a reliable certificate manager also can help enterprises with managing all of their SSL certificates (and other digital certificates) at scale.

Also, the same rule applies to all the CAs regardless of which brand you choose. So, if a CA, reseller, or hosting site tells you different, they’re providing you with the wrong information that can result in downtime or costly non-compliance penalties.

Will I get a green address bar with an extended validated SSL certificate?

Yes and no! Some browsers, such as Internet Explorer, Safari, Microsoft Edge, and Opera, are still showing a green bar (organization’s legally registered name on the address bar in the green color).

Graphic: Screenshot of the SSL validation security padlock for the official Wells Fargo website

Google Chrome and Firefox have recently changed their policies for the green bar, and now they are showing the organization’s name on the certificate itself. Anyone can see it after clicking on the padlock sign:

Graphic: A screenshot of SSL validation information for Wells Fargo as an organization using an EV SSL certificate

What happens if my business can’t pass the business validation process?

If a CA finds anything fishy while validating your company’s information, they won’t issue an SSL certificate to your website. But that happens only in rare cases for legitimate businesses. If your business is genuine and all the information you have provided is accurate, you don’t need to worry about anything.

The general rule is that if a CA denies issuing you the certificate, you generally lose your money. But if you have bought your certificate from SectigoStore, we will give you 100% money-back if you encounter any issues within 30 days of the purchase. 

Who should I contact if I run into some issues during the SSL validation process?

If you have bought a Sectigo SSL certificate from SectigoStore.com, you can either contact our customer care team or Sectigo CA directly. At SectigoStore.com, we provide 24/7 live customer support via chat, phone, and email.

What if the CA makes any errors in the validation process?

If that happens, the SSL warranty comes in handy. Below is Sectigo’s warranty policy:

“Should we fail to properly validate the information contained in a digital certificate and our failure causes the end-user to lose money (in connection with a fraudulent online credit card transaction), then the end-user may have a claim to recovery under our certificate warranty.”

For more details, check out Sectigo’s Warranty Guidelines.

Is SSL validation compulsory? Can I omit the authentication step?

According to the CA/B Forum’s regulations, SSL authentication is mandatory, and hence, no legit CA can issue you an SSL certificate before you complete the validation process.

What role does SSL validation play in website security?

Anyone can buy an SSL certificate for any domain they want! It’s the SSL authentication process where you have to prove that you actually control the domain and represent a genuine business to the CA.

When a CA issues an SSL certificate to your domain name, it ties your server’s public key to a hostname (i.e., a domain name). So, for example, when a CA issues an SSL certificate for amazon.com, it attaches Amazon’s server’s public key to the certificate and writes “hostname” as “amazon.com” on it. Now, when someone tries to open amazon.com, their browser simply checks the website’s SSL certificate and redirects all the traffic to Amazon’s server. Only Amazon’s server can decrypt the traffic because it has the unique corresponding private key.

As you can see, attaching the right public key to the right hostname is a crucial thing. If the CA ties the wrong server’s public key, all the traffic will be redirected to the wrong server. Now how would the CA know your domain’s public key? Because you’ll send it to the CA during the CSR generation process.

So, how would the CA know whether the public key you provided actually belongs to the domain you control? Here’s where SSL validation comes into play. It’s only through the validation process that the CA gets an idea of whether you are providing them the right public key.

What is the CA’s risk in the SSL validation process?

Once the CA attaches the public key to a hostname, it signs the SSL certificate with its own intermediate root certificate’s private key. This means that the CA vouches for the authenticity of the SSL certificate. The web browser simply checks the CA’s signature against its trusted root store and trusts the certificate and the details it contains.

Hence, if the CA makes a mistake in attaching the keys, and if someone suffers a financial loss due to such a mistake, the CA must reimburse the legal penalty up to the warranty amount to the victim.

Final Thoughts

SSL cert validation is there for the security of your domain and your website visitors. No browser will trust your website’s SSL certificate if you use a certificate that doesn’t require any sort of validation, for example, a self-signed certificate. And as we said earlier, you will receive all the needed support from us if you get stuck at any part of the SSL validation process.

About the author

Medha is a regular contributor to InfoSec Insights. She's a tech enthusiast and writes about technology, website security, cryptography, cyber security, and data protection.