Are you planning to buy an SSL/TLS certificate for your website? The first question you might face is the level of SSL validation you want. It’s natural to have questions about the validation process for your SSL certificate. This is a brief SSL validation guide for EV, DV, and OV SSL certificates that will help you get through the process swiftly.
What Are the Benefits of Having an SSL Certificate?
SSL certificates are not so much a “recommendation” as they are a necessity for a successful website. SSL certificates basically serve two purposes:
- Encryption. SSL certificates (or, more accurately, TLS certificates) encrypt data while it’s in transit between your customer’s computers and your servers.
- Authentication. Having an SSL/TLS certificate for your site authenticates the identity of your business website. It does this through the use of a trusted third party known as a certificate authority (CA).
An SSL certificate is easy to spot on the address bar. The padlock and “HTTPS” in your web address bar, as well as a site seal, are a few of the signs indicating that a CA has validated your website. When a client sees these signs, it becomes obvious that the site is verified and is genuine. This helps customers place their trust in your business and promote it.
SSL Validation for Domain Validation (DV) Certificates
This is the basic SSL certificate, which only verifies that the domain belongs to you. The client sends the certificate signing request (CSR) code or the public key to their chosen certificate authority for verification. This kind of SSL certificate validates online automatically, which means that the certificate is issued within minutes. The CA verifies that this key is actually coming from the server on which the website is hosted. There are three methods that a CA can use to verify this fact:
1. Email Verification
The CA sends a link to an email address that is accessible to a legitimate person only. The registered email address should be hosted on the domain for which the certificate is being requested and not generic email hosting accounts like Gmail, Yahoo, etc. The email address also should be listed on the WHOIS record of your domain. The CA will accept one of the five pre-defined email addresses that you can select:
Once you click on the link sent by the CA, your verification will be complete.
2. File Verification
If your web host plan or your domain does not offer you an email address, you will not be able to complete the email verification step. The alternative is to go for file verification. In this process, the CA will send you one or more files that you will have to upload to a specific place within your site’s root directory. Once you do this, your verification will be complete.
3. CNAME-Based Verification
A canonical name (CNAME) record is a type of record in your DNS (Domain Name System) that maps one domain name (an alias) to another (the canonical name).
To clarify the above, suppose you have the same application and the same server host for yoursite.com and www.yoursite.com. You can create a record for yoursite.com that points to the server and a CNAME record for www.yoursite.com that points to yoursite.com. This removes duplicate records, and both addresses resolve to the same IP address.
For CNAME-based verification, you create a CNAME record in your DNS that points back to the CA for the verification. The CA will share two hashes with you, namely MD5 and SHA-256. You enter the two hashes in your CNAME DNS record, which allows the CA to complete the verification.
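A pre-submission check for the CNAME method, added here as an example (not the CA's or this site's code): it derives the record from the CSR and compares it with a zone-file export. The record layout (hashes taken over the DER-encoded CSR, a `_<MD5>` alias, the SHA-256 split into two labels) and the zone `ca-validation.example` are assumptions; the exact values your CA gives you take precedence.

```python
import base64
import hashlib

CA_ZONE = "ca-validation.example"  # hypothetical CA-owned zone (placeholder)
# Constructed stand-in for a CSR: arbitrary bytes in PEM armour, not a real request.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(b"constructed CSR bytes for illustration").decode()
    + "\n-----END CERTIFICATE REQUEST-----\n"
)


def csr_der(pem: str) -> bytes:
    """Strip the PEM armour; the hashes are assumed to cover the DER bytes."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def expected_cname(pem: str, domain: str) -> tuple:
    """Return (alias, target) under the assumed record layout."""
    der = csr_der(pem)
    # MD5 is only a record label here, not a security control.
    md5 = hashlib.md5(der, usedforsecurity=False).hexdigest()
    sha = hashlib.sha256(der).hexdigest()
    # SHA-256 hex is 64 chars; a DNS label holds at most 63, so split it.
    return f"_{md5}.{domain}", f"{sha[:32]}.{sha[32:]}.{CA_ZONE}"


def check_zone(zone_text: str, pem: str, domain: str) -> str:
    """Return 'ok', 'wrong-target' or 'missing' for a zone-file export."""
    alias, target = (s.lower() for s in expected_cname(pem, domain))
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if len(fields) < 3 or "CNAME" not in (f.upper() for f in fields):
            continue
        name = fields[0].rstrip(".").lower()
        value = fields[-1].rstrip(".").lower()
        if name == alias:
            return "ok" if value == target else "wrong-target"
    return "missing"


if __name__ == "__main__":
    alias, target = expected_cname(SAMPLE_CSR_PEM, "yoursite.com")
    zone = f"{alias}. 3600 IN CNAME {target}.\n"  # constructed zone line
    print(check_zone(zone, SAMPLE_CSR_PEM, "yoursite.com"))
```

A "wrong-target" result usually means the record was published for an earlier CSR; regenerating the CSR changes both hashes.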
Any one of the above verification methods is sufficient for the domain validation process. If you think domain validation is the right option for you, you can get your DV SSL certificate within a matter of minutes by purchasing it from a reputable CA like Sectigo.
SSL Validation for Organization Validation (OV) Certificates
When you want better verification and trust than what a DV certificate can provide, you can go one step further by getting organization SSL validation.
OV SSL certificate validation is what we call “business validation,” and it falls between the DV and EV SSL certificate validation levels. In addition to checking domain validation, the CA will conduct additional verification of your business or organization to ensure it’s legitimate. As you can imagine, this means your business needs to meet certain requirements. The requirements of OV SSL validation are as follows:
1. Organization Authentication
Organization authentication is done by the CA to check whether you’re a legitimate legal entity that is registered and active in the state or country you claim. As part of this process, the CA will check the address you provide against official online government databases. If there are no public government records that substantiate your organization’s existence, then the CA can verify your information through alternative methods.
Official Registration Documents
Official registration documents include Articles of Incorporation, chartered licenses, or other documents issued by the government to prove your legality. These documents include:
- Dun & Bradstreet Reports. Dun & Bradstreet is a firm that’s known for their reliability and trustworthiness. What they do is provide financial reports on companies to help reduce risks. Their report satisfies more than one requirement of the CA for you to obtain the OV certification.
- Professional Opinion Letters (POLs). Professional opinion letters, or what are known as legal opinion Letters, are highly valued by CAs for the authentication of your organization. They can fulfill many requirements for both OV and EV SSL validation. POLs can be obtained from accredited attorneys or accountants who can vouch for the legitimacy of your enterprise. A signed POL can effectively satisfy four out of five requirements of OV SSL validation.
2. Locality Presence
For the purpose of locality presence, the CA will need proof of your active local presence. You can either prove your presence through your registration information on the public government records or the other alternatives mentioned for organization authentication. The CA will verify these against your application and will give you the go-ahead.
3. Telephone Verification
The CA will want to verify your telephone number is legitimate by comparing it to government public records. If it’s not on these records, a CA can also rely on third-party directories. If the telephone number matches, this verification step is complete.
If they are not able to verify it through any of the above, you’ll get a chance to submit either a POL or a Dun & Bradstreet credit report to fulfill this requirement.
4. Domain Control Verification
Domain verification is the simplest step in the SSL verification process, and the CA will follow the same process as in DV. Alternatively, you can also get a POL to complete this step.
5. Final Verification Call
After all the above verifications are done, a CA representative will call to confirm all of the details you have submitted. They’ll either speak with you or your organization’s designated point of contact. This is a straightforward call to verify and confirm all the information on the form you submitted. It will take only a few minutes to complete this step.
Once you have duly fulfilled the five-step requirement, the CA will issue an OV SSL certificate to you. It might take one to three days to verify, but the whole purpose of OV is to assure your clients that they can trust your website.
Extended Validation (EV) SSL Validation
Extended validation is the highest form of SSL certificate validation. After HTTPS validation, an entity can earn the trust of its clients to the fullest. A POL or a Dun & Bradstreet credit report will satisfy most of the requirements of EV.
In order to give you an EV SSL certificate, a CA will need to go through the following steps. Most of the steps are common to organization validation, but we’ll explain the other steps here:
1. Organization Authentication
Organization authentication is done in a similar way as in OV. The CA verifies whether your business is active in the same street, city, and country as you claim. First, the government’s official records are checked. If no online government records are found, then the CA will resort to other forms of verification such as a D&B report or POL.
2. Enrollment Form (i.e., an Acknowledgement Agreement)
This is an additional requirement on top of the OV requirements. The CA will provide you with an enrollment form. It will contain information about you and your organization. You must print this form and sign it in person. The CA will not accept a stamped or a digital signature on this form.
3. Operational Existence
The major prerequisite for an EV is that the entity should be in operation and in good standing for at least three years. You can submit the standard registration documents, or POL, or D&B credit report to prove your position. Alternatively, the CA will also accept a letter from your bank to confirm your existence.
4. Physical Address
An EV certificate is issued after thorough verification of the business enterprise. This is why the CA verifies the exact location of the business enterprise for the physical address verification, as opposed to just the state verification in the case of OV.
This can be done either through public records of the government or through other common methods of verification.
5. Telephone Verification
Telephone verification is done by checking online government records. If the number you claim is yours doesn’t match the online records, then the CA will check other popular third-party resources like YellowPages or Scoot.
If these trials fail, the CA will still consider your telephone verification complete if you can provide a valid D&B report or POL.
6. Domain Control Validation
Any kind of certificate, whether DV, EV, or OV, will require you to prove that you genuinely own the domain. The CA will verify the domain in the same way as in the other two types of verification.
7. Final Verification Call
There is a difference between the telephone verification and the final verification call. In telephone verification, the telephone number will be verified. If the CA can verify that your phone number is legitimate, then the telephone verification is done. The final verification call, however, is something that occurs after all of the other steps mentioned above are complete.
In this call, the CA or its representative will call you on your number. If you are not present, either they will call you again or you can nominate a responsible person to talk to the CA in your stead. The CA will ask specific questions such as your name, your address, your domain name, etc., the basic questions from your application. If the answers match, the CA will issue the EV certificate to you.
Which Validation Is Good for Your Business or Organization?
Depending on the size and type of your business, you can choose the type of validation that is most suitable for you. The type of validation will also depend on whether you’re planning to accept online payments. For example, if you’re planning to accept online payments, you should get an OV certificate as the absolute minimum (EV is recommended). Certificate authorities like Sectigo offer many options for any kind of verification you need.