When you begin to look for an SSL Certificate to secure your website, where do you begin? With so many brands and different validation types, it's hard to figure it all out.
When it comes to choosing an SSL Certificate, it hard enough to decide on a brand let alone figuring out what Organization Validation (OV), Domain Validation (DV) or Extended Validation (EV) Means so we’ve written this blog article to help you out.
Domain Validation simply means that you need to verify you are the owner of the given domain you want to obtain an SSL certificate for. In order to be validated, you can verify by uploading a specific file given to you after you place your order or by email. During checkout, you will see a list of email addresses that you can use for verification purposes. These types of certificates are generally issues within 10 minutes or less.
Organization Validation is the process of not only validating that you own your domain name but it also ensures your business is registered. In order to pass validation, you must supply Sectigo or Geotrust with the following additional information:
Verify Identity and Address
If Applicant is an Organization (corporation, government agency, registered business entity, etc.): The Issuer MUST verify Identity through one of the following (these may also be used to verify address if it's included):
A. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition; B. A third party database that is periodically updated and considered a Reliable Data Source (see QIIS below);
C. A site visit by the CA or a third party who is acting as an agent for the CA; or
D. An Attestation Letter.
QIIS (Qualified Independent Information Source)
UK - http://www.companieshouse.gov.uk/
The following is accepted as long as the identity has been verified:
A. Articles of Incorporation (with address)
B. Government Issued Business License (with address)
C. Copy of a recent company bank statement (you may blacken out the Account Number)
D. Copy of a recent company phone bill
E. Copy of a recent major utility bill of the company (i.e. power bill, water bill, etc.) or current lease agreement for the company
If the Applicant is an Individual:
Sectigo and Geotrust MUST obtain ALL of the following:
A. Copy of a valid driver's license or passport of the Applicant
B. Copy of a recent major utility bill (i.e. power bill, water bill, etc.) or bank statement of the Applicant
Note: If the Driver’s License and Passport is not listing any address details or those details do not match with the account, then you will need to provide A. and 2 docs from B.
*Note: Recent=dated within the last 6 months
Step 2 – WhoIs Verification (Registrant company name and address)
Step 3 - DCV (Domain Control Validation)
Step 4 – Callback to a Verified Telephone Number (to verify applicant)
The phone number MUST be verified via one of the following:
A. Government database (QGIS)
B. Other third party database (QIIS)
C. Verified legal opinion or accountant letter.
Once the phone number is verified Sectigo or Geotrust validation staff will call the Applicant to verify the authenticity of the certificate request. Following successful completion of the elements above the certificate will be signed and released.
It usually takes 1-3 business days to complete this process
Extended Validation certificates are the hardest to get but they provide the most trust among your visitors. This type of certificate will display the green bar in the browser that you see for banks, large corporations, etc.
ALL requirements for EV Certificates MUST be verified directly with the government registration authority, or a Qualified Independent Information Source, or via a legal opinion or accountant letter as applicable. The basic verification requirements are:
A. Verify Legal Existence and Identity. This entails verifying the organization registration directly with the incorporating or registration agency.
B. Verify Trade/Assumed Name as applicable.
Only applicable if company does business under a name which is different from the official name of their corporation. Trade name must be registered and verifiable.
C. Verify Operational Existence
This means that we must verify that the company is able to conduct business operations. Typically this means that the company has a current active demand deposit account with a regulated financial institution. D. Verify Physical address and organization phone number
E. Verify Domain ownership
F. Verify the name, title, authority and signature of the person(s) involved in requesting the certificate and agreeing to the terms and conditions.
This process typically takes 1-5 business days to complete the process