Overview of the Extended Validation SSL/TLS Certificate Requirements and Vetting Process
All Certificate Authorities (CAs) that issue publicly trusted SSL/TLS certificates are bound by the requirements set by the CA/Browser Forum, the industry body that governs certificate issuance. The CA/Browser Forum dictates the approved methods for validation of Domain Control, Organization Registration, and Order Verification.
Because Extended Validation (EV) SSL/TLS certificates require a higher level of vetting, the process for issuing an EV certificate is standardized across all CAs: whichever CA you order from, it is required to complete the same rigorous vetting and documentation before issuing the certificate.
Who can a CA issue EV certificates to?
Per the guidelines defined by the CA/Browser Forum (the EV Guidelines), CAs may issue EV certificates to Private Organizations, Government Entities, and Business Entities that satisfy the requirements specified below:
Private Organizations
The CA may issue EV certificates to Private Organizations that meet the following requirements:
- The Private Organization must be a legally recognized entity whose existence was created by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation) or is an entity that is chartered by a state or federal regulatory agency;
- The Private Organization must have designated with the Incorporating or Registration Agency either a Registered Agent, or a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration) or an equivalent facility;
- The Private Organization must not be designated on the records of the Incorporating or Registration Agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent;
- The Private Organization must have a verifiable physical existence and business presence;
- The Private Organization’s Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
- The Private Organization must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.
Government Entities
The CA may issue EV certificates to Government Entities that satisfy the following requirements:
- The legal existence of the Government Entity must be established by the political subdivision in which such Government Entity operates;
- The Government Entity must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction;
- The Government Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.
Business Entities
The CA may issue EV certificates to Business Entities that do not qualify under the criteria listed for Private Organizations above but that do satisfy the following requirements:
- The Business Entity must be a legally recognized entity whose formation included the filing of certain forms with the Registration Agency in its Jurisdiction, the issuance or approval by such Registration Agency of a charter, certificate, or license, and whose existence can be verified with that Registration Agency;
- The Business Entity must have a verifiable physical existence and business presence;
- At least one Principal Individual associated with the Business Entity must be identified and validated;
- The identified Principal Individual must attest to the representations made in the Subscriber Agreement;
- Where the Business Entity represents itself under an assumed name, the CA must verify the Business Entity’s use of the assumed name;
- The Business Entity and the identified Principal Individual associated with the Business Entity must not be located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction;
- The Business Entity and the identified Principal Individual associated with the Business Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.
The Vetting Process for EV certificates
There are three major steps for the vetting of an EV certificate:
- Organization Validation
- Domain Control Validation
- Order Verification
Organization Validation
The CA will validate that the Organization listed on the EV certificate order is both registered and in good standing with the Incorporating or Registration Agency for its jurisdiction. Also, as part of this step the CA must find a phone listing for the Organization in an approved third party directory (a Qualified Independent Information Source in the EV Guidelines' terms), such as Dun & Bradstreet or Google Business, under the exact name and address of the Organization as listed in its registration. The approved directories vary by country and location, and each contains vetted listings rather than data the applicant asserts about itself; the phone number found here is the one the CA uses for the verification call later in the process.
Domain Control Validation
The CA will require that the Organization demonstrate Domain Control for every domain name listed on the certificate, including each Subject Alternative Name. Domains must be legally registered, and Domain Control Validation can be demonstrated by several methods, including email, a DNS CNAME or TXT record, and File Authorization (a file served from the domain's web server). For a more detailed description of these methods please see this page.
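Before the CA runs its check, it is worth confirming that the DCV record or file is actually in place, since a mistyped token or a record on the wrong name is the most common cause of a stalled order. The script below is an added example, not GeoCerts' or any CA's code: it pre-checks the DNS TXT, DNS CNAME and website-file methods named above against the token the CA issued. The `_dcv` DNS label, the `fileauth.txt` filename and the token format are assumptions (use exactly what your CA gives you); the `/.well-known/pki-validation/` path and the 30-day cap on a random value's lifetime come from the CA/Browser Forum Baseline Requirements. DNS and HTTP lookups are injected as functions, and the sample zone and web content are constructed inline so the whole thing runs offline.

```python
"""Pre-check Domain Control Validation (DCV) before the CA checks it.

Added example, not GeoCerts' or any CA's own tooling. Lookups are injected
so the same code runs against real resolvers or the constructed samples below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Sequence, Tuple

# Path fixed by the CA/Browser Forum Baseline Requirements for the file method.
WELL_KNOWN_PATH = "/.well-known/pki-validation/"
# The Baseline Requirements cap a CA-issued random value at 30 days; a CA may use less.
TOKEN_MAX_AGE = timedelta(days=30)
# Assumed DNS label for the TXT/CNAME methods. CAs differ: use the label yours specifies.
DNS_LABEL = "_dcv"

TxtLookup = Callable[[str], Sequence[str]]
CnameLookup = Callable[[str], Optional[str]]
HttpGet = Callable[[str], Optional[str]]


@dataclass
class DcvChallenge:
    domain: str                      # name on the order; may be a wildcard like *.example.com
    method: str                      # "dns-txt", "dns-cname" or "http-file"
    token: str                       # random value the CA issued for this order
    issued_at: datetime              # when the CA issued the token
    cname_target: str = ""           # dns-cname only: hostname the CA expects as the target
    filename: str = "fileauth.txt"   # assumed default; use the filename the CA specifies


def base_name(domain: str) -> str:
    """A wildcard is validated at the name beneath the '*.' label."""
    return domain[2:] if domain.startswith("*.") else domain


def check_dcv(ch: DcvChallenge, txt_lookup: TxtLookup, cname_lookup: CnameLookup,
              http_get: HttpGet, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for one challenge. Never raises on a missing record."""
    now = now or datetime.now(timezone.utc)
    if now - ch.issued_at > TOKEN_MAX_AGE:
        return False, "token is older than the 30-day limit; request a fresh one from the CA"
    name = base_name(ch.domain)
    if ch.method == "dns-txt":
        # Resolvers often hand TXT strings back quoted; normalise before comparing.
        records = [r.strip('"') for r in txt_lookup(f"{DNS_LABEL}.{name}")]
        if ch.token in records:
            return True, f"TXT record at {DNS_LABEL}.{name} carries the token"
        return False, f"no TXT record at {DNS_LABEL}.{name} equals the token (found {records})"
    if ch.method == "dns-cname":
        target = cname_lookup(f"{DNS_LABEL}.{name}")
        want = ch.cname_target.rstrip(".").lower()
        if target and target.rstrip(".").lower() == want:
            return True, f"CNAME at {DNS_LABEL}.{name} points to {want}"
        return False, f"CNAME at {DNS_LABEL}.{name} is {target!r}, expected {want!r}"
    if ch.method == "http-file":
        if ch.domain.startswith("*."):
            # The Baseline Requirements do not allow the website-file method for wildcards.
            return False, "the website-file method cannot validate a wildcard name; use a DNS method"
        url = f"http://{name}{WELL_KNOWN_PATH}{ch.filename}"
        body = http_get(url)
        if body is None:
            return False, f"{url} is not reachable"
        if body.strip() == ch.token:
            return True, f"{url} serves the token"
        return False, f"{url} exists but its content does not match the token"
    return False, f"unknown DCV method {ch.method!r}"


# Constructed sample zone and web content standing in for live lookups.
SAMPLE_TXT = {"_dcv.example.com": ['"dcv-1a2b3c4d"', '"v=spf1 -all"']}
SAMPLE_CNAME = {"_dcv.example.net": "dcv-1a2b3c4d.validation.example-ca.com."}
SAMPLE_HTTP = {"http://example.com/.well-known/pki-validation/fileauth.txt": "dcv-1a2b3c4d\n"}
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)


def sample_txt(n): return SAMPLE_TXT.get(n.lower(), [])
def sample_cname(n): return SAMPLE_CNAME.get(n.lower())
def sample_http(u): return SAMPLE_HTTP.get(u)


def run_samples() -> dict:
    """One challenge per method plus the two common failure modes; returns name -> (ok, reason)."""
    now = ISSUED + timedelta(days=2)
    cases = {
        "txt": DcvChallenge("example.com", "dns-txt", "dcv-1a2b3c4d", ISSUED),
        "txt-wildcard": DcvChallenge("*.example.com", "dns-txt", "dcv-1a2b3c4d", ISSUED),
        "cname": DcvChallenge("example.net", "dns-cname", "dcv-1a2b3c4d", ISSUED,
                              cname_target="DCV-1A2B3C4D.validation.example-ca.com"),
        "file": DcvChallenge("example.com", "http-file", "dcv-1a2b3c4d", ISSUED),
        "file-wildcard": DcvChallenge("*.example.com", "http-file", "dcv-1a2b3c4d", ISSUED),
        "expired": DcvChallenge("example.com", "dns-txt", "dcv-1a2b3c4d", ISSUED - timedelta(days=40)),
    }
    return {k: check_dcv(c, sample_txt, sample_cname, sample_http, now=now) for k, c in cases.items()}


if __name__ == "__main__":
    for k, (ok, why) in run_samples().items():
        print(f"{k:14} {'PASS' if ok else 'FAIL'}  {why}")
```

To use it against a live domain, pass real lookups in place of the sample ones (for example a wrapper around `dns.resolver.resolve` from dnspython and a small `urllib.request` fetch) and the challenge values from your order. Run the check from outside your own network if you can: the CA resolves and fetches from the public internet, so a record visible only on an internal resolver, or a file behind a redirect to HTTPS with a not-yet-issued certificate, will look fine to you and still fail for the CA.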
Order Verification
When enrolling the EV Certificate order you will list a Company Contact. The CA will call the phone number vetted during the Organization Validation step (not a number supplied on the order) to reach the Company Contact for a final order verification, confirming that the order was placed by the Organization. The Company Contact does not need to be technical in function or skill, but must know that the order has been placed and must be a full time employee of the Organization listed on the certificate. Also, as part of the verification call, the CA will send the contact an email to accept the required Acknowledgement of Agreement (AA) document. The AA documents the terms and obligations of the CA and the Organization regarding the EV certificate.
What Documentation do I need to submit with an EV Order?
No documentation is required to be submitted with an order for an EV certificate. When enrolling the order, please make certain that you list the Organization using the official legal name and address that match its listing with the Incorporating or Registration Agency. This avoids the delay that occurs when the CA has to go back to the Company Contact to confirm the Organization's name and address. The CA can normally find all required information through online data sources; if any questions arise, or online data is not available, the CA will contact the Company Contact listed on the order with instructions for submitting information to complete the vetting.
Also, as part of the order enrollment process you will choose the Domain Control Validation (DCV) method for the domain(s) listed on the order. The DCV method may be updated after the order is in process if necessary.
We're here to help!
GeoCerts is happy to help throughout the process to make sure that your EV certificate is issued as quickly as possible. The normal turnaround time is 2-3 business days. This time can be longer if the CA must wait for the return of information they ask the customer to submit. If you are a reseller enrolling an order for your customer, please make sure that the Full Time Employee of the Organization you list as the Company Contact is aware that the CA may be contacting them for additional information and to complete the Order Verification Phone Call. And as always, please feel free to contact us for any help and support you need.
Additional Resources
- Official EV SSL Certificate Guidelines - CAB Forum
- Wikipedia Extended Validation Certificate (EV)