EV process and its documentation
Practically everybody wants to assure website visitors that the company is real and trustworthy enough to start business and make online payments. Extended validation (EV) certificates are designed for this purpose.
Despite all benefits, a thorough organization check, applicant verification and paperwork are required before the Certificate Authority is able to issue an EV certificate for your company.
The paperwork is an essential part of the validation process, and it might look confusing and vague at first sight. We are going to shed some light on this process here.
Type of organization
Most businesses for which EV SSL certificates are purchased are private organizations. A private organization is an entity which legal existence is created or recognized by a filing with the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g., under a charter, treaty, convention, or an equivalent recognition instrument).
Examples of private organizations are:
- Corporations: with Inc. suffixes (US)
- Limited Liability Companies: LLC (US), Ltd. (UK), Pty. Ltd. (AUS), GmbH (Germany)
- Limited Liability Partnerships, etc.
All validation steps described below are mostly related to private organizations. If you have another type of business, governmental or international organization, we suggest contacting the Comodo (now Sectigo) validation team for additional information. The validation process may differ from case to case for such entities, therefore validation agents will be able to provide you with more precise instructions on this matter.
- Legal existence
First of all, the Certificate Authority must verify that your organization is legally recognized and active through government databases (Secretary of State for US companies, Companies House for UK companies, etc.). If the Comodo (now Sectigo) validation team failed to find your organization, they may ask for the copy of Articles of Incorporation, Certificate of Formation or other business registration document. In this case, the Certificate Authority should make a call to the registration authority and verify if the organization is active or not.
- Physical existence
To check the organization's physical existence and business presence, the Certificate Authority must verify that the physical address provided by the Applicant is an address where the organization conducts business operations (not a mail drop, P.O. box or an address for an agent of the Organization). This address will be included into the body of the SSL certificate after verification.
- Telephone number of the organization
Callback verification is an essential part of the validation process as it allows recognizing and preventing fraudulent attempts to obtain a certificate on behalf of the organization. The Certificate Authority must call the verified organization’s phone number and make sure that: 1) The person mentioned in the Subscriber Agreement did sign the contract with Comodo (now Sectigo); 2) The Contract Signer is a full-time employee authorized to order the certificate on behalf of the organization.
According to the EV guidelines,the physical address and telephone number of an organization must be verified through one of the independent information sources:
- government database
- reliable third-party database (Dun and Bradstreet, Hoovers, Bloomberg, etc.)
- professional opinion letter (legal opinion letter or accountant letter)
As government databases mostly do not allow including the company’s telephone number, we suggest registering your company in the worldwide business database, Dun and Bradstreet.
The registration process is free of charge and usually takes 7-10 days (in some cases, up to 30 days) to allocate a special D-U-N-S number for your organization. You may not be aware of the fact that D&B has already assigned this number to your company based on the information provided by the registration agency or business partners. Fortunately, they have an online search service or a very convenient database with free access where you can check whether your organization is listed or not.
If you do not have time to wait for an update, please consider a Professional Opinion Letter or a domain validation certificate on a temporary basis.
- Operational existence
To make sure that an organization is financially active and engaged in business activities, the Certificate Authority must verify that at least one of the following requirements is met:
- The Organization has been in existence for at least three years
- The Organization is registered in the Dun & Bradstreet database or Qualified Government Tax database
- The Organization has an active demand deposit account which can be proved by a bank statement.
- A professional opinion letter which proves that the Organization has an active demand deposit account with a bank.
Note: To check the progress status and take action to expedite your Certificate issue, use the convenient SSL Validation Tool.
Professional Opinion Letter
If you need to obtain an EV certificate urgently or prefer keeping the company details confidential, it is possible to send a professional opinion letter signed by a Lawyer, Public Notary or Certified Public Accountant. The person who signed the legal opinion or accountant letter should have a valid license within the country where the organization is registered or the country where the organization maintains an office or a physical facility. To expedite the validation process, we highly recommend requesting a Professional Opinion from a person who speaks English so that he or she can confirm the signature during phone verification with a Comodo (now Sectigo CA) validation agent.
Please make sure that the following information is included:
- Legal name of the organization
- Trade name or DBA name (if required)
- Street address
- Telephone number
- Bank account – “Bank Name”, “Account Number”
- Manual or digital signature
- First and last name of the person who signed the letter
The template for a legal opinion or an accountant letter can be downloaded here.
You can find the Legal Opinion and Accountant Letter samples below. It is necessary to replace the underlined information in bold with your own.
Legal Opinion Letter sample (this firm represents Namecheap Inc)
EV Certificate Request No (Comodo/Sectigo order ID) can be found in your Namecheap account by following the next steps:
Log into NC account >> Dashboard >> Domain List >> ensure you have All Products filtered at the top-right side of the screen >> find the domain name for which the EV certificate was activated >> hover on the red padlock icon and click Manage in the pop-up window:
Client is a legal name of the organization as listed in the government database, tax database, etc.
Client Representative is a person who has applied for the certificate on behalf of the organization. We recommend that the Contract Signer is specified in this field.
Application Date is the date when the EV order has been activated for a particular domain name in the Namecheap account.
Accountant Letter sample:
Subscriber Agreement and Certificate Request Form
Subscriber Agreement is a legally valid and enforceable agreement between the Comodo Certificate Authority (now Sectigo CA) and the Organization that binds the Applicant to the terms and conditions of use. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) the officer's signature to establish the authenticity of the company’s website, and that the Organization is responsible for all uses of its EV certificate. The sample can be found below:
Certificate Request Form is a request from an Applicant (Organization) to the CA for obtaining an EV Certificate for a particular domain name(s). You can find the sample where one person is to act in all three roles, Certificate Requester, Certificate Approver and Contract (Subscriber Agreement) Signer below. If the contractor or hosting provider is involved into the EV application process, then it is recommended to use the 'Standard' version of the Certificate Request Form.
Once the Subscriber Agreement is well read and fully understood, and the Certificate Request Form is filled out, you need to sign both documents and submit them here, putting the Sectigo Order ID in subject.
It is possible to resend the Agreement email with the help of Sectigo SSL Validation Tool.
Usually, it takes up to 10 business days to complete the validation process and get an EV SSL certificate issued. The verification process can be definitely shortened to a couple of days, if valid company’s information is listed in a reliable database (government one, D&B, etc.) or a Professional Opinion Letter. Thus, the EV application and validation processes are not so difficult as it seemed in the beginning. We encourage you to apply for an EV certificate in order to get the maximum trust among users and have the advantage among the competitors.
Please visit the official site of CA/Browser Forum which is the regulatory body governing the issuance of EV SSL certificates to find more information.