EV process and its documentation

Introduction

Practically everybody wants to assure website visitors that the company is real and trustworthy enough to start business and make online payments. Extended validation (EV) certificates are designed for this purpose.

Despite all the benefits, a thorough organization check, applicant verification and paperwork are required before the Certificate Authority can issue an EV certificate for your company.

The paperwork is an essential part of the validation process, and it might look confusing and vague at first sight. We are going to shed some light on this process here.

Type of organization

Most businesses for which EV SSL certificates are purchased are private organizations. A private organization is an entity which legal existence is created or recognized by a filing with the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g., under a charter, treaty, convention, or an equivalent recognition instrument).

Here are the examples of private organizations:

  • Corporations: with Inc. suffixes (US)
  • Limited Liability Companies: LLC (US), Ltd. (UK), Pty. Ltd. (AUS), GmbH (Germany)
  • Limited Liability Partnerships, etc.

Validation process

All validation steps described below are mostly related to private organizations. If you have another type of business, governmental or international organization, we suggest contacting the Sectigo validation team for additional information. The validation process may differ from case to case for such entities, therefore validation agents will be able to provide you with more precise instructions on this matter.

  1. Legal existence

    First of all, the Certificate Authority must verify that your organization is legally recognized and active through government databases (Secretary of State for US companies, Companies House for UK companies, etc.). If the Sectigo validation team fails to find your organization, they may ask for a copy of Articles of Incorporation, Certificate of Formation or other business registration documents. In this case, the Certificate Authority should make a call to the registration authority and verify if the organization is active or not.

  2. Physical existence

    To check the organization physical existence and business presence, the Certificate Authority must verify that the physical address provided by the Applicant is an address where the organization conducts business operations (not a mail drop, P.O. box or an address of an agent for the Organization). This address will be included into the body of the SSL certificate after verification.

  3. Telephone number of the organization

    Callback verification is an essential part of the validation process, as it allows recognizing and preventing fraudulent attempts to obtain a certificate on behalf of the organization. The Certificate Authority must call the verified organization phone number and make sure that 1) The person mentioned in the Subscriber Agreement did sign the contract with the Certificate Authority; 2) The Contract Signer is a full-time employee authorized to order the certificate on behalf of the organization.

    According to the EV guidelines,the physical address, email address for the callback, and telephone number of the organization must be verified through one of the independent information sources:

    • government database
    • reliable third-party database (Dun and Bradstreet, Hoovers, Bloomberg, etc.)
    • professional opinion letter (legal opinion letter or accountant letter)

    Note: For the callback purpose, you can use either an official company email address or, as an alternative, one of generic domain-related email addresses from the following list: admin@example.com, administrator@example.com, hostmaster@example.com, postmaster@example.com, webmaster@example.com.

    As government databases mostly do not allow including company telephone numbers, we suggest registering your company in the worldwide business database, Dun and Bradstreet.

    The registration process is free of charge and usually takes 7-10 days (in some cases, up to 30 days) to allocate a special D-U-N-S number for your organization. You may not be aware of the fact that D&B has already assigned this number to your company based on the information provided by the registration agency or business partners. Fortunately, they have an online search service or a very convenient database with free access where you can check whether your organization is listed or not.

    If you do not have time to wait for an update, please consider a Professional Opinion Letter or a domain validation certificate on a temporary basis.

  4. Operational existence

    To make sure that the organization is financially active and engaged in business activities, the Certificate Authority must verify that at least one of the following requirements is met:

    • The Organization has been in existence for at least three years
    • The Organization is registered in the Dun & Bradstreet database or Qualified Government Tax database
    • The Organization has an active demand deposit account which can be proved by a bank statement
    • A professional opinion letter proves that the Organization has an active demand deposit account in a bank.

Note: If you have a Sectigo certificate, you can use the convenient  SSL Validation Tool  to check the progress status and take action to expedite your certificate issuance


Professional Opinion Letter

If you need to obtain an EV certificate urgently or prefer keeping the company details confidential, it is possible to send a professional opinion letter signed by a Lawyer, Public Notary or Certified Public Accountant. The person who signed the legal opinion or accountant letter should have a valid license within the country where the organization is registered or the country where the organization maintains an office or a physical facility. To expedite the validation process, we highly recommend requesting a Professional Opinion from a person who speaks English so that they can confirm the signature during phone verification with a Sectigo CA validation agent.

Please make sure that the following information is included:
- Legal name of the organization
- Trade name or DBA name (if required)
- Street address
- Telephone number
- Bank account – “Bank Name”, “Account Number”
- Manual or digital signature
- First and last name of the person who signed the letter

The template for a legal opinion or an accountant letter can be downloaded here:

You can find the Legal Opinion and Accountant Letter samples below. It is necessary to replace the underlined information in bold with your own.

Legal Opinion Letter sample (this firm represents Namecheap Inc)

evdoc1

EV Certificate Request No (CA order ID) can be obtained in different ways, depending on the SSL provider.

For SSL.com certificates, it will be mentioned in the email subject you receive from validation@ssl.com after certificate activation. 


For Sectigo certificates, it can be found in your Namecheap account by following the steps below:
Log into NC account >> Dashboard >> Domain List >> ensure you have All Products filtered at the top-right side of the screen >> find the domain name for which the EV certificate was activated >> hover on the red padlock icon and click Manage in the pop-up window:

evdoc2

Client is a legal name of the organization as listed in the government database, tax database, etc.

Client Representative is a person who has applied for the certificate on behalf of the organization. We recommend that the Contract Signer is specified in this field.

Application Date is the date when the EV order has been activated for a particular domain name in the Namecheap account.

Accountant Letter sample:

evdoc3

Subscriber Agreement 

Subscriber Agreement is a legally valid and enforceable agreement between the Sectigo Certificate Authority and the Organization that binds the Applicant to the terms and conditions of use. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) the officer's signature to establish the authenticity of the company’s website, and that the Organization is responsible for all uses of its EV certificate. 

This step can be completed online, but for certain orders, a handwritten signature and mailing may be required. The Certificate Authority will contact you via the company representative email address to complete the Subscriber Agreement. 

The samples can be found below: 

SSL.com:


Sectigo:


Once the Subscriber Agreement is well read and fully understood, you can complete and submit it to the Certificate Authority.

If you have a Sectigo certificate, it is possible to resend the Agreement email with the help of SSL Validation Tool.

For SSL.com certificates, the process can vary depending on the information the Certificate Authority can verify. Once the Subscriber Agreement is submitted, SSL.com must verify the identity of the person who signed the documents and confirm that the individual is authorized to request an EV certificate on behalf of the company.

If the signer is a company officer, such as the CEO, and SSL.com can match the signer's name, title, and company information against an independent online database, SSL.com will use identity verification. In that case, the signer can verify their identity online, which makes the validation process more convenient and allows you to skip the callback verification.

For verification purposes, SSL.com uses Veriff, a secure, user-friendly tool. The link to Veriff will be sent to you in a separate email. The platform uses photo-based verification to validate documents through a smartphone, tablet, or similar device.



Veriff is certified as a PCI DSS Service Provider Level 1 provider, the same level of security used by major payment card brands such as Visa and Mastercard. This certification requires a comprehensive annual third-party security audit, along with ongoing security testing, in accordance with the requirements of the PCI Security Standards Council.

You can be confident that Veriff enables users to submit sensitive documents safely and conveniently while helping businesses securely manage and delete submitted data. From the moment you access the platform, your session is protected by SSL encryption, and any images transmitted online are handled in compliance with SSL security standards. This is the same level of protection commonly used by eCommerce websites for credit card transactions.

If SSL.com cannot reliably match the signer's information against an online database, they will typically perform callback verification. During the callback, SSL.com will contact your company to verify the signer's identity, employment status, and authority to request an EV certificate on the organization's behalf. Because these details are confirmed during the call, Veriff is not used in such cases.

Conclusion

Usually, it takes up to 10 business days to complete the validation process and get an EV SSL certificate issued. The verification process can be definitely shortened to a couple of days if valid company information is listed in a reliable database (government one, D&B, etc.) or a Professional Opinion Letter. Thus, the EV application and validation processes are not so difficult as it seemed at the beginning. We encourage you to apply for an EV certificate in order to get the maximum trust among users and have the advantage among the competitors.

Please visit the official site of CA/Browser Forum which is the regulatory body governing the issuance of EV SSL certificates to find more information.

Updated
Viewed
45993 times

Need help? We're always here for you.

notmyip