EV process and its documentation

Introduction

Practically everybody wants to assure website visitors that the company is real and trustworthy enough to start business and make online payments. Extended validation (EV) certificates are designed for this purpose.

Despite all the benefits, a thorough organization check, applicant verification and paperwork are required before the Certificate Authority can issue an EV certificate for your company.

The paperwork is an essential part of the validation process, and it might look confusing and vague at first sight. We are going to shed some light on this process here.

Type of organization

Most businesses for which EV SSL certificates are purchased are private organizations. A private organization is an entity which legal existence is created or recognized by a filing with the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g., under a charter, treaty, convention, or an equivalent recognition instrument).

Here are the examples of private organizations:

  • Corporations: with Inc. suffixes (US)
  • Limited Liability Companies: LLC (US), Ltd. (UK), Pty. Ltd. (AUS), GmbH (Germany)
  • Limited Liability Partnerships, etc.

Validation process

All validation steps described below are mostly related to private organizations. If you have another type of business, governmental or international organization, we suggest contacting the Sectigo validation team for additional information. The validation process may differ from case to case for such entities, therefore validation agents will be able to provide you with more precise instructions on this matter.

  1. Legal existence

    First of all, the Certificate Authority must verify that your organization is legally recognized and active through government databases (Secretary of State for US companies, Companies House for UK companies, etc.). If the Sectigo validation team fails to find your organization, they may ask for a copy of Articles of Incorporation, Certificate of Formation or other business registration documents. In this case, the Certificate Authority should make a call to the registration authority and verify if the organization is active or not.

  2. Physical existence

    To check the organization physical existence and business presence, the Certificate Authority must verify that the physical address provided by the Applicant is an address where the organization conducts business operations (not a mail drop, P.O. box or an address of an agent for the Organization). This address will be included into the body of the SSL certificate after verification.

  3. Telephone number of the organization

    Callback verification is an essential part of the validation process, as it allows recognizing and preventing fraudulent attempts to obtain a certificate on behalf of the organization. The Certificate Authority must call the verified organization phone number and make sure that 1) The person mentioned in the Subscriber Agreement did sign the contract with Sectigo; 2) The Contract Signer is a full-time employee authorized to order the certificate on behalf of the organization.

    According to the EV guidelines,the physical address, email address for the callback, and telephone number of the organization must be verified through one of the independent information sources:

    • government database
    • reliable third-party database (Dun and Bradstreet, Hoovers, Bloomberg, etc.)
    • professional opinion letter (legal opinion letter or accountant letter)

    Note: For the callback purpose, you can use either an official company email address or, as an alternative, one of generic domain-related email addresses from the following list: admin@domain.com, administrator@domain.com, hostmaster@domain.com, postmaster@domain.com, webmaster@domain.com.

    As government databases mostly do not allow including company telephone numbers, we suggest registering your company in the worldwide business database, Dun and Bradstreet.

    The registration process is free of charge and usually takes 7-10 days (in some cases, up to 30 days) to allocate a special D-U-N-S number for your organization. You may not be aware of the fact that D&B has already assigned this number to your company based on the information provided by the registration agency or business partners. Fortunately, they have an online search service or a very convenient database with free access where you can check whether your organization is listed or not.

    If you do not have time to wait for an update, please consider a Professional Opinion Letter or a domain validation certificate on a temporary basis.

  4. Operational existence

    To make sure that the organization is financially active and engaged in business activities, the Certificate Authority must verify that at least one of the following requirements is met:

    • The Organization has been in existence for at least three years
    • The Organization is registered in the Dun & Bradstreet database or Qualified Government Tax database
    • The Organization has an active demand deposit account which can be proved by a bank statement
    • A professional opinion letter proves that the Organization has an active demand deposit account in a bank.

Note: To check the progress status and take action to expedite your Certificate issue, use the convenient SSL Validation Tool.

Professional Opinion Letter

If you need to obtain an EV certificate urgently or prefer keeping the company details confidential, it is possible to send a professional opinion letter signed by a Lawyer, Public Notary or Certified Public Accountant. The person who signed the legal opinion or accountant letter should have a valid license within the country where the organization is registered or the country where the organization maintains an office or a physical facility. To expedite the validation process, we highly recommend requesting a Professional Opinion from a person who speaks English so that they can confirm the signature during phone verification with a Sectigo CA validation agent.

Please make sure that the following information is included:
- Legal name of the organization
- Trade name or DBA name (if required)
- Street address
- Telephone number
- Bank account – “Bank Name”, “Account Number”
- Manual or digital signature
- First and last name of the person who signed the letter

The template for a legal opinion or an accountant letter can be downloaded here.

You can find the Legal Opinion and Accountant Letter samples below. It is necessary to replace the underlined information in bold with your own.

Legal Opinion Letter sample (this firm represents Namecheap Inc)

evdoc1

EV Certificate Request No (Sectigo order ID) can be found in your Namecheap account by following the steps below:
Log into NC account >> Dashboard >> Domain List >> ensure you have All Products filtered at the top-right side of the screen >> find the domain name for which the EV certificate was activated >> hover on the red padlock icon and click Manage in the pop-up window:

evdoc2

Client is a legal name of the organization as listed in the government database, tax database, etc.

Client Representative is a person who has applied for the certificate on behalf of the organization. We recommend that the Contract Signer is specified in this field.

Application Date is the date when the EV order has been activated for a particular domain name in the Namecheap account.

Accountant Letter sample:

evdoc3

Subscriber Agreement and Certificate Request Form

Subscriber Agreement is a legally valid and enforceable agreement between the Sectigo Certificate Authority and the Organization that binds the Applicant to the terms and conditions of use. By signing this Subscriber Agreement, the contract signer acknowledges that they have the authority to obtain the digital equivalent of a company stamp, seal, or (where applicable) the officer's signature to establish the authenticity of the company’s website, and that the Organization is responsible for all uses of its EV certificate. The sample can be found below:

evdoc4

Certificate Request Form is a request from an Applicant (Organization) to the CA for obtaining an EV Certificate for a particular domain name(s). You can find the sample where one person is to act in all three roles, Certificate Requester, Certificate Approver and Contract (Subscriber Agreement) Signer below. If the contractor or hosting provider is involved into the EV application process, then it is recommended to use the 'Standard' version of the Certificate Request Form.

evdoc5

Once the Subscriber Agreement is well read and fully understood, and the Certificate Request Form is filled out, you need to sign both documents and submit them here, putting the Sectigo Order ID in subject.

It is possible to resend the Agreement email with the help of Sectigo SSL Validation Tool.

Usually, it takes up to 10 business days to complete the validation process and get an EV SSL certificate issued. The verification process can be definitely shortened to a couple of days if valid company information is listed in a reliable database (government one, D&B, etc.) or a Professional Opinion Letter. Thus, the EV application and validation processes are not so difficult as it seemed at the beginning. We encourage you to apply for an EV certificate in order to get the maximum trust among users and have the advantage among the competitors.

Please visit the official site of CA/Browser Forum which is the regulatory body governing the issuance of EV SSL certificates to find more information.

Updated
Viewed
36431 times

Need help? We're always here for you.

notmyip