Extended Validation (EV) certificate vetting process
This verification procedure applies to the following TLS certificates:
- Thawte Web Server EV
- DigiCert Extended Validation SSL
- DigiCert Secure Site EV
- DigiCert Secure Site Pro EV
- GeoTrust True BusinessID EV
To ensure maximum security, the EV SSL/TLS certificate verification process is more thorough, and all information is verified from multiple sources. The process of verifying and issuing an EV certificate takes a little longer than a regular OV (Organization Validation) certificate. However, verification, once performed, speeds up future orders where they do not need to be repeated (see green paragraph below).
The process of verifying an EV TLS certificate is simple and consists of three steps, which can be automated:
- Domain ownership validation
- Applicant company verification
- Final confirmation and order completion
Domain ownership validation
The certificate for a given domain does not necessarily have to be requested only by its owner, but every certificate order for a certain domain must be confirmed by its holder (owner, administrator, an employee of the organization).
Domains are confirmed separately in the certificate order, but the validation is valid even in the future; see the green notice above.
Emails (five addresses given by the certification authority) can be used for domain verification and, where there is no mail, alternative verification using DNS record or FTP file can be used. For more information, see the article on DV certificate validation.
Applicant company verification
Information about the company that will subsequently hold the SSL/TLS certificate is verified in the Commercial Register. The organization listed as the certificate’s applicant must have its identification number; self-employed persons cannot get an EV certificate under their name (the CN certificate cannot contain the name of a natural person).
Companies applying for an EV certificate must have operated for at least 3 years (otherwise confirmation must be provided) and must not be in bankruptcy or liquidation.
There is no need for the applicant's cooperation and this step is purely done by the CA. Recurring orders are subject to prior verification, which can be valid for up to 13 months.
Final confirmation and order completion
The certificate verification process ends with a short call from the certification authority to the authorization contact from the order, which should be an employee from the organization requesting the certificate. The call takes about a minute and is in English.
The certification authority obtains the phone number from public telephone sources (Google Companies, DnB). If the CA is not able to locate some information publicly, it will request (in exceptional cases) subsequent verification via forms. The certificate’s issue is thus extended by the time of the subsequent verification.
Once the verification process is complete, the generated SSL/TLS certificate is sent to the technical contact email, or you can obtain it at any time by logging in to your customer account.