Extended Validation SSL achieves the highest level of consumer trust through the strictest authentication standards of any SSL certificate. Extended Validation verification guidelines require VeriSign to obtain and verify multiple pieces of identifying information about the Organization and Organizational Contact listed in the enrollment.
A. Organization Authentication Requirements
The following entities are eligible to receive an EV Certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency
VeriSign must be able to confirm all of the following organizational registration requirements:
- Government agencies
- General partnerships
- Unincorporated associations
- Sole proprietorships
- Official government agency records must include:
- The organization's registration number.
- The organization's date of registration/incorporation.
- The organization’s registered address.
- A non-government data source (such as Dun & Bradstreet) must include the organization's place of business address if it is not included in the Government agency records
If the organization has been registered for less than three years, VeriSign must verify operational existence through one of the following means:
- Through a non-government data source (such as Dun & Bradstreet) - or -
- By verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a Professional Opinion Letter or directly with the financial institution.
B. Organization Authentication Requirements
To qualify for an Extended Validation SSL Certificate, domain registration details must reflect the full Organization name as included in the certificate request. Where domain registration does not reflect the organization name as identified in the certificate request, positive confirmation of the Organization's exclusive right to use the domain name is required from the registered domain administrator or with a Professional Opinion Letter.
- The domain must be registered with ICANN or IANA registrar (for CCTLDs). Domain registration details must be updated to reflect the organization name as included on the certificate request.
- Where domain registration is private, the domain registrar is required to unblock the privacy feature.
- The Organization's Organizational Contact must confirm knowledge of the organization's domain ownership during the verification call.
C. Organization's Organizational Contact Authentication Requirements
To qualify for an Extended Validation SSL Certificate, the Organizational Contact identified in the certificate request must be employed by the requesting organization and have appropriate authority to obtain and delegate Extended Validation certificate responsibilities.
- Employment and authorization cannot be verified through the organization's web site.
- If the Organizational Contact identified in the certificate request is listed in government records as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director, or equivalent), then organizational contact employment and authorization can be approved without verifying this information as described below.
VeriSign must be able to confirm all of the following Organizational Contact requirements:
- Organizational Contact's identity, title, and employment through an independent source.
- Organizational Contact is authorized to obtain and approve EV certificates on behalf of the Organization. This can be verified through one of the following methods:
- Directly contacting the CEO, COO, or similar executive at the organization and confirming the authority of the organizational contact. If no public records are available regarding the CEO, COO, or other executive, VeriSign will attempt to contact the organization’s Human Resources department for contact details.
- A Professional Opinion Letter
D. Order Verification Requirements
VeriSign must verify the certificate request and all certificate details with the Organizational Contact identified in the certificate request. VeriSign must contact the Organizational Contact using an independently-verified telephone number.
This telephone number is obtained through one of the following methods:
- By researching qualified telephone databases to find a telephone number. Ensure your organization’s primary telephone number is listed in a public telephone directory.
- As provided in a Professional Opinion Letter.
- As confirmed during a site visit conducted by VeriSign. During the verification call, VeriSign must verify the following with the Organizational Contact:
- The name of the Certificate Request or identified in the certificate request and his or her authority to obtain the Extended Validation certificate on behalf of the organization.
- Knowledge of the company's ownership and right to use the domain identified in the certificate request.
- Approval of the Extended Validation SSL Certificate request.
- Acknowledgement of signature of VeriSign SSL Certificate Subscriber Agreement that includes all Extended Validation terms and conditions.
E. Additional Verification requirements
If VeriSign is unable to verify any of the required information on your certificate application, we may request you to provide a Professional opinion from a lawyer or accountant to verify the information.