Let’s have a go at understanding what SSL validation is and the requirements that you’ll need to satisfy during the SSL validation process
If you’ve been searching for how to get an SSL/TLS certificate that fits your needs and wondering what the validation process entails, you’ve come to the right place. SSL server certificates come with varying degrees of assurance depending on their validation level: domain validation, organization validation, or extended validation. Each of these validation levels comes with a different set of requirements in terms of the documentation or verification steps you’ll need to satisfy.
Throughout this article, we’ll break down all three validation levels, walk through how each verification process works, and help you determine which best suits your needs.
Of course, if you’re just looking for an SSL certificate checker that can help you validate your SSL certificate online, we’ve got you covered for that, too.
The first SSL validation level we’re going to discuss is domain validation (DV). It is the simplest form of validation and a fully automated process. It requires the applicant to submit minimal evidence and can be completed within minutes.
As soon as you purchase a DV SSL certificate and submit the certificate signing request (CSR), all you then have to do is prove to the certificate authority (CA) that you control the domain.
The simplest way to prove that is email verification. The CA looks up the WHOIS record of the applicant’s domain and sends a message to the listed contact address, or to one of a small set of standard administrative addresses at the domain itself (covered below). Once you receive the email, follow its instructions to confirm that you are the domain owner who requested the certificate. Note that WHOIS privacy services frequently redact the contact address, in which case the constructed addresses or one of the DNS or HTTP methods described below are the practical choice.
The trade-off for that speed is the degree of assurance a DV certificate delivers to end users. Because DV validation checks only control of the domain and never examines business registration documents, operational existence, or any other detail about the organization behind the site, the identity assurance it offers is the lowest of the three levels.
That said, the validation level has no effect on the strength of the TLS connection itself: key sizes and cipher suites are negotiated by the server and the client, not determined by how the certificate was validated. DV certificates are therefore an ideal choice for personal websites, blogs, and other sites that don’t collect or process sensitive information.
However, encrypting the connection between the client browser and the server that hosts the website to which you’re connecting, isn’t enough to ensure security. That’s because obtaining an HTTPS padlock to your site by installing a DV certificate with minimum authentication requirements isn’t just easy for legitimate owners — it’s also easy for cybercriminals.
If the site you’re accessing is a phishing site run by an attacker, your data still stands to be compromised, padlock or not. The higher validation levels require more rigorous vetting, so an attacker would have to impersonate a registered legal entity rather than merely control a domain name, which raises the bar considerably. That’s why it’s so important to assert your identity with an OV or EV SSL certificate.
There are three ways to prove that you control the domain:
1. Email-Based Authentication
As mentioned earlier, email-based authentication is the simplest option. The CA can send the confirmation email to the contact address in the domain’s WHOIS record, or to one of the constructed addresses that the CA/Browser Forum Baseline Requirements permit at the domain itself: admin@, administrator@, webmaster@, hostmaster@, or postmaster@ your domain. Whichever you choose, make sure you can actually read mail at that address before you start.
2. File-Based Authentication
If you choose this method, the CA gives you a text file (or a file name plus the token it must contain) to place on your web server under the /.well-known/pki-validation/ directory, which the Baseline Requirements prescribe for this check (older instructions may still say the site root). The CA then fetches the file over HTTP or HTTPS and compares its contents with the token it issued. The file must be served with exactly the expected contents and must be reachable from the public internet, because the request comes from the CA’s own systems, not from inside your network.
3. CNAME-Based Authentication
A CNAME record is a DNS alias. This method has you publish a CNAME record under your domain that points to a name under the CA’s DCV domain. The CA derives both halves of the record from your certificate signing request: an MD5 hash of the CSR becomes the record’s owner name and a SHA-256 hash of the same CSR becomes the target, in the following format:
_<MD5 hash>.yourdomain.com CNAME <SHA-256 hash>.targetCAaddress.com
For example, to perform DNS CNAME domain control verification for the domain ‘example.com,’ the following record would be created:
CNAME DNS entry:
_c7fbc2039e400c8ef74129ec7db1842c.example.com CNAME c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.targetCAaddress.com
The SHA-256 hash is split into two 32-character labels because a single DNS label cannot exceed 63 characters. Since both values are computed over the CSR, generating a new CSR changes the record you need to publish. Depending on the CA, you may instead be given a unique random token in place of the hash values. Follow the instructions given on your CA’s website.
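The three checks above, modelled as an added example (this is not code from the article or from any CA): it derives the artifacts an applicant must publish for each DV method and checks an observed answer against them. The CA suffix targetCAaddress.com is the article’s placeholder, the approved mailbox list is the Baseline Requirements’ constructed-address set, and the CSR bytes are a constructed stand-in rather than a real PKCS#10 request; a real one would come from openssl req -in server.csr -outform DER.

```python
import hashlib
import hmac

# Constructed sample standing in for a DER-encoded CSR (not a real PKCS#10 request).
CONSTRUCTED_CSR_DER = b"constructed stand-in for a DER-encoded CSR for example.com"

# Mailboxes the Baseline Requirements allow for constructed-address email DCV,
# in addition to the WHOIS contact address.
APPROVED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Directory the Baseline Requirements require for file-based (HTTP) DCV.
DCV_PATH_PREFIX = "/.well-known/pki-validation/"


def _norm_dns(name: str) -> str:
    """DNS names compare case-insensitively, and a trailing dot is the same name."""
    return name.strip().lower().rstrip(".")


def is_approved_dcv_email(address: str, domain: str) -> bool:
    """Email DCV: True when `address` is one of the constructed mailboxes for `domain`."""
    local, sep, mail_domain = address.strip().lower().rpartition("@")
    return bool(sep) and local in APPROVED_LOCAL_PARTS and _norm_dns(mail_domain) == _norm_dns(domain)


def http_file_is_valid(path: str, body: bytes, expected_name: str, expected_token: str) -> bool:
    """File-based DCV: the token must be served from the well-known directory under
    the file name the CA chose, and the content must match exactly (editor-added
    surrounding whitespace is tolerated). Constant-time compare avoids leaking
    how much of the token matched, which matters if the CA reuses tokens."""
    if path != DCV_PATH_PREFIX + expected_name:
        return False
    return hmac.compare_digest(body.strip(), expected_token.encode())


def expected_cname_record(csr_der: bytes, domain: str, ca_suffix: str) -> tuple[str, str]:
    """CNAME-based DCV: owner name is an underscore plus the MD5 of the DER CSR under
    the applicant's domain; target is the SHA-256 of the same bytes split into two
    32-character labels in front of the CA's DCV suffix. MD5 is only an identifier
    here, not a security primitive; the proof comes from control of the zone."""
    md5_hex = hashlib.md5(csr_der).hexdigest()
    sha_hex = hashlib.sha256(csr_der).hexdigest()
    owner = f"_{md5_hex}.{domain}"
    target = f"{sha_hex[:32]}.{sha_hex[32:]}.{ca_suffix}"
    return owner, target


def cname_answer_is_valid(answer: dict, csr_der: bytes, domain: str, ca_suffix: str) -> bool:
    """Check a resolver's answer (owner name -> canonical name) against the expected
    pair. A CNAME that points at the right CA but carries another hash does not
    prove control for this CSR, so any deviation fails."""
    owner, target = expected_cname_record(csr_der, domain, ca_suffix)
    observed = {_norm_dns(k): _norm_dns(v) for k, v in answer.items()}
    return observed.get(_norm_dns(owner)) == _norm_dns(target)


if __name__ == "__main__":
    owner, target = expected_cname_record(CONSTRUCTED_CSR_DER, "example.com", "targetCAaddress.com")
    print(f"{owner} CNAME {target}")
    print(http_file_is_valid(DCV_PATH_PREFIX + "ABC123.txt", b"token-value\n", "ABC123.txt", "token-value"))
    print(is_approved_dcv_email("Webmaster@Example.com", "example.com"))
```

To check a live zone, resolve the owner name returned by expected_cname_record with your resolver of choice and pass the result to cname_answer_is_valid; the owner-name lookup in a public resolver (not only your authoritative server) is what the CA will see.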
The next SSL validation level, organization validation (OV), is suited to business websites and intranets where a moderate degree of identity assurance is sufficient. The validation process for OV certificates typically takes anywhere between one and three business days and requires you to prove that your company is a legitimate legal entity. To do this, you’ll need to complete the following requirements:
- Organization Authentication
- Locality Presence
- Telephone Verification
- Domain Verification
- Final Verification
OV SSL certificates provide a significantly higher level of assurance than DV certs. When a CA issues an OV certificate, the organization’s name, together with its locality, state and country, is placed in the certificate’s Subject field, and the certificate policy extension records the validation level. Any site visitor who opens the certificate details can see this information.
How Do I Satisfy the Requirement for Organization Authentication?
Perhaps the most intensive OV requirement is organization authentication. The CA verifies the organization’s registration information and checks that your business is legally registered and active in your state or country. The details you provide during enrollment must match the registered information exactly. Additionally, if your organization operates under a trade name (a “doing business as” name), that registration must be on file and match as well.
Typically, the CA will obtain and verify the record from the official government database in your country or state that publishes business registration information. Where that record is unavailable or does not match, CAs accept three alternative verification methods (we’ll refer to these as the “three common alternative verification” methods or documents throughout the rest of the article):
Present Your Official Registration Documents
Official registration documents include articles of incorporation, chartered licenses, etc. issued by the government to establish your company as a legitimate legal entity.
Share Your Dun & Bradstreet Report
You can also provide a Dun & Bradstreet credit report to your CA to fulfill this requirement. Dun & Bradstreet is a firm that provides financial reports on other companies typically to reduce business risks. They are held in high esteem by third-party CAs, and obtaining one can help you satisfy multiple requirements in the validation process.
Provide Professional Opinion Letters
Professional opinion letters, or POLs (aka legal opinion letters), can help you satisfy a majority of requirements in the validation process regardless of whether you’re opting for an OV or an EV certificate. For OV certificates, a POL can cover four of the five requirements. All that needs to be done is to have an accredited attorney or accountant vouch for your organization, attesting that it is a legitimate legal entity, by signing the letter template the CA provides.
How Do I Fulfill the Locality Presence Requirement?
The CA matches the information filled out in the CSR against the registration information in government records to ensure that your organization has an active legal presence in your registered location. If this information is not publicly available, you can submit any of the common alternative verification documents (registration docs, D&B reports, and POLs).
How Do I Meet the Requirements for Telephone Verification?
Most businesses will have a phone number publicly listed or associated with it where consumers can call. For telephone verification, the CA will verify if your business’s telephone number is listed in your online government records. If not, you can complete this requirement using any of the alternative methods mentioned below:
- Submit a Dun & Bradstreet Credit Report
- Provide a Professional Opinion Letter
- Use a Third-Party Directory – If your number is not listed on a government database, don’t worry. The CA will also look at existing or new telephone listings for your organization from acceptable third-party sources such as BBB, yellow pages, etc.
How Do I Complete Domain Verification?
Like the process with DV certs, email confirmation to verify your domain is the easiest way to meet this requirement. Additionally, you can also opt for the following methods, which are fairly uncomplicated:
- Get a Professional Opinion Letter
- Proof of Right Email – You can request the CA to send you an authentication email to confirm your domain ownership on any of the pre-approved email addresses.
- Update your WHOIS Record — There could be several reasons why domain verification by the CA may fail. Having an outdated WHOIS record or your records set to private are two such examples. The easiest way around this issue is to update your records. Once that’s done, you can request your CA to verify the details again.
How Does the Final Verification Work?
Once all the above requirements are met, a CA representative will get in touch with you or your organization’s specified point of contact to confirm the details of your order before issuing the certificate. This involves a simple call where the business owner or the specified applicant will be asked questions like “what is the name of your company?” or “did you place the order?” and only takes about five minutes to complete.
The CA will attempt to connect with you in any of the following ways if you’re not reachable directly:
- Extension or IVR — If the registered number does not connect to your desk directly, the CA will try to contact you using your extension as long as it’s listed, or you’ve provided it previously. Even if your business uses an Interactive Voice Response (IVR), the CA will work its way through the system, and as long as they’re able to connect with the correct point of contact, you’ll have satisfied the final requirement.
- Transfer or Alternate Number — If you don’t use an extension or an IVR, you may want to instruct the receptionist to transfer the call to you or provide the CA with your direct number.
The last SSL cert validation level, extended validation, offers the highest degree of assurance for any enterprise and involves the most thorough vetting process. This HTTPS validation process may take up to five days but can be expedited upon request. The applicant must provide acceptable documents to verify the business’s identity during the verification process.
To get an EV certificate, you will need to fulfill the following requirements:
- Organization Authentication
- Enrollment Form (aka Acknowledgement of Agreement)
- Operational Existence
- Physical Address
- Telephone Verification
- Domain Control Validation
- Final Verification Call
As with OV certificates, a professional opinion letter from an accredited attorney or accountant, vouching for your organization, or a Dun & Bradstreet credit report, will satisfy several of the requirements mentioned above. As you can tell, many of these specifications are similar to those discussed previously with OV certs (with the exception of the enrollment form, operational existence, and physical address requirements):
How Do I Complete the Enrollment Form Requirement?
The enrollment form (aka an Acknowledgement of Agreement) is a single page request form that tells the CA that you’re acting in good faith and that you’re the organizational contact authorized to be making this purchase on behalf of your company. It requires some basic details about you, your organization, and an HR contact who can verify that you’re employed with the company on whose behalf you’re requesting the certificate.
When signing the form, note that digital or stamped signatures are not acceptable. You’ll need to take a printout, sign it, then scan or fax it back to the CA.
How Do I Fulfill the Requirement for Operational Existence Verification?
The CA verifies that your business has been operating for at least three years and is in good standing. If you’re an established firm, this step is fairly easy to clear. If your company is younger than that, the CA must confirm operational existence another way, and you may need to provide additional documents. Depending on the specific CA, you can choose which common alternative verification method to use (official registration document, D&B credit report, or POL). Additionally, you also have the option to submit a bank confirmation letter:
- Obtain a Bank Confirmation Letter — If you have an active checking account with any local financial institution, you can ask your bank to share a letter verifying this information to complete this requirement.
How Do I Satisfy the Physical Address Verification Requirement?
Once the CA verifies that the physical address submitted in your CSR is an exact match with the information found in government records, this requirement can be crossed off. However, if the information is not publicly available, you may submit any of the three common alternative documents to complete this requirement.
The certificate details show the validation level (as a certificate policy identifier) together with the validated details about the certificate holder: the organization’s name, country, state, locality, street, etc., and for EV certificates the business category, registration number and jurisdiction of incorporation as well.
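As an added example (not the article’s checker and not any CA’s code), here is how to read the validation level off a certificate the way a visitor would, from the Subject attributes a browser’s certificate viewer shows. It accepts the dict shape that Python’s ssl.SSLSocket.getpeercert() returns, so the same classifier runs on a live peer certificate as on the constructed samples below. The EV-only attributes (businessCategory, serialNumber, jurisdiction of incorporation) are those the EV Guidelines require; the attribute names follow OpenSSL’s long names, and accepting the jurisdiction attribute under either its long or short name is an assumption about how a given OpenSSL build reports it.

```python
import socket
import ssl

# Subject attributes the EV Guidelines require beyond the OV set.
EV_ONLY_FIELDS = {"businessCategory", "serialNumber"}
# Assumption: OpenSSL may report the jurisdiction attribute under either name.
EV_JURISDICTION_FIELDS = {"jurisdictionCountryName", "jurisdictionC"}

# Constructed samples in getpeercert() shape: 'subject' is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs. Not real certificates.
DV_SAMPLE = {
    "subject": ((("commonName", "blog.example.com"),),),
    "subjectAltName": (("DNS", "blog.example.com"),),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Texas"),),
        (("localityName", "Houston"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "www.example.com"),),
    ),
}
EV_SAMPLE = {
    "subject": OV_SAMPLE["subject"] + (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "12345678"),),   # registration number, not the cert serial
    ),
}


def subject_fields(cert: dict) -> dict:
    """Flatten the nested RDN tuples of getpeercert()['subject'] into a plain dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert: dict) -> str:
    """Infer DV / OV / EV from which identity attributes were validated into the
    Subject. DV names only the domain (CN and/or SANs); OV adds the organization
    and its location; EV additionally records business category, registration
    number and jurisdiction. (The authoritative signal is the CA/Browser Forum
    policy OID in the certificatePolicies extension, which getpeercert() does not
    expose; see the note below the code.)"""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if EV_ONLY_FIELDS.issubset(fields) and not EV_JURISDICTION_FIELDS.isdisjoint(fields):
        return "EV"
    return "OV"


def identity_summary(cert: dict) -> str:
    """The organization line a certificate viewer presents, or a clear marker that
    no organization identity was validated (the case for every DV certificate)."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "(no validated organization)"
    parts = [fields.get(k) for k in ("organizationName", "localityName", "stateOrProvinceName", "countryName")]
    return ", ".join(p for p in parts if p)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Retrieve the chain-validated leaf certificate of a live server in the same
    dict shape as the samples above (network call; not used by the samples)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(label, validation_level(cert), identity_summary(cert))
```

For a definitive answer rather than an inference from the Subject, check the certificatePolicies extension: the CA/Browser Forum reserved policy identifiers are 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV) and 2.23.140.1.1 (EV), visible with openssl x509 -in cert.pem -noout -ext certificatePolicies.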
Hopefully, you now have a fair understanding of what the SSL validation process includes and what to expect once you’ve submitted the certificate signing request. The choice between DV SSL and other SSL validation levels is fairly easy to determine — if you’re a blogger or have a personal website, DV certs should typically meet your needs. However, for organizations or ecommerce companies that collect or process sensitive information, an OV certificate should be the minimum SSL validation level.
Deciding between an OV and EV certificate ultimately depends on your individual goals, budget, and how much identity assurance you wish to provide to site users. Bear in mind that current major browsers no longer display the organization name in the address bar for EV certificates, so the extra assurance is visible only to visitors who open the certificate details. Just be sure to weigh all of your options carefully.