Let’s have a go at understanding what SSL validation is and the requirements that you’ll need to satisfy during the SSL validation process
If you’ve been searching how to get an SSL/TLS certificate that fits your needs and wondering what the validation process entails, you’ve come to the right place. SSL server certificates come with varying degrees of assurance depending on its validation level — domain validation, organization validation, or extended validation. Each of these SSL cert validation levels comes with a different set of requirements in terms of mandatory documents or verification steps that’ll need to be satisfied.
Throughout this article, we’ll break down all the three HTTPS validation levels, understand how each verification process works, and determine which might best suit your needs.
Of course, if you’re just looking for an SSL certificate checker that can help you validate your SSL certificate online, we’ve got you covered for that, too.
The first SSL validation level we’re going to discuss is domain validation. It is the simplest form of validation and is an easy-going process that is performed automatically. It requires the applicant to submit minimal evidence and can be completed within minutes.
As soon as you make a purchase for a DV SSL certificate and submit the certificate signing request (CSR), all you then have to do is prove your ownership of the domain to a trusted third-party certificate authority (CA).
The simplest way to verify that you own the domain is via email verification. The CA will view the WHOIS record of the applicant’s domain and send an email to the listed address. Once you receive the email, respond to confirm that you’re the domain owner who requested the certificate.
But with all of these benefits, the downside is the degree of assurance that this SSL cert validation delivers to end users. Because DV certs involve the least stringent verification process that doesn’t investigate business documents or verify its legitimate operational existence, and several other details, the trust it commands with users is relatively low compared to other validation levels.
Having said that, because it offers the same encryption strength as the other validation levels, it is an ideal choice to secure personal websites, blogs, or other websites that don’t collect or process sensitive information.
However, encrypting the connection between the client browser and the server that hosts the website to which you’re connecting, isn’t enough to ensure security. That’s because obtaining an HTTPS padlock to your site by installing a DV certificate with minimum authentication requirements isn’t just easy for legitimate owners — it’s also easy for cybercriminals.
If the site you’re accessing happens to be a malicious phishing site hosted by an attacker, your data still stands to be compromised. Higher SSL cert validation levels require more rigorous vetting processes that virtually eliminates such risks. That’s why it’s so important to assert your identity with an OV or EV SSL certificate.
View All Domain Validated (DV) SSL Certificates
The next SSL validation, as the name suggests, is most suited for corporate environments and intranets if a reasonable level of trust in users is sufficient. The SSL cert validation process for OV certificates typically takes anywhere between one to three business days and requires you to prove that your company is a legitimate legal entity. To do this, you’ll need to complete the following requirements:
- Organization Authentication — The CA verifies the organization’s registration information and examines whether it is a legitimate legal entity.
- Locality Presence — The CA matches the information filled out in the CSR against the registration information in government records to ensure that your organization has an active legal presence in your registered location. If in case this information is not publicly available, you can submit a professional opinion letter by a legally registered attorney or accountant who can vouch for the legitimacy of your business.
- Telephone Verification — The CA will verify if your business’s telephone number is listed in your online government records. If not, typically, a few other sources will be checked by the CA (such as third-party directories. A professional opinion letter will satisfy this requirement as well.
- Domain Verification — Similar to the process with DV certs, email confirmation to verify your domain is the easiest way to meet this requirement. Additionally, you can also opt for a file or CNAME-based authentication, which is also fairly uncomplicated.
Final Verification — Once all the above requirements are met, a CA representative will get in touch with you or your organization’s specified point of contact to confirm the details of your order before issuing the certificate.
OV SSL certificates provide a significantly higher level of assurance than DV certs. When a CA issues an OV certificate, the organization’s name appears on the certificate along with the validation level. This information, along with other info, will be visible to any site visitor who views your certificate details.
View All Organization Validated (OV) SSL Certificates
The last SSL cert validation level, extended validation, offers the highest degree of assurance for any enterprise and involves the most thorough vetting process. This HTTPS validation process may take up to five days but can be expedited upon request. The applicant must provide acceptable documents to verify the business’s identity during the verification process.
To get an EV certificate, you will need to fulfill the following requirements:
- Organization Authentication
- Enrollment Form (aka Acknowledgement of Agreement)
- Operational Existence
- Physical Address
- Telephone Verification
- Domain Control Validation
- Final Verification Call
As with OV certificates, a professional opinion letter from an accredited attorney or accountant, vouching for your organization, or a Dun & Bradstreet credit report, will satisfy several of the requirements mentioned above. As you can tell, many of these specifications are similar to those discussed previously with OV certs (with the exception of the enrollment form, operational existence, and physical address requirements):
- Enrollment Form (aka an Acknowledgement of Agreement) — This is a certificate request form that tells the CA that you’re acting in good faith, and that you’re authorized to be making this purchase on behalf of your organization.
- Operational Existence — The CA verifies that your business has been in operation for at least three years and is in good standing. If you’re an established firm, this step is fairly easy to clear. However, for new companies, you may need to provide additional official registration documents. There are a few other alternatives like a credit report, bank confirmation letter, or a professional opinion letter. Depending on which CA you choose, look at the most feasible validation option that suits you.
- Physical Address — Once the CA verifies that the physical address submitted in your CSR matches the information in government records, this requirement can be crossed off. If the information is not publicly available, look at alternatives like submitting a professional opinion letter by an authorized signatory who can confirm that your business has a legitimate address.
The certificate details will contain the SSL cert validation level in addition to other important details about the certificate holder such as the organization’s country, state, locality, street, etc.
View All Extended Validation (EV) SSL Certificates
Hopefully, you now have a fair understanding of what the SSL validation process includes and what to expect once you’ve submitted the certificate signing request. The choice between DV SSL and other SSL validation levels is fairly easy to determine — if you’re a blogger or have a personal website, DV certs should typically meet your needs. However, for organizations — especially ecommerce companies or other organizations that collect or process sensitive information — an OV certificate should be the minimum SSL validation level. Deciding between an OV and EV certificate ultimately depends on your individual goals, financial plans, and how much identity assurance you wish to provide to site users.