Validation Requirements for SSL Certificates with Extended Validation

General Information ID:    INFO1595    Updated:    02/28/2017

Description

Extended Validation SSL achieves the highest level of consumer trust through the strictest authentication standards of any SSL certificate. Extended Validation verification guidelines require Symantec to obtain and verify multiple pieces of identifying information about the Organization and Organization Contact listed in the enrollment.
 

A. Organization Authentication Requirements
The following entities are eligible to receive an EV Certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency. 

  • Government agencies
  • Corporations 
  • General partnerships 
  • Unincorporated associations 
  • Sole proprietorships

Symantec must be able to confirm all of the following organizational registration requirements: 

  • Official government agency records must include: 
    • The organization's registration number. 
    • The organization's date of registration/incorporation. 
    • The organization’s registered address. 
  • A non-government data source (such as Dun & Bradstreet) must include the organization's place of business address if it is not included in the Government agency records 
  • If the organization has been registered for less than three years, Symantec must verify operational existence through one of the following means: 
    • Through a non-government data source (such as Dun & Bradstreet)
      - or - 
    • By verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a Professional Opinion Letter or directly with the financial institution.
       

B. Domain Authentication Requirements
To qualify for an Extended Validation SSL Certificate, domain registration details must reflect the full Organization name as included in the certificate request. Where domain registration does not reflect the organization name as identified in the certificate request, positive confirmation of the Organization's exclusive right to use the domain name is required from the registered domain administrator.

  • The domain must be registered with ICANN or IANA registrar (for CCTLDs). Domain registration details must be updated to reflect the organization name as included on the certificate request. See SO10588 for details on how Symantec confirms the domain registration details
  • The Organization's Organization Contact must confirm knowledge of the organization's domain ownership during the verification call.
     

C. Organization's Organization Contact Authentication Requirements
To qualify for an Extended Validation SSL Certificate, the Organization Contact identified in the certificate request must be employed by the requesting organization and have appropriate authority to obtain and delegate Extended Validation certificate responsibilities.
 

Notes:

  • Employment and authorization cannot be verified through the organization's web site. 
  • If the Organization Contact identified in the certificate request is listed in government records as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director, or equivalent), then organization contact authentication can be approved without verifying this information as described below.

Symantec must be able to confirm all of the following Organization Contact requirements:

  • Organization Contact's identity and employment through an independent source.
  • Organization Contact is authorized to obtain and approve EV certificates on behalf of the Organization. This can be verified through one of the following methods: 
    • A Professional Opinion Letter
    • Order Verification
       

D. Order Verification Requirements
Symantec must verify the certificate request and all certificate details with the Organization Contact identified in the certificate request. Symantec must contact the Organization Contact using an independently-verified telephone number.
 

This telephone number is obtained through one of the following methods: 

  • By researching an approved third party telephone database to find a telephone number. Ensure your organization’s primary telephone number is listed in a public telephone directory under the verified business address.
  • As provided in a Professional Opinion Letter.
  • During the verification call, Symantec must verify the following with the Organization Contact: 
    • The name of the Certificate Requestor identified in the certificate request and his or her authority to obtain the Extended Validation certificate on behalf of the organization. 
    • Knowledge of the company's ownership and right to use the domain identified in the certificate request. 
    • Approval of the Extended Validation SSL Certificate request. 
    • Acknowledgement of signature of Symantec SSL Certificate Subscriber Agreement that includes all Extended Validation terms and conditions.
       

E. Additional Verification requirements
If Symantec is unable to verify any of the required information on your certificate application, we may request you to provide a Professional opinion from a lawyer or accountant to verify the information
 

 

Contact Support

Find Answers