Extended Validation (EV) Guide

Understanding the advantages of the EV SSL Certificate and its authentication requirements

Consumers typically place the most trust in Extended Validation certificates because they are not easy to obtain. All of a corporation's records must match, from the initial domain registration, to corporate documents, all the way to corporate bank records. This confirms that a company is a legitimate business and is who it says it is.

To issue your Extended Validation certificate, the Certificate Authority (CA) will initiate an investigation and review process and will ask you to send several documents. A list of those documents can be found below.

The simplest and most convenient way to have the certificate issued is to send a letter of opinion from an attorney or a CPA.

  • Download Opinion Letter for Lawyers
  • Download Expert letter of opinion (CPA, Accountant)

Submission of SSL Extended Validation Agreement

REQUIRED: The Extended Validation SSL Agreement must be acknowledged and signed by your organizational contact, and faxed or mailed to the Certificate Authority.

IMPORTANT! The Certificate Authority (CA) cannot start processing your order until it receives the signed Agreement.

Sending the Lawyers Opinion Letter

Fill out and send the Lawyers Opinion Letter to enable issuance of the order. The Lawyers Opinion Letter verifies the details of the certificate and the company and helps the certificate to be issued more quickly.

IMPORTANT! The Lawyers Opinion Letter is the easiest and most expedient way to provide the details needed for verification. If this verification information is not provided via the Lawyers Opinion Letter, it must be provided through other means (described below).

For the Lawyers Opinion Letter, Symantec must be able to confirm the following:

  • The letter must come from an attorney, solicitor, barrister, advocate, or equivalent qualified to practice law in the country of the requesting entity's jurisdiction of incorporation, or in any jurisdiction where the entity has an office or physical facilities.
  • The Certificate Authority (CA) must be able to verify that the lawyer is registered in the appropriate jurisdiction, with the appropriate authority.
  • The Certificate Authority (CA) must be able to verify the letter of opinion directly with the lawyer.

Requirements for organisational authentication

To apply for an Extended Validation SSL Certificate, the company seeking the certificate must be recognized as a corporation or equivalent in its country of jurisdiction with the relevant government entity.

Symantec must be able to confirm all of the following about the organization's registration:

  • Official government records must include:
    • The company's registration number, or its registration / incorporation date.
    • The organization's registered address (or the address of the company's registered agent).
  • A non-government data source (such as Dun & Bradstreet) must provide the company's place of business (as defined in the order).
  • If the entity has been licensed for less than 2 years, Symantec will use one of the following methods to verify its operational existence:
    • Through a non-government data source (such as Dun & Bradstreet), or
    • By verifying that the organization has an active demand deposit account (such as a checking account) with a regulated financial institution, either through a Lawyers Opinion Letter or directly with the financial institution.

Domain authentication requirements

To qualify for an Extended Validation SSL Certificate, the domain registration details must reflect the full name of the organization as it appears on the certificate request.

  • The domain must be registered with an ICANN or IANA (for ccTLDs) registrar.
  • A parent relationship or a subsidiary relationship is not adequate evidence of domain name ownership. Domain registration details must be updated to reflect the name of the organization as indicated on the request for a certificate.
  • Where domain registration is not updated to reflect the name of the organization as identified on the request for the certificate, an opinion from a lawyer regarding the exclusive right of the organization to use the name is required, in addition to verifying this fact directly with the registered domain contact.
  • During the verification call, the Organizational Contact must confirm knowledge of the organization's ownership of the domain.

Organizational Contact authentication requirements

To qualify for an Extended Validation SSL Certificate, the Organizational Contact identified in the certificate request must be employed by the applicant organization and have the appropriate authority to obtain and delegate Extended Validation certificate responsibilities.

Note: Employment and authorisation cannot be verified via the company's website.

Note: If the Organizational Contact identified in the certificate application is listed as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director or equivalent) in government records, then the Organizational Contact Employment and Authorisation may be approved without verifying this information as described below.

Symantec must be able to assert all the following criteria about Organizational Contact:

  • Identity, title and employment of the Organizational Contact, from an independent source.
  • The Organizational Contact is authorised to obtain and accept EV certificates on behalf of the company, and to delegate this authority to others. This can be verified by one of the following methods:
    • A Lawyers Opinion Letter
    • A Statement of Organizational Resolution
    • Contacting the CEO, COO or equivalent executive directly at the company to confirm the Organizational Contact's authority. If no public records are available for the CEO, COO or other executive, Symantec will attempt to contact the organization's human resources department for contact details.

Requirements for Order verification

As part of processing an Extended Validation SSL Certificate, Symantec must verify the certificate application and all details of the certificate with the Organizational Contact specified in the certificate request. Symantec must contact the Organizational Contact through a telephone number obtained independently (not the telephone number given in the order).

This telephone number is obtained by one of the following methods:

  • By researching qualified telephone databases. Ensure that your company's primary telephone number is listed in a public telephone directory.
  • As set out in a Lawyers Opinion Letter.
  • As verified by Symantec during a site visit.

During the verification call, Symantec shall confirm the following with the Organizational Contact:

  • The name of the technical contact (or Managed PKI administrator) identified in the certificate application, and his or her authority to obtain the Extended Validation certificate on behalf of the organization.
  • The authority of the Managed PKI administrator to assign Extended Validation obligations where appropriate.
  • Knowledge of the organization's ownership of, and right to use, the domain identified in the certificate request.
  • Approval of the application for an Extended Validation SSL Certificate.
  • Acknowledgment of signing the Symantec Extended Validation User Agreement.