About The Validation Procedure

A trust hierarchy demands that entities "vouch" for each other. Companies that issue SSL Certificates are in the business of establishing that entities on the internet are, in fact, who they claim to be.

The potential for criminal activity on the internet, as it relates to SSL Certificates, lies in the online hijacking of websites or connections to siphon encrypted data. Persons so inclined can easily copy website interfaces and pose as well-known vendors, simply to collect data.

The use of an SSL Certificate prevents this from occurring because the Certificate Authority (CA) will only issue an SSL Certificate to a legitimate entity.

The type of SSL Certificate purchased will determine the validation process your SSL Certificate must go through before issuance.

Trustico® offers three types of SSL Certificates : Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). Each of these SSL Certificate types has its own validation procedure that must be completed before the SSL Certificate can be issued.

The following sections provide an overview of each validation type and the requirements involved.

Domain Validation (DV) Requirements

Domain Validated (DV) SSL Certificate products are authenticated using one of three validation methods. The validation process is automated and can typically be completed within minutes.

The available Domain Control Validation (DCV) methods are :

  • Approver E-Mail
  • HTTP or File
  • DNS CNAME

Domain Validation (DV) SSL Certificates do not require any business verification, telephone calls, or documentation. Once you complete one of the validation methods above, your SSL Certificate is issued automatically.

Approver E-Mail Verification Method

When choosing to purchase a Domain Validated (DV) SSL Certificate, an approver will be chosen during the ordering process. The Certificate Authority (CA) will send an Approver E-Mail to the designated approver.

The following generic e-mail addresses are able to be used :

  • admin@yourdomain.com
  • administrator@yourdomain.com
  • hostmaster@yourdomain.com
  • webmaster@yourdomain.com
  • postmaster@yourdomain.com

Applicants must choose one of these generic addresses to prove that they administer the domain name for which the SSL Certificate is being purchased.

The recipient must follow the instructions in the e-mail, typically by clicking a confirmation link or entering a verification code. Since Domain Validation (DV) does not require extensive documentation or manual review, the process can often be completed within minutes.

CNAME or TXT Record Verification Method

Another method is Domain Name System (DNS) record verification, where a unique code is provided that must be added to the domain's Domain Name System (DNS) records. Once the correct record is detected, domain ownership is confirmed.

This method is useful for those who do not have access to one of the five allowed e-mail addresses or prefer a more technical approach.

After placing the SSL Certificate order, you may have the option to validate domain ownership using CNAME records instead of the standard e-mail approval method.

To check availability and to switch to CNAME validation, log in to the Trustico® tracking system after submitting your order and change the validation preference from Approver E-Mail to CNAME.

This alternative validation method requires you to create a specific CNAME record in your domain's Domain Name System (DNS) settings, which will verify your control over the domain and allow the SSL Certificate issuance process to proceed.

Access the tracking system to change your validation method or check your order status.

Your Certificate Authority (CA) Reference number is required to access the tracking system.

File Based Verification Method

File-based verification requires the domain owner to upload a verification file to a specific directory on the website's server. The Certificate Authority (CA) will then check for the presence of this file to confirm ownership.

This method is often used by web administrators who have direct control over their website's files.

Organization Validation (OV) Requirements

Organization Validated (OV) SSL Certificate products assist with consumer confidence as they require strict authentication and include an organization name within the SSL Certificate.

During the ordering process you must ensure the organization you specify is an active entity and can be confirmed by the government authority responsible for registering the entity within the specific jurisdiction.

An exact match between the organization name specified during the order process and the government authority is required.

Organization Validation (OV) SSL Certificates require manual verification by the Certificate Authority (CA), including verification of business registration documents and a telephone call to confirm the order.

View the Organization Validation (OV) information page or the detailed validation guide for complete requirements.

The detailed validation guide explains exactly what documentation and verification steps are required for Organization Validation (OV) SSL Certificates.

Extended Validation (EV) Requirements

Extended Validation (EV) SSL Certificates achieve the highest level of consumer trust through the strictest authentication standards of any SSL Certificate. Extended Validation (EV) verification guidelines require the Certificate Authority (CA) to obtain and verify multiple pieces of identifying information.

An Extended Validation (EV) SSL Certificate offers more than just encryption, as it also enables the organization behind the website to present its own validated identity of legal, physical and operational existence and hence authenticate itself to website visitors.

The use of an Extended Validation (EV) SSL Certificate prevents fraudulent activity because the Certificate Authority (CA) will only issue an Extended Validation (EV) SSL Certificate to a legitimate entity after thorough verification.

To ensure your SSL Certificate request is processed quickly, you will be required to provide authentication documents.

View the Extended Validation (EV) information page or the detailed validation guide for complete requirements.

The detailed validation guide explains exactly what documentation and verification steps are required for Extended Validation (EV) SSL Certificates.

Manual Verification for OV and EV

Organization Validated (OV) and Extended Validation (EV) products require manual verification by the Certificate Authority (CA). When a product requires manual verification, certain requirements must be met and will be stated within the product information pages.

Sample documents that may be required to support the SSL Certificate application include Articles Of Incorporation, Fictitious Name or Doing Business As documents, Business Licensing, and other official documentation proving the organization's legal existence.

The administrative contact of the order will be contacted for further information if documentation is required.

A verification telephone call with the administrative contact will usually be required before issuance. The telephone number must be publicly listed in an approved telephone directory or verifiable through a third-party source.

It is recommended that the organization be listed at Dun and Bradstreet as it is one of the world's leading sources of commercial information and insight on businesses, which Certificate Authorities (CAs) rely on to verify organization details.

The detailed validation guides explain exactly what is required for successful verification.

Following the detailed validation guides will help ensure your SSL Certificate is issued as quickly as possible.

Additional Validation Information

All SSL Certificate types, including Single Domain SSL Certificates, Wildcard SSL Certificates, and Multi-Domain SSL Certificates or Unified Communications Certificates (UCC), can be validated with any of the available Domain Control Validation (DCV) mechanisms.

Multi-Domain SSL Certificates can use different mechanisms for each Fully Qualified Domain Name (FQDN) in the request.

The Certificate Authority (CA) no longer considers proof of control of www.yourdomain.com as also proving control of yourdomain.com. Previously, if you ordered an SSL Certificate for the two Fully Qualified Domain Names (FQDN), www.example.com and example.com, and validated using HTTP_CSR_HASH on www.example.com, that was taken to also demonstrate control of example.com. That is no longer the case.

It remains the case that validating control of example.com is sufficient for the validation of an SSL Certificate to contain both example.com and www.example.com.
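
The two coverage rules above can be checked against an order before submission. The following Python sketch is an added example, not Trustico® or Certificate Authority (CA) code; the function names and sample order are constructed, and it assumes plain FQDNs (no wildcards) and that any name without a leading `www` label is treated as the base name.

```python
from __future__ import annotations


def normalize(fqdn: str) -> str:
    """Lower-case and drop a trailing dot so equivalent DNS names compare equal."""
    return fqdn.strip().lower().rstrip(".")


def covered_by(validated: str) -> set[str]:
    """Names for which proof of control of `validated` is accepted.

    Control of example.com covers example.com and www.example.com.
    Control of www.example.com covers www.example.com only.
    """
    name = normalize(validated)
    labels = name.split(".")
    if labels[0] == "www" and len(labels) > 2:
        return {name}
    return {name, "www." + name}  # assumption: applied to any non-www name


def coverage(requested: list[str], validated: dict[str, str]) -> dict:
    """Map each requested FQDN to the (name, mechanism) proving it, or None.

    `validated` maps each name with completed DCV to the mechanism used;
    a Multi-Domain order may use a different mechanism per FQDN.
    """
    result = {}
    for fqdn in map(normalize, requested):
        result[fqdn] = next(
            ((name, method) for name, method in validated.items()
             if fqdn in covered_by(name)),
            None,
        )
    return result


def pending_dcv(requested: list[str], validated: dict[str, str]) -> list[str]:
    """Requested FQDNs that still need their own domain control validation."""
    return [f for f, proof in coverage(requested, validated).items() if proof is None]


# Constructed sample order (not real data).
ORDER = ["example.com", "www.example.com", "shop.example.org", "WWW.Example.NET."]
WWW_ONLY = {"www.example.com": "HTTP or File"}  # only the www host validated
MIXED = {"example.com": "DNS CNAME", "shop.example.org": "Approver E-Mail"}

if __name__ == "__main__":
    print(pending_dcv(ORDER, WWW_ONLY))  # base domain remains pending
    print(coverage(ORDER, MIXED))
```
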

Order Queuing and Fraud Prevention

In the event an authentication procedure fails, or the system suspects possible fraudulent activity, the order may be queued for manual review. Also, occasionally orders are randomly queued for manual review.

Authentication engines are programmed to automatically flag certain orders for a quality review before issuance. The system looks for specific information within new and renewal orders.

For example, orders from certain countries or containing certain words may be flagged.
