Table of Contents

There are three types of TLS/SSL certificates, certificates with extended validation (EV), organisation-validated certificates (OV) and domain-validated certificates (DV). They differ in the degree of security provided by the issuing authority (CA) through validation processes of varying intensity.

The certificate with which the page is secured is indicated by the lock symbol, additional information that can be called up above it or the company name in the browser bar.

Important

For all verification problems, the CA sends an email to the administrative contact describing the problem and explaining what to do. This notification will only be sent once by the CAs. Respond immediately otherwise the order will be cancelled after some time.

Domain-validated certificates (DV)

Domain-validated certificates offer the user limited security, as the operator of the website is not visible to the user in contrast to the other certificate types.

Issuance duration of the Certificate: 1-2 days

This will be checked

One of the authentication methods (email, DNS, file) checks whether the applicant is the owner of the domain.

Validation steps when ordering

The verification is performed by means of a confirmation email that the CA sends to a recipient address specified by the requester. This email contains a link to confirm the order, which must be clicked on by the recipient. Alternatively, this validation can also be done via DNS-Auth and File-Auth. Once the confirmation is received, the certificate is issued within a few minutes. Since no further verification takes place for this certificate type, there is no further information about the website owner within the certificate other than the common name.

Appearance of DV certificates in the web browser

Using an DV certificate a lock icon will appear in the browser's URL bar.

  

Organisation-validated certificates (OV)

For OV certificates, in addition to the lock symbol in the browser bar, the owner of the website is also specified in the certificate details. This gives visitors to the site the assurance that the site operator is an existing company.

Issuance duration of the Certificate: 3-4 days

Only for Sectigo and its subbrands PositiveSSL, InstantSSL:

For OV and EV certificates, the 'Sectigo Certificate Subscriber Agreement' must be agreed to online. The admin contact will receive an email with an 'Agreement link' for this purpose.

This will be checked

The ownership of the domain, the existence of the company and the authority of the user to apply for the certificate are verified.

Validation steps when ordering

Domain owner

One of the authentication methods ( email, DNS or file ) checks whether the applicant is the owner of the domain.

Commercial register entry

The company is then checked against the entry in the commercial register or comparable registers of other countries.

Make sure that the information in the commercial register entry for the company is up to date at the time of validation. In the certificate application, use the identical name for the company and no different abbreviations or similar.

If the entry differs from the information in the certificate application, the CA requires further documents, e.g. the business registration.

Verification Calls

Finally, a verification by telephone is carried out.  A company telephone number from a public directory in the respective country is used for this purpose. Since the number of the central office is usually entered in the public telephone directories, it should be informed of the calls to be expected. Calls are usually made in English and during business hours.

The CAs try several times to reach the contact named in the application (Corporate Contact). If this is not possible, the CAs sends an email explaining how to proceed. It is also possible to leave a voice message with a security code with which the contact person can answer the call and thus complete the verification.

Make sure that the entries in the telephone directories are up-to-date at the time of validation.  If the entry differs from the information in the certificate application, the CA also requires a telephone bill from the company.

It is possible to make an appointment for the calls directly with DigiCert.
Please note that it is mandatory that the organisation-validation is completed before you schedule a call!
To do so, go to https://digicert.simplybook.me/v2/#book, select an appointment that suits you and log in with your name and the email address used when placing the order. Ideally, add the OrderID. You can find the ID in the SSL Manager or in the CA's confirmation email when the order has been accepted.

Appearance of OV certificates in the web browser

In the address line of the browser, the lock symbol appears without the company name, which is mentioned in the certificate details.

Firefox Browser

Certificates with extended validation (EV)

Certificates with Extended Validation (EV) are the most trusted certificates for Web sites through advanced validation and policy enforcement at issuance. The user of the website can immediately see that a certificate is active and who is the operator of the website.

Issuance duration of the Certificate: 5-7 days

Only for Sectigo and its subbrands PositiveSSL, InstantSSL:

For OV and EV certificates, the 'Sectigo Certificate Subscriber Agreement' must be agreed to online. The admin contact will receive an email with an 'Agreement link' for this purpose.

This will be checked

The first step is to check whether the applicant is also the holder of the domain. Then the existence of the company and the authority of the user to apply for the certificate are checked. The verification is more intensive than with OV-validated certificates. Due to the intensive verification the certificates with the extended validation (EV) are the most trustworthy certificates for websites for customers.

Validation steps when ordering

Domain owner

One of the authentication methods ( email, DNS or file ) checks whether the applicant is also the owner of the domain.

Commercial register entry

The company is then checked against the entry in the commercial register or comparable registers of other countries. 

Make sure that the information in the commercial register entry for the company is up to date at the time of validation. In the certificate application, use the identical name for the company and no different abbreviations or similar.

If the entry differs from the information in the certificate application, the CA requires further documents, e.g. the business registration.

Verification Calls

Finally, a verification by telephone is carried out.  A company telephone number from a public directory in the respective country is used for this purpose. Since the number of the central office is usually entered in the public telephone directories, it should be informed of the calls to be expected. Calls are usually made in English and during business hours.

  • The first call checks whether the employee entered when the order was placed works for the company.
  • The second call, which is directed to a superior, is used to check the authorization of the contact person for the purchase order.
  • Finally, a call is made to the actual contact person to confirm the order.

The CAs try several times to reach the contact named in the application (Corporate Contact). If this is not possible, the CAs will send him an email explaining how to proceed.

Make sure that the entries in the telephone directories are up-to-date at the time of validation.  If the entry differs from the information in the certificate application, the CA also requires a telephone bill from the company.

Recently it has become possible to make an appointment for the calls directly with DigiCert. To do this, go to https://digicert.simplybook.me/v2/#book, select an appointment that suits you and log in with your name and the email address used when ordering. Ideally, add the OrderID. You will find this in the SSL Manager or in the confirmation email of the CA when the order is accepted.

Restrictions on EV Certificates

EV Certificates are not issued to individuals, registered traders, GBRs, doctors or lawyers. For companies under the age of three, confirmation from the bank may be required. For all public institutions such as cities, offices, schools, a confirmation may be required, a short letter on official paper and with a stamp.

Appearance of EV certificates in the web browser

In contrast to the two other types of certificate types, not only is the small lock is displayed in the bowser bar, but also the operator of the page is shown.

Chrome

Internet Explorer

Firefox

 By clicking on the area with the lock icon  in the URL bar, the user receives further information about the operator of the website.