Extended Validation (EV)

Authentication Requirements

Extended Validation (EV) SSL Certificates achieve the highest level of consumer trust through the strictest authentication standards of any SSL Certificate. Extended Validation (EV) verification guidelines require us to obtain and verify multiple pieces of identifying information.

Trustico® Validation Image

Extended Validation (EV) SSL certificates are the gold standard, the industry’s premium business class SSL security products and provide the highest level in trust and security. They visually confirm that they have the highest level of authentication among the SSL Certificate range. With 2 unique features of displaying a green address bar and the registered business name in the address bar, which occurs once the SSL Certificate has been issued and correctly installed.

All major browsers include an enhanced user interface display for web security - triggered positively by the presence of a valid EV SSL Certificate or negatively by known association with malware or a revoked or misconfigured SSL/TLS Certificate.

According to the following report published in 2015 :

- 53% of consumers recognize the padlock means more trust
- 42% of consumers understand the green bar means greater safety.

It is important to recognize safety. Your customers are looking for safety and online security. They do not want to have their credentials or identity stolen online. Customers are more wary than ever before about online safety. By purchasing the correct SSL Certificate for your business, you are not only securing the connection between the customers browser and your website. You're providing security & confidence. Customers will see your company name in their browser establishing a level of trust that your customers will recognize. More Information

Have you ever made a purchase from a site you felt you didn’t trust?

Have you ever visited a site you didn’t trust?

With Google®’s announcement of their intended changes to the visual indicators of security provided by an SSL Certificate, the EV SSL Certificate is the only way to make your website stands out in providing proof of your commitment to the trust and security of your customers. More Information.

Who Uses EV SSL Certificates

Your bank, payments, cryptocurrency sites, e-commerce companies, tech companies like AirBnB, Twitter, GitHub, Microsoft and Apple.

The EV certificates are recommended for e-commerce sites and domains that handle sensitive information like personal or credit card details or data critical for company operations and provide strong encryption to protect all of this information

The Benefits of an EV SSL Certificate for an Online Business include :

- Improved SEO rankings
- Protect against harmful cyber attacks
- A decrease in abandoned shopping carts
- An increase in your customer retention rate
- High conversion rate for your products/services
- Security against phishing
- Increase customer in trust and confidence
- Very strict validation process
- Secure users private information & financial transactions
- Displays your organization name in the green Address Bar with HTTPS padlock
- Compatible with all Operating Systems (OS) and Servers

EV SSL Certificates have an additional functionality which is Subject Alternative Names (SAN). With EV SAN SSL Certificate (also known as a Multi Domain SSL Certificate), you can easily manage the security of your domains from the one SSL Certificate. There are no Wildcard domains allowed, but you can have as many domain names as you want on your SSL Certificate. You can also add domain names to an SSL Certificate later, up to a total of 250 on a single EV SSL certificate.

Getting Your EV SSL Certificate

Once an order has been submitted via our online ordering system please continue to monitor your e-mail for further information and requests for documents. We recommend completing the appropriate acknowledgment document as a priority. If you are able to complete this document, we may be able to expedite your order.

If you have ordered a Comodo® branded SSL Certificate you may be contacted directly by Comodo® and may be provided with an acknowledgment document to complete and return. A copy of the document can viewed and completed by clicking the following link :

Comodo® EV Agreement (PDF)

Please ensure to complete and fax the appropriate acknowledgment document to us, using one of the fax numbers from our Contact Us page. Following receipt of the completed document the following authentication requirements will be carried out to ensure your order can be expediently processed.

The admin contact is listed as the certificate signer for the order and will need to read through and complete the subscriber agreement.

These details will later on be checked by the Comodo verification team during the verification call.

Domain Authentication Requirements

To qualify for an Extended Validation (EV) SSL Certificate, domain registration details must reflect the full organization name as included in the SSL Certificate request. Where domain registration does not reflect the organization name as identified in the SSL Certificate request, positive confirmation of the organizations exclusive right to use the domain name is required from the registered domain administrator or with a professional opinion letter.

The domain must be registered with ICANN or an IANA registrar (for CCTLDs). Domain registration details must be updated to reflect the organization name as included on the SSL Certificate request.

Where domain registration is private, the domain registrar is required to unblock the privacy feature.

The organizations "Certificate Approver" must confirm knowledge of the organization's domain ownership during the verification call.

Per the Baseline Requirements, confirmation of control of the domain is first required, done so using the automated approver e-mail. An alternate verification method is available if the automated approver e-mail can’t be completed. It requires access to the root directory of the domain.

Organization Authentication Requirements

An Extended Validation SSL Certificate offers more than just encryption, as it also enables the organization behind the website to present its own validated identity of legal, physical and operational existence and hence authenticate itself to website visitors.

A trust hierarchy demands that entities "vouch" for each other. Companies that issue SSL Certificates are in the business of establishing that entities on the internet are, in fact, who they claim to be. The potential for criminal activity on the internet (in relevance to SSL), is in the online hijacking of websites or connections to siphon encrypted data. Persons so inclined to can easily copy web site interfaces and pose as well-known vendors, simply to collect data. The use of an EV SSL certificate prevents this from occurring because we will only issue an EV SSL certificate to a legitimate entity.

The EV SSL Certificate provides the highest level of identity assurance and works as a guarantee that the organization behind the website, as well as the trusted third party validating the identity, completed a thorough identity verification process as per the EV guidelines (a set of vetting principles and policies approved by the CA/Browser forum).

There are strict industry standards that must first be met before the EV SSL Certificate can be issued. EV verification guidelines, drawn up by the Certificate Authority/Browser (CAB) Forum require a much more rigorous check then other SSL Certificate types. Requiring to obtain and verify multiple pieces of identifying information of the requesting company.

The following entities are eligible to receive an Extended Validation (EV) SSL Certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency :

- Government agencies
- Corporations
- General partnerships
- Unincorporated associations
- Sole proprietorships

We must be able to confirm all of the following organizational registration requirements from official government agency records :

- The organization's registration number
- Date of registration / incorporation
- Organization's registered address (or the address of the organization's registered agent)

A non-government data source (such as Dun & Bradstreet) must include the organization's place of business address if it is not included in the government agency records.

If the organization has been registered for less than three years, we may be required to verify operational existence through one of the following means :

Through a non-government data source (such as Dun & Bradstreet), or by verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a professional opinion letter or directly with the financial institution.

The company name and address listed on the order must be confirmed as registered and operational in the country listed on the order and have a verifiable physical address.

These details are checked by Comodo themselves using a 'Qualified Government Information Source'. Below are some examples of various government agencies that we can use :

- United Kingdom : Companies House
- Israel : The Ministry Of Justice
- United States : The Local Secretary Of State
- Austria : FirmanABC

There must be an exact match between the company name entered on the order and the company name that is officially registered. This includes corporate identifiers, including Limited, Ltd, LLC, Inc etc.

The company must also be confirmed as operational for at least 3 years. A Principal Individual Letter (PIL) may also be required if the company has been operating for less than 3 years.

Organizations Approver Authentication Requirements

To qualify for an Extended Validation (EV) SSL Certificate, the "Certificate Approver" identified during the ordering process must be employed by the requesting organization and have appropriate authority to obtain and delegate Extended Validation (EV) SSL Certificate responsibilities.

Employment and authorization cannot be verified through the organization's website.

If the "Certificate Approver" is listed in government records as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director, or equivalent), then organizational contact employment and authorization can be approved without verifying this information as described below.

We must be able to confirm all of the following "Certificate Approver" requirements :

1. "Certificate Approver" identity, title, and employment through an independent source.

2. "Certificate Approver" is authorized to obtain and approve EV certificates on behalf of the organization. This can be verified through via a professional opinion letter, corporate resolution or by directly contacting the CEO, COO, or similar executive at the organization and confirming the authority of the organizational contact. If no public records are available regarding the CEO, COO, or other executive, we will attempt to contact the organization's human resources department for contact details.

Telephone Verification Call

We must verify the SSL Certificate request and all SSL Certificate details with the "Certificate Approver" identified during the ordering process. We must contact the "Certificate Approver" using an independently verified telephone number.

The telephone number is obtained through one of the following methods :

By researching qualified telephone databases to find a telephone number - ensure your organization's primary telephone number is listed in a public telephone directory, as provided in a professional opinion letter or as confirmed during a physical site visit.

During the verification call, we must verify the following with the "Certificate Approver" :

- The name of the SSL Certificate Requester identified in the SSL Certificate request and his or her authority to obtain the Extended Validation SSL Certificate on behalf of the organization.
- Knowledge of the company's ownership and right to use the domain identified in the SSL Certificate request.
- Approval of the Extended Validation SSL Certificate request and acknowledgment of signature of the applicable SSL Certificate Subscriber Agreement that includes all Extended Validation terms and conditions.

The company needs to exist in Qualified Independent Information Source records. When contacted, someone will confirm the admin contact's authority in the company. The EV application process will ask you for the phone number of an administrative contact. This is not actually used to validate your identity.

Typically, Dun & Bradstreet, Hoovers, White Pages or Yellow Pages are used. These can't be self reported: the Qualified Independent Information Source must review the information.

These contact details will be used to contact the company by telephone. An agent from the verification team will ask to speak to HR for larger companies. Then the verifying agent will confirm the authority of the certificate signer to make decisions on behalf of the company (e.g., get a certificate issued), and speak to the certificate signer to make sure they approve of the order. This is designed to stop someone who works for the company from creating their own rogue certificates.

Final Approval Stages

Once the verification call has been completed, the order will be moved into the second approval stage. This means that an agent will be checking all of the order details to make sure that they comply with the industry standards, before issuing the certificate to the certificate signer.

Additional Verification Requirements

If we are unable to verify any of the required information on your SSL Certificate application, we may request you to provide a professional opinion letter from a lawyer or accountant to verify the information.

Professional Opinion Letter Requirements

The professional opinion letter will be verified with the registered Bar Association or Board of Accountancy in the appropriate jurisdiction. If we are unable to verify the professional opinion letter, we will not be able to accept the letter signed by that individual.

Professional opinion letters must be completed by one of the following :

1. Attorney (solicitor, barrister, advocate, or equivalent) licensed to practice law in the country of the applicant’s jurisdiction of incorporation or any jurisdiction where the applicant maintains a confirmed office or physical facility.

2. Certified Public Accountant (chartered accountant, or equivalent) licensed to practice accounting in the country of the applicant’s jurisdiction of incorporation or any jurisdiction where the applicant maintains a confirmed office or physical facility.

3. Qualified Government Officials (based on country regulations) in the country of the applicant’s jurisdiction of incorporation or any jurisdiction where the applicant maintains a confirmed office or physical facility. These may include Clerks, Bailiffs, Registrars, Judges, Justice of the Peace and Police Officers.

4. Notaries Publics (outside of the US and Canada) who are a Government Official or Legal Professional can sometimes sign a professional opinion letter. Contact Us for more information.

Extended Validation (EV) orders require all information in the professional opinion letter be confirmed directly with the Attorney or Certified Accountant. They will be contacted using the contact details filed with the registered Bar Association or Board of Accountancy in the appropriate jurisdiction. Please ensure this person is aware of our intent to contact them to verify the information.

Additional Information

Sometimes a lawyer or accountant will need to write a letter of attestation, which allows the lawyer/accountant to attest to some aspects of the company. The lawyer/accountants credentials still need to be checked before their attestation can be used.

The entire verification process can be completed in 1 business day, so long as all of the required information is available and as long as the customer can complete each requirement asked of them.

A more comprehensive list of all of the requirements for an EV SSL certificate can be found on the CAB Forum’s own site :

https://cabforum.org/wp-content/uploads/EV-V1_5_5.pdf