So you've purchased an Extended Validation Code Signing Certificate. Nice move! On its face the process may seem a bit daunting. It's not. And we're here every step along the way. We've even outlined everything for you to make approval fast and easy.
What are the Extended Validation Requirements?
For the most part, regardless of what Certificate Authority you choose to get your certificate from, the requirements for extended validation are the same because of the CA/B Forum. The CA/B Forum is essentially a regulatory body, run by the Certificate Authorities and the companies behind the largest web browsers. They've determined the simple baseline requirements necessary to obtain a valid EV certificate. The requirements everyone must satisfy are:
- Enrollment Forms
- Organization Authentication
- Operational Existence (3 years of registration)
- Physical Address
- Telephone Verification
- Final Verification Call
Real businesses have no problem!
If you're a legitimate business – and you mostly have your ducks in a row – this process should be a breeze. Keep in mind, part of the reason the EV requirements are so involved is to differentiate the legitimate business from the rest of the crowd. Therefore, if you're trying to pull a fast one or you're not a real company—Extended Validation isn't going to work for you. But if you're working for an actual business (you know, one with an office, phone lines and maybe even business cards) then you have nothing to worry about.
Plus, you have us in your corner. Not to toot our own horn but we've been doing this for a while. Some might even call us experts. We'll be here to guide you through every step of the process. Typically, the industry likes to say issuance takes 1-5 business days—that's to give the CAs some time. But if you're in a pinch, we can even help expedite the process for you.
So what are you waiting for? Extended Validation is absolutely the best decision for your business and with us helping, the process for getting validated will be painless. Let's do this!
The first requirement for getting an Extended Validation Code Signing Certificate might just be the easiest. You simply fill out the Enrollment Form and return it to the Certificate Authority.
Sectigo uses 2 enrollment forms which only require some basic information about your organization, and contact info for the person in charge of the certificate request (the organizational contact).
You can prepare your Enrollment Forms before placing your EV Code Signing order; however, you will need your vendor order ID number to submit the forms. You can download both forms from the bottom of this article.
When you are ready to submit the forms, you can upload them directly to Sectigo's ticketing system. You should receive a Case ID number to reference if you need to contact support.
Throughout the Extended Validation process, you – the individual who is applying for the certificate – will be known as the Organizational Contact. This just means that you are the point of contact for your company.
Keep in mind that the reason Extended Validation even exists is to authenticate real companies, thus differentiating their websites from other websites and allowing them to provide their customers or clients with a greater degree of trust. The enrollment form is the first requirement that needs to be met in this process. The idea behind it is to verify that you, the Organizational Contact, have the right to act on your organization's behalf in the first place.
This may sound severe, but it's for your company's own good. An employee in good standing has nothing to worry about. This is to weed out someone impersonating an employee, looking to commit an act of fraud by getting a certificate for an imposter website. Nobody – not your organization, nor the CA – wants this to happen, so it's in everyone's best interest to make sure that you're authorized to be applying for this EV Code Signing certificate before the process goes any further.
What Information Do the Enrollment Forms Ask For?
The Enrollment Forms focus on getting information about the Organization and Organizational Contact. They ask for the organization's name, the full name of the Organizational Contact, the Organizational Contact's official title, the Organizational Contact's signature and the date and place of signing.
Unfortunately, digital signatures or stamped signatures are not accepted, so you'll have to print the form out, sign it and then either scan it or fax it back to the CA. You could, of course, mail it too. But we wouldn't advise that—it will seriously delay getting your certificate issued.
The next requirement in the Extended Validation process is called Organization Authentication. This is the point where the Certificate Authority verifies that your company is a legitimate legal entity that is registered and active in your local municipality.
What is Organization Authentication?
The Organization Authentication requirement is pretty straightforward – the CA is going to check to make sure your company is a legally registered business – though if your company operates under any trade names, assumed names or a DBA you will need to make sure that all of those registrations are accurate and up to date as well.
In most cases the Certificate Authority will be able to verify everything via the use of online government databases—the CA will check the official website in your country or state that displays business entity registration status. It's extremely important that the details listed on that database match the details you put down on the Enrollment Form or the CA will be forced to double back and a delay in the issuance of your certificate will ensue.
If the CA can't authenticate your organization using available online resources, you're not out of luck. There are other ways to complete the Organization Authentication requirement.
Other Methods for Organization Authentication
There are two other methods for satisfying the Organization Authentication requirement.
- Official Registration Documents – You can provide the CA with official registration documents that were issued by your local government—this includes items like articles of incorporation, chartered licenses or DBA statements. These all show that your organization is indeed a real business, and that it's recognized as such by your local government.
- POL – You can also get a Legal Opinion Letter, sometimes called a Professional Opinion Letter or POL. In some cases – for instance, if your company has in-house legal – this is actually the most convenient method to earn an Extended Validation Code Signing Certificate. A POL can be used to satisfy every single requirement for EV certificates, except for the Enrollment Form. A POL is essentially a document in which an attorney (one that is licensed to practice law in your location) or a professional accountant vouches for your company's legitimacy. It carries a lot of weight in the eyes of the CAs.
Either one will satisfy the Organization Authentication requirement.
Can anything else go wrong with Organization Authentication?
As long as your company is legitimate and has all of its registration information up to date with its local government—everything should go smoothly. But there are a few common mistakes which can hold up the process.
For instance, if your official registration details are outdated/expired or your company operates under multiple names and you didn't accurately list the names on your certificate or in the Enrollment Form—you may have to go back and clean things up on your end before the CA will move forward.
The next requirement for an Extended Validation Code Signing certificate is proving Operational Existence. The CA must confirm that your company has been operational for three or more years. If your company has not been operational for three years, it's still possible to have your Operational Existence verified—but it's going to require a little more work on your part.
Proving Operational Existence
For a well-established company that has been around for longer than three years, proving Operational Existence should be a breeze. In fact, much like with Organization Authentication, there's a chance you won't have to provide any documentation at all and the CA will be able to verify your company's Operational Existence just by checking online.
In this case the CA will check the Online Government Database – either in your local municipality, state or country – that displays your incorporation date. If you're located in a place that keeps good records and you've been around for long enough, this requirement will be met easily.
Other Ways to Prove Operational Existence
If your company resides in a place that doesn't keep good online records, or if your company is younger than three years old, then proving Operational Existence is going to require a little more work on your part. But don't be worried, it's still not all that labor-intensive (or scary).
There are four alternative ways to prove Operational Existence:
- Official Registration Documents – If your company has been operating for more than three years you'll simply need to forward along documentation. This can be done with almost any document issued by your local government, for example, articles of incorporation, a charter license or a DBA statement.
- Dun & Bradstreet – Dun & Bradstreet is a company that provides credit reports on businesses. Regardless of how long your company has been operating, if there is a Dun & Bradstreet credit report on your organization the CAs can use it to verify Operational Existence.
- Bank Confirmation Letter – No matter how long your organization has been operating, if you have an active checking account at a local financial institution all you have to do is supply a letter verifying this information to the CA and you can check the Operational Existence box off.
- POL – If you have a Professional Opinion Letter – a notarized letter from a lawyer or accountant vouching for your company's legitimacy – you can use it to prove your operational existence.
Any of these options will satisfy the Operational Existence requirement and get you one step closer to being issued an Extended Validation Code Signing Certificate.
The Physical Address requirement for an Extended Validation Code Signing Certificate is just what it sounds like—you have to prove your organization has an established physical presence in the country or state that it's registered in.
Proving your Company's Physical Address
In order to prove your company's physical address, the Certificate Authority will have to verify your company's street address, city, state and country.
The first way the CA is going to attempt to do this is by checking an Online Government Database – be that in your local municipality, your state or your country – for your company's publicly listed address. Everything must match the details on your certificate and enrollment form exactly. Unfortunately, the CAs will not accept PO Boxes or companies registered off-shore.
You might also run into problems with the fact that some government databases do not list a business's physical address. However, if you do run into any issues – as with all of these requirements – there is a relatively simple workaround that will still allow you to get your Extended Validation Code Signing Certificate.
Alternative Methods to Prove your Company's Physical Address
There are three ways to prove your company's physical address if the CA's search of the online government databases fails to satisfy the requirement.
- Official Registration Documents – You can send in any official registration documents issued by your local government – articles of incorporation, chartered license, DBA statement – and the CAs will accept them as proof of a physical address.
- Dun & Bradstreet – You can use a comprehensive Dun & Bradstreet credit report to verify the physical address of your company. Dun & Bradstreet is a large company that does credit reports on businesses, and the CAs view DUNS as an unimpugnable source of information when vetting organizations.
- POL – Finally, you can use a Legal Opinion Letter, sometimes called a Professional Opinion Letter or POL, which is signed by an attorney or an accountant, to prove your company's physical address. Unless you have in-house legal or easy access to an accountant, getting a POL can be a pain, but its benefits are undeniable—outside of the Enrollment Form a POL can be used to satisfy every requirement in the Extended Validation Code Signing process.
Any of these methods can be used to prove your company's physical address, should the CA's attempts to verify that information via an online government database fail.
Telephone Verification is yet another requirement for an Extended Validation Code Signing Certificate. You must have an active telephone number listed in an acceptable telephone directory. The listing must match the exact information given on your certificate and Enrollment Form (i.e. business name with corporate identifier and physical address).
Completing Telephone Verification
As with many of the other requirements (Physical Address, Operational Existence, Organization Authentication) the Certificate Authorities will first attempt to verify this information using an Online Government Database. If the database in your local municipality, state or country has your company's phone number listed along with all of its other information then you'll complete this requirement easily.
Unfortunately, the majority of online government databases do not display this information.
Don't worry, there are still multiple ways to satisfy this requirement.
Alternative Ways to Complete Telephone Verification
If the CA can't verify your telephone number online, there are three other methods you can use to satisfy this requirement.
- Third-Party Telephone Listing – You can use an existing telephone listing in a third-party directory. Acceptable directories include the YellowPages, Dun and Bradstreet, Better Business Bureau, Kompass, Infobel, and several others, depending on your region. But keep in mind, all the details in the listing must match the information on your company's certificate and Enrollment Form.
- Dun & Bradstreet – You can also use a Dun & Bradstreet credit report to verify the telephone number associated with your company. Dun & Bradstreet is a large company that does credit reports on businesses and the CAs are willing to use the information they compile in order to verify specific details during the Extended Validation vetting process. DUNS Credit Reports can also be used to verify Physical Address and Operational Existence.
- POL – Finally, you can use a Legal Opinion Letter – sometimes called a Professional Opinion Letter, or POL – to verify your company's telephone number. This is especially useful if your company doesn't publicly display its phone number in any directories or listings. A POL is a document signed by an attorney or accountant that vouches for the legitimacy of your company. It can be used to satisfy every requirement except the Enrollment Forms.
Final Verification Call
The final requirement for Extended Validation Code Signing Certificates is the Verification Call. The Certificate Authority must speak with you or the Organizational Contact using the verified business telephone number in order to confirm the details of your order.
Completing the Verification Call
This step is fairly simple: the Certificate Authority has already received your Enrollment Form, gone through Organization Authentication and confirmed Operational Existence, your company's Physical Address, Telephone Number and Domain Ownership.
Now all that's left is for the CA to call your company's verified phone number and speak with you or the Organizational Contact. The CA will use the call to verify the details of the order so they can then issue the certificate to the technical contact or web admin that will be installing the certificate (we can also help you install the certificate in lieu of an admin).
Unless you have severe social anxiety about taking a phone call—this requirement is absolutely painless.
Possible Issues with Taking the Verification Call
That being said, there are a few potential hiccups that can occur when you're getting ready to take the Final Verification Call. Namely, there's a good chance that your company's verified telephone number – the one that appears in public listings – doesn't connect directly to your desk.
Don't worry, the CA can enter your extension or connect with you through Interactive Voice Response (IVR). Alternatively, the CA can also be transferred to your line from your company's phone receptionist or operator, or it can obtain your number from a colleague after initiating the call using the verified telephone number.
The CA will make every effort to reach you. Just make sure you answer the phone. Seriously. Don't let it go to voicemail. Otherwise you'll just be delaying the issuance of your EV Code Signing Cert. And nobody wants that.
After you have finished all steps of the Extended Validation process, the CA will continue processing your order until they are ready to provision the USB device and ship it to your business address. You should receive a shipping confirmation email as soon as the package is on its way.