EV SSL certificate
An EV certificate gives websites a professional and trustworthy appearance. In addition, it gives websites an increasing conversion rate. Because of the green address bar, visitors are able to see at a glance with whom they do business. The EV certificates of Comodo are competitively priced. Within one day you can be the owner of a green address bar for your website, for only €95!
An Extended Validation certificate, why?
An EV certificate is ideal for webshops, banks and websites where visitors must exchange personal information:
- Green address bar for a maximum visibility of the SSL security.
- Reliable appearance increases conversion rates.
- Check of domain owner, company data and the requester.
- Higher Google ranking when using SSL on all pages of the website.
What is an Extended Validation certificate?
Extended Validation (EV) is the highest form of authentication for SSL. The validationprocedures are very strict, which explains the higher costs in comparison with the other types of certificates. This procedure also explains why the delivery time is longer. The Extended Validation certificate is used to secure online services where trust plays a very important role. For example: online banking websites, webshops and public webmail services. The green address bar displays your legal company name and provides highly visual assurance to customers that your site is secure.
The way of displaying an EV certificate varies per browser.
Request an EV certificate
A certificate can be requested via the Control Panel on the website.
We verify the information in the request and the required signed documentation. If the validation procedure is completed, the certificate will be delivered within 3 to 10 working days (the delivery time depends on the Certificate Authority). The validation procedure for Comodo certificates is done by our own employees, that is why it is possible to deliver this in 1 business day.
If information in the request is incorrect or missing, we will let you know what we need. After receiving the certificate, you can install the certificate on the server(s). Manuals on how to generate a CSR and how to install a certificate can be find in our knowledgebase. Note: this type of certificate shows the registered Legal Name, or the Tradename followed by the Legal Name in parentheses. Use the notation: Tradename (Legal Name). An exception is a sole trader; these types of companies don't have a Legal Name, so the use of a single Tradename is allowed.
When requesting an EV certificate the following will be verified:
The domain holder information(Whois); The registration in the commercial register: the data in the certificate needs to be an exact match with the data in the commercial register (including the legal form); A signed contract; A check on revoked certificates; Phone verification: the phone number of the Organisation should be registered in the Yellow Pages or in the commercial register.
The exact requirements differ per CA.
Symantec, Thawte, GeoTrust
A corporate contact is required for verification when requesting a certificate. The full first name is needed, only the initials is not sufficient. The corporate contact needs to be an employee at the company the certificate is requested for. It's possible to finish the verification directly if the corporate contact is registered as authorised in the commercial register. If the corporate contact was not registered, the CA wants to talk to the HR, before validating with the corporate contact. The CA only contacts the organisation by phone through a registered number in the Yellow Pages or in the commercial register, or any other valid register. Further, an Acknowledgement Agreement needs to be signed. The corporate contact receives the Acknowledgement Agreement by e-mail.
A Subscriber Agreement must be signed. It's possible to sign and confirm the SA online in stead of a handwritten signing on paper documents. The SA needs to be signed by the corporate contact. As a contact, an employee or another authorized person should be specified. The Note: The request need to be done for the company, for which the certificate is, itself. A certificate is a recognition of a company as an entity, not of the owner(s) or holdings.
The verification call can be completed directly if the contact is registered as qualified in the commercial register. When this is not the case, another employee of the organisation needs to confirm that the contact is authorized to validate the request. The verification call can only be made through a registered number in the commercial register or any other valid register. When the registered number is incorrect, the registration should be adjusted first. If also the domain validation was successful (all information match the commercial register), the certificate can be issued.
A corporate contact is required for verification when requesting a certificate. The corporate contact must be an employee of the company the certificate is requested for. The verification call will be completed directly when the contact is registered in the commercial register as qualified. If not, the title will be checked with Human Resources. When this is not a management title, an extra verification will be done with the manager of the contact to check if he or she is authorized to request this certificate. The verification call can only be made through a registered number in the Yellow Pages or in the commercial register. When the registered number is incorrect, the registration should be adjusted first.
A signed Acknowledgement Agreement and a Request Form are needed. The Request form is sent to the e-mail address that was specified during requesting the certificate. The Acknowledgement Agreement is send directly form GlobalSign to the e-mail address of the specified contact.
The validation procedure per CA:
|Check commercial register (Including legal form)|
|Check whois information (Organisation name and addresss)|
|Check US blacklist|
|Check on revoked certificates|
|Additional check for organisations under 3 years|
|Check on registered phone number|
|Contact listed as employee?|
|Request directly from CA|
|Sending an agreement|
|Determining if contact is qualified by commercial register|
|Determining if contact is qualified through HR|
|Check on title through HR (to check whether someone is competent)|
|Check with manager if contact is qualified|
|Validation with contact|
|Final validation from CA|
An important motivation for the use of SSL certificates is to give confidence in online transactions. For this a CA testifies as an "independent third party" that the owner of a certificate is trustworthy. Commercial pressure led CA's to issue certificates without Organisation data in it. For this type of certificate a limited verification is done and the owner of a website is not verified. Browsers showed no visual difference between this certificate and the verified certificates. As a standard certificate only shows a padlock in the address bar, a visitor is not able to identify the websites' owner. As a result fraudsters could pretend to be a credible and reliable website.
In 2005 the first meeting of the CA/Browser Forum took place, initiated by Comodo. The purpose was to improve the standards for issuing certificates. On the 12th of June in 2007 the first guidelines of Extended Validation (EV) were introduced.
By setting stricter criteria for the issuance of certificates and consistent verification of these criteria by all participating CA's, SSL certificates with Extended Validation are designed to keep the confidence of the visitors in the safety of the website. EV certificates clearly show the visitor that they visit the website of a legally established business or organisation.
Certificate transparency (CT) is an initiative of Google. Google Chrome can check whether an SSL certificate is issued legitimately. Since the 1st of February in 2015 Certificate Transparency is required for every EV certificate. All CA's support this initiative en ensure that all issued EV certificates are known on the CT list. More information regarding Certificate Transparency.