Extended Validation (EV) is the highest level of SSL Certificate validation, designed to provide the strongest level of trust and security for websites. Unlike Domain Validation (DV) and Organization Validation (OV) SSL Certificates, which focus primarily on domain ownership and basic business verification respectively, Extended Validation (EV) SSL Certificates require a strict and thorough validation process before issuance.
The primary purpose of Extended Validation (EV) is to assure users that a website is operated by a legally established and trustworthy entity. This helps protect against phishing attacks and fraudulent websites by ensuring that only verified businesses can obtain an Extended Validation (EV) SSL Certificate. The Certificate Authority (CA) must verify the organization's legal, physical, and operational existence before any Extended Validation (EV) SSL Certificate can be issued.
Once an Extended Validation (EV) SSL Certificate is issued, it enables HTTPS encryption and displays the organization's verified name within the SSL Certificate details, which users can check for added assurance. Websites with Extended Validation (EV) SSL Certificates are widely recognized as being more secure and reputable, making them a preferred choice for businesses that need to establish strong user trust. Trustico® offers Extended Validation (EV) SSL Certificates from trusted Certificate Authorities (CAs) including Sectigo® to provide the highest level of identity assurance available.
How Does Extended Validation (EV) Work?
Obtaining an Extended Validation (EV) SSL Certificate requires the most in-depth validation process of any SSL Certificate type. The Certificate Authority (CA) follows strict guidelines set by the Certificate Authority / Browser Forum (CA/Browser Forum) to verify the legitimacy of the requesting organization. The process involves two main stages : Domain Control Validation (DCV) to confirm domain ownership, followed by a comprehensive organization verification process.
The first stage is Domain Control Validation (DCV), where the Certificate Authority (CA) confirms that the applicant has control over the domain for which the SSL Certificate is being requested. This can be completed using any of the supported Domain Control Validation (DCV) methods, including Approver E-Mail verification, Domain Name System (DNS) CNAME record verification, Domain Name System (DNS) TXT record verification, or HTTP and HTTPS file based verification. Learn About The Complete Validation Procedure 🔗
The second stage is a detailed review of the business or organization. The Certificate Authority (CA) verifies the legal existence of the company by checking official government registration records and confirms that the organization is active and in good standing. The organization name specified during the SSL Certificate order must be an exact match with the name recorded with the relevant government authority.
The company's physical address is also verified to ensure that it is a real, operational business location. The Certificate Authority (CA) checks independent sources, such as government databases and third-party directories like Dun and Bradstreet, to confirm the accuracy of the information provided. Additionally, the Certificate Authority (CA) must validate the organization's telephone number and ensure that it is publicly listed. A verification telephone call is typically made to the company using this independently verified number, where an authorized representative must confirm the request for the SSL Certificate.
In some cases, the Certificate Authority (CA) may request additional documentation, such as legal agreements, proof of operational status, or a signed verification letter from a company officer or attorney. These extra steps ensure that Extended Validation (EV) SSL Certificates are only issued to legitimate and reputable entities. Because of the thorough verification process, Extended Validation (EV) SSL Certificates take longer to issue than Domain Validation (DV) or Organization Validation (OV) SSL Certificates. The process typically takes several business days but can sometimes take longer depending on the responsiveness of the organization and the complexity of the verification.
Approver E-Mail Verification Method
E-Mail verification is the most widely used Domain Control Validation (DCV) method for the domain ownership stage of Extended Validation (EV). The Certificate Authority (CA) sends a confirmation e-mail to a pre-approved address associated with the domain. The recipient must then follow the instructions in the e-mail, typically by clicking a confirmation link and entering a verification code provided in the message.
The e-mail address used for Domain Control Validation (DCV) must be one of the following pre-approved addresses : admin@yourdomain.com, administrator@yourdomain.com, hostmaster@yourdomain.com, webmaster@yourdomain.com, or postmaster@yourdomain.com. These addresses are defined by the Certificate Authority / Browser Forum (CA/Browser Forum) as acceptable for Domain Control Validation (DCV) purposes.
Important : WHOIS-based e-mail validation is being deprecated in accordance with Ballot SC-80v3. After June 15, 2025, only the five pre-approved e-mail addresses or a contact listed in the _validation-contactemail Domain Name System (DNS) record for the domain will be accepted for e-mail based Domain Control Validation (DCV).
If none of the standard pre-approved e-mail addresses are available for your domain, you may be able to configure a _validation-contactemail Domain Name System (DNS) TXT record to specify an alternative e-mail address. Learn About E-Mail Address Handling for SSL Certificates 🔗
Domain Name System (DNS) CNAME Record Verification Method
Domain Name System (DNS) CNAME record verification is an alternative Domain Control Validation (DCV) method that does not require access to any of the pre-approved e-mail addresses. This method requires you to create a specific CNAME record in your domain's Domain Name System (DNS) settings, which proves your control over the domain and allows the SSL Certificate issuance process to proceed to the organization verification stage.
The CNAME record is constructed using cryptographic hashes derived from the Certificate Signing Request (CSR) associated with your SSL Certificate order. An MD5 hash and a SHA-256 hash are generated from the DER-encoded Certificate Signing Request (CSR). The host portion of the CNAME record is an underscore followed by the MD5 hash at your domain, and the target is the SHA-256 hash split into two 32-character labels followed by sectigo.com as the canonical name. A unique value may also be included in the record for one-time use verification.
After placing your SSL Certificate order, you can switch to CNAME validation by logging into the Trustico® tracking system and changing the validation preference from Approver E-Mail to CNAME within your order details. Trustico® will provide the exact CNAME record values that need to be added to your Domain Name System (DNS) configuration. Explore Our SSL Certificate Tracking and Management Tool 🔗
Domain Name System (DNS) TXT Record Verification Method
Domain Name System (DNS) TXT record verification is another Domain Name System (DNS) based Domain Control Validation (DCV) method supported by the Certificate Authority (CA). With this approach, a unique random value token is provided at the time of your SSL Certificate order. You must then create a Domain Name System (DNS) TXT record with the host set to _pki-validation at your domain and the TXT value set to the random token provided.
The token provided for Domain Name System (DNS) TXT validation is valid for 30 days from the date of issuance and may only be used once per SSL Certificate order. If the token expires before the record is verified by the Certificate Authority (CA), a new token will need to be generated by resubmitting the validation request through the Trustico® tracking system.
Important : Each Domain Name System (DNS) TXT validation token is unique to a specific SSL Certificate order. Reusing a token from a previous order will not work. Always use the exact token value provided for your current order through the Trustico® tracking system.
HTTP and HTTPS File Based Verification Method
File based verification requires the domain owner to upload a specific verification file to a designated directory on the web server. The Certificate Authority (CA) will then check for the presence of this file at a known location to confirm domain ownership. This method is commonly used by web administrators who have direct access to their website's file system.
To complete file based validation, you will need to create a text file named using the MD5 hash value derived from your Certificate Signing Request (CSR). The contents of this file must include the SHA-256 hash of your Certificate Signing Request (CSR) on the first line, the text "sectigo.com" on the second line, and optionally a unique value on the third line. The file must be placed at the following path on your web server : http://yourdomain.com/.well-known/pki-validation/ or the HTTPS equivalent at https://yourdomain.com/.well-known/pki-validation/ using port 80 or port 443 respectively.
The verification file must be plain ASCII text without a Byte Order Mark (BOM). Both CRLF and LF line endings are acceptable. The web server must be publicly accessible on port 80 for HTTP or port 443 for HTTPS at the time the Certificate Authority (CA) performs the validation check. Learn About File Based Authentication for SSL Certificates 🔗
Warning : File based validation cannot be used for Wildcard SSL Certificates. If you are ordering a Wildcard SSL Certificate, you must use either Approver E-Mail or a Domain Name System (DNS) based validation method instead.
Organization Verification Requirements for Extended Validation (EV)
After Domain Control Validation (DCV) has been completed, the Certificate Authority (CA) proceeds with the organization verification stage. This is the most rigorous verification process of any SSL Certificate type and is what distinguishes Extended Validation (EV) from all other validation levels.
The organization name provided during the SSL Certificate order must exactly match the legal name recorded with the relevant government authority. The Certificate Authority (CA) will verify the organization's registration details against official government databases and confirm that the entity is active and in good standing. If the organization operates under a different trading name, a Fictitious Name or Doing Business As document may be required to confirm the connection between the trading name and the legal entity.
The Certificate Authority (CA) will verify the organization's physical address against publicly available records to confirm that it is a real, operational business location. The address provided must match official business registration records or be independently verifiable through a recognized third-party source. A verification telephone call with an authorized representative of the organization will be required before issuance. The telephone number used for verification must be publicly listed in an approved telephone directory or verifiable through a recognized third-party source such as Dun and Bradstreet.
Tip : It is recommended that the organization be listed at Dun and Bradstreet, as it is one of the world's leading sources of commercial information and insight on businesses. Certificate Authorities (CAs) rely on Dun and Bradstreet to verify organization details during the Extended Validation (EV) process. Being listed can significantly speed up the verification stage.
Additional documentation that may be requested includes Articles of Incorporation, Fictitious Name or Doing Business As documents, Business Licensing, legal agreements, proof of operational status, or a signed verification letter from a company officer or attorney. The administrative contact of the order will be contacted for further information if any additional documentation is needed.
Why is Extended Validation (EV) Needed?
Extended Validation (EV) is essential for organizations that need to establish the highest level of trust with their website visitors. Unlike Domain Validation (DV) and Organization Validation (OV) SSL Certificates, which primarily provide encryption and basic business verification respectively, Extended Validation (EV) SSL Certificates focus on comprehensive authentication to ensure users know exactly who they are dealing with online.
One of the biggest benefits of Extended Validation (EV) SSL Certificates is their ability to prevent phishing attacks and online fraud. Cybercriminals often create fake websites that appear legitimate, tricking users into entering personal information. With Extended Validation (EV), users can check the SSL Certificate details to confirm the verified business identity, making it much harder for fraudsters to impersonate trusted brands.
Extended Validation (EV) SSL Certificates also improve customer confidence. When users see that a website has undergone extensive verification and is backed by a trusted Certificate Authority (CA), they are more likely to feel safe when providing sensitive information, such as credit card details, passwords, and personal data. This increased trust can lead to higher conversion rates and improved customer retention for businesses. Learn About How SSL Certificates Improve Search Engine Rankings 🔗
Additionally, some regulatory and compliance standards require businesses to use Extended Validation (EV) SSL Certificates, particularly in industries like banking, healthcare, and e-commerce. Many large enterprises and government institutions choose Extended Validation (EV) SSL Certificates to meet strict security requirements while ensuring the highest level of authentication available.
Who Should Use Extended Validation (EV) SSL Certificates?
Extended Validation (EV) SSL Certificates are ideal for businesses and organizations that need to establish maximum trust and security. They are commonly used by financial institutions, e-commerce websites, law firms, healthcare providers, government agencies, and other high-profile organizations that handle sensitive transactions.
They are particularly beneficial for websites where customer trust is critical. Users who visit a website secured with an Extended Validation (EV) SSL Certificate can check the SSL Certificate details to confirm that they are dealing with a legitimate business rather than a potentially fraudulent website. This level of assurance is especially valuable for websites that process payments, collect personal data, or provide access to sensitive account information.
While Extended Validation (EV) SSL Certificates provide the highest level of authentication, they may not be necessary for all websites. Smaller businesses, blogs, and personal websites that do not handle sensitive transactions may find that Domain Validation (DV) or Organization Validation (OV) SSL Certificates are sufficient for their needs. Discover Domain Validation (DV) SSL Certificates 🔗
However, for businesses that prioritize security, customer trust, and fraud prevention, an Extended Validation (EV) SSL Certificate from Trustico® is the best choice. Trustico® provides Extended Validation (EV) SSL Certificates with full support throughout the validation process, helping to ensure your SSL Certificate is issued as quickly as possible. View Our Organization Validation (OV) SSL Certificates 🔗
Best Practices for Extended Validation (EV)
Following best practices during the Extended Validation (EV) process helps to ensure a smooth and timely SSL Certificate issuance. Generating a unique Certificate Signing Request (CSR) for each SSL Certificate order prevents token reuse issues during the Domain Control Validation (DCV) stage. If you are using a Domain Name System (DNS) based validation method, verifying that your records have propagated correctly before submitting the validation request will help avoid unnecessary delays. Learn About Certificate Signing Requests (CSR) 🔗
For the organization verification stage, ensuring that your business registration details are current and that your organization name exactly matches government records will prevent delays. Having your telephone number publicly listed in an approved directory and ensuring the authorized representative is available for the verification call will also help the Certificate Authority (CA) complete the process as quickly as possible.
Tip : Completing Domain Control Validation (DCV) promptly after placing your order allows the Certificate Authority (CA) to begin the organization verification stage sooner. Preparing all required business documentation in advance, including any legal agreements or proof of operational status, helps to minimize the overall time to issuance for your Extended Validation (EV) SSL Certificate.
Trustico® provides all the tools and guidance needed to complete both stages of the Extended Validation (EV) process efficiently through the Trustico® order tracking system. Explore Our Reasons to Choose Trustico® for SSL Certificates 🔗
