Validation Requirements

DigiCert

A. Organization Authentication Requirements
The following entities are eligible to receive an EV Certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency.

Government agencies
Corporations
General partnerships
Unincorporated associations
Sole proprietorships

DigiCert must be able to confirm all of the following organizational registration requirements:

Official government agency records must include:
- The organization's registration number.
- The organization's date of registration/incorporation.
- The organization’s registered address.
A non-government data source (such as Dun & Bradstreet) must include the organization's place of business address if it is not included in the Government agency records
If the organization has been registered for less than three years, DigiCert must verify operational existence through one of the following means:
- Through a non-government data source (such as Dun & Bradstreet)
  - or -
- By verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a Professional Opinion Letter or directly with the financial institution.

B. Domain Authentication Requirements
To qualify for an Extended Validation SSL Certificate, domain registration details must reflect the full Organization name as included in the certificate request. Where domain registration does not reflect the organization name as identified in the certificate request, positive confirmation of the Organization's exclusive right to use the domain name is required from the registered domain administrator or with a Professional Opinion Letter.

The domain must be registered with ICANN or IANA registrar (for CCTLDs). Domain registration details must be updated to reflect the organization name as included on the certificate request. See SO10588 for details on how DigiCert confirms the domain registration details
The Organization's Organizational Contact must confirm knowledge of the organization's domain ownership during the verification call.

C. Organization's Organizational Contact Authentication Requirements
To qualify for an Extended Validation SSL Certificate, the Organizational Contact identified in the certificate request must be employed by the requesting organization and have appropriate authority to obtain and delegate Extended Validation certificate responsibilities.

Notes:

Employment and authorization cannot be verified through the organization's web site.
If the Organizational Contact identified in the certificate request is listed in government records as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director, or equivalent), then organizational contact authentication can be approved without verifying this information as described below.

DigiCert must be able to confirm all of the following Organizational Contact requirements:

Organizational Contact's identity and employment through an independent source.
Organizational Contact is authorized to obtain and approve EV certificates on behalf of the Organization. This can be verified through one of the following methods:
- A Professional Opinion Letter
- Order Verification

D. Order Verification Requirements
DigiCert must verify the certificate request and all certificate details with the Organizational Contact identified in the certificate request. DigiCert must contact the Organizational Contact using an independently-verified telephone number.

This telephone number is obtained through one of the following methods:

By researching an approved 3rd party telephone database to find a telephone number. Ensure your organization’s primary telephone number is listed in a public telephone directory under the verified business address.
As provided in a Professional Opinion Letter.
As confirmed during a site visit conducted by DigiCert.

During the verification call, DigiCert must verify the following with the Organizational Contact:
The name of the Certificate Requestor identified in the certificate request and his or her authority to obtain the Extended Validation certificate on behalf of the organization.
Knowledge of the company's ownership and right to use the domain identified in the certificate request.
Approval of the Extended Validation SSL Certificate request.
Acknowledgement of signature of DigiCert SSL Certificate Subscriber Agreement that includes all Extended Validation terms and conditions.

E. Additional Verification requirements
If DigiCert is unable to verify any of the required information on your certificate application, they may request you to provide a Professional opinion from a lawyer or accountant to verify the information

Geotrust

Extended Validation SSL achieves the highest level of consumer trust through the strictest authentication standards of any SSL certificate. Extended Validation verification guidelines require GeoTrust to obtain and verify multiple pieces of identifying information about the Organization and Organizational Contact listed in the enrollment.

A. Organization Authentication Requirements
Geotrust must verify that your organization is registered with a government agency and in good standing in the location listed in your order.
The following entities are eligible to receive an EV Certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction.

Government agencies
Corporations
General partnerships
Unincorporated associations
Sole proprietorships

B. Operational Existence Confirmation
If the organization has been registered for less than three years, GeoTrust must verify operational existence through one of the following means:

Through a qualified information source (e.g., Dun & Bradstreet, IRS)
By verifying the organization has an active demand deposit account (e.g., checking account) with a regulated financial institution
Through a Professional Opinion Letter (template will be provided by GeoTrust)

C. Physical Address Confirmation
GeoTrust must verify the organization’s registered, physical address through one of the following means, if not listed in the Government Agency record:

A qualified information source (e.g., Dun & Bradstreet, BBB). The record must include the organization's full business name, and place of business address
Through a Professional Opinion Letter (template will be provided by GeoTrust)

D. Telephone Number Confirmation
GeoTrust must verify the organization’s telephone number through one of the following means, if not listed in the Government Agency record:

A qualified information source (e.g., Dun & Bradstreet, BBB, Yellow Pages)
Through a Professional Opinion Letter (template will be provided by GeoTrust)

E. Domain Authentication Requirements
GeoTrust must confirm that your organization owns, or has the right to use, the domain listed in your order. Domain ownership is confirmed by performing a WHOIS lookup. The WHOIS lists a “Registrant”, which is considered the owner of the domain. The domain registrant must match the organization’s registered, legal name listed and approved on the order.

If the registrant does not match, please update the domain Registrant with your domain Registrar to show your organization’s registered, legal name.
If your organization does not own the domain listed in your order, GeoTrust will request:
- Update the Registrant to match the organization’s registered, legal name.
- Have the Administrative Contact (or relevant contact) on the WHOIS complete the Domain Rights Confirmation Letter. Support will provide that contact with the Domain Rights Confirmation Letter template and instructions via e-mail.

F. Order Verification Requirements
Verification involves calling the Organizational Contact for the order via a telephone number obtained through a qualified information source (e.g., Dun & Bradstreet, BBB, Yellow Pages), to confirm the order information within the enrollment.

Comodo

1. DOMAIN VALIDATED CERTIFICATES (DV)

• A - Email Challenge-Response DCV
• B - HTTP Based DCV
• C - DNS CNAME Based DCV
Following completion of one of the elements above the certificate will be signed and released

Additional details can be found using the following URL:
Methods of Domain Control Verification

Note that ALL SSL Certificates MUST undergo the above DCV process in addition to any other requirements listed below for OV and EV certificates.

2. ORGANIZATION VALIDATED (OV) AND CODE SIGNING CERTIFICATES

Step 1 – Verify Identity and Address - This can be acquired using the following online resources:

If Applicant is an Organization (corporation, government agency, registered business entity, etc.):
Comodo MUST verify Identity through one of the following (these may also be used to verify address if it's included):

A. A government agency in the jurisdiction of the Applicant’s legal creation, existence, or recognition;
B. A third party database that is periodically updated and considered a Reliable Data Source (see QIIS below);
C. A site visit by the CA or a third party who is acting as an agent for the CA; or
D. An Attestation Letter.

QIIS (Qualified Independent Information Source)

www.dnb.com
www.hoovers.com
UK - http://www.companieshouse.gov.uk/

Comodo MAY use the following to verify ADDRESS provided that identity has been verified as required above:

A. Articles of Incorporation (with address)
B. Government Issued Business License (with address)
C. Copy of a recent company bank statement (you may blacken out the Account Number)
D. Copy of a recent company phone bill
E. Copy of a recent major utility bill of the company (i.e. power bill, water bill, etc.) or current lease agreement for the company

If the Applicant is an Individual:
Comodo MUST obtain ALL of the following:

A. Copy of a valid driver's license or passport of the Applicant
B. Copy of a recent major utility bill (i.e. power bill, water bill, etc.) or bank statement of the Applicant
Note: If the Driver’s License and Passport is not listing any address details or those details do not match with the account, then Comodo needs A. and 2 docs from B.

*Note: Recent=dated within the last 6 months

Step 2 – WhoIs Verification (Registrant company name and address)

Step 3 - DCV (Domain Control Validation)

Step 4 – Callback to a Verified Telephone Number (to verify applicant)

The phone number MUST be verified via one of the following:

A. Government database (QGIS)
B. Other third party database (QIIS)
C. Verified legal opinion or accountant letter.

Once the phone number is verified Comodo validation staff will call the Applicant to verify the authenticity of the certificate request. Following successful completion of the elements above the certificate will be signed and released.

* OV = Organization Validated SSL

3. EXTENDED VALIDATED CERTIFICATES (EV)

ALL requirements for EV Certificates MUST be verified directly with the government registration authority, or a Qualified Independent Information Source, or via a legal opinion or accountant letter as applicable. The basic verification requirements are:

A. Verify Legal Existence and Identity
This entails verifying the organization registration directly with the incorporating or registration agency.

B. Verify Trade/Assumed Name as applicable.
Only applicable if company does business under a name which is different from the official name of their corporation. Trade name must be registered and verifiable.

C. Verify Operational Existence
This means that Comodo must verify that the company is able to conduct business operations. Typically this means that the company has a current active demand deposit account with a regulated financial institution.

D. Verify Physical address and organization phone number

E. Verify Domain ownership

F. Verify the name, title, authority and signature of the person(s) involved in requesting the certificate and agreeing to the terms and conditions.