How to install an EV certificate?

Web hosts increasingly offer SSL certificates as standard, completely free of charge. These are usually Let’s Encrypt or Comodo branded certificates. They are fully functional certificates, recognized as trusted by 99+% of browsers. These certificates are sufficient for most Internet users: they have strong 256-bit encryption and effectively protect the transmission between the client’s computer and the website, so they can be used for the transmission of personal data. Basic certificates of this type are usually DV (Domain Validated). What if we need something more? This is where the EV certificate comes in.

We also recommend checking out how free certificates differ from paid ones.

Be like a bank, that is, EV certified

Some companies go a step further: in addition to the padlock icon in the browser bar, they may also have the name of their company displayed. This name is also included in the details of the certificate. Until now, EV (Extended Validation) certificates have mainly been associated with banks, but more and more companies are choosing to use them to highlight their credibility.

How to register an EV certificate?

A “regular” DV certificate is simple to register, so the whole process can be easily automated (you only need to be the owner of the domain, but that’s rather obvious). The certificate is issued either after you click a verification link (in the case of paid DV certificates) or after the issuer is able to read a special file that is created when free certificates are generated.

In the case of EV certificates the process is, as the name says, “extended”, meaning more complicated. Officially, according to documents from Comodo (one of the certificate issuers), the following is verified:

A. Verify Legal Existence and Identity. This entails verifying the organization registration directly with the incorporating or registration agency.

B. Verify Trade/Assumed Name as applicable. Only applicable if company does business under a name which is different from the official name of their corporation. Trade name must be registered and verifiable.

C. Verify Operational Existence. This means that we must verify that the company is able to conduct business operations. Typically, this means that the company has a current active demand deposit account with a regulated financial institution.

D. Verify Physical address and organization phone number.

E. Verify Domain ownership.

F. Verify the name, title, authority and signature of the person(s) involved in requesting the certificate and agreeing to the terms and conditions.

How are EV SSL certificates verified in practice?

After completing the EV certificate registration application, a manual verification from the certificate issuer follows.

First comes an email asking you to accept the rules for issuing a certificate. The email reads:

In order to complete your request for an EV SSL Certificate, we require that you confirm the SSL Request and execute an SSL Subscriber Agreement. This can be done via click through by following the link below and filling in the required details:

This is followed by manual verification by Comodo employees.

In the application form it is worth providing data that can be easily verified on the Internet. For example, if you give the CEO’s company cell phone number in the form (a number that is not officially listed anywhere), you can expect another email:

ACTION REQUIRED: We are unable to verify the telephone. Please update/register your business, including telephone number, with a third party independent source, including local/national registration agencies and reputable third party databases such as

https://www.upik.de/

https://www.dnbdirect.ca/

Or provide an opinion letter signed by an Attorney, Certified Public Accountant or Latin Notary (where legally recognized) verifying the telephone number.

That is, the phone number you provide in the form should be directly listed in the aforementioned databases (upik.de or dnbdirect.ca); more on these databases below. Of course, you can also have a notary certify a statement that the number belongs to your company.

Note: offering to send a contract with your phone carrier, or a monthly invoice, to confirm that you are paying for the phone number provided will not be accepted:

As per EV Guidelines we must be able to verify the applicant’s telephone number through a third party directory and phone bills are not acceptable to validate EV SSL certificate.

At this point you can sometimes get stuck, because the “third party directory” mentioned by the nice gentleman from Comodo turns out to be the address “upik.de”, repeated like a mantra. Like a phone invoice, other databases and registries, even very serious ones like the RIPE registry (which assigns IP addresses to operators), will also not be accepted by Comodo. They simply won’t.

What is this D-U-N-S number, and what are the dnbdirect.ca and upik.de databases?

In the very first form that needs to be filled out for EV certificate registration, Comodo asks for the Dun & Bradstreet D-U-N-S Number. This is nothing more than a database of companies, a “worldwide” one. Yes, your company is surely already in it. It is something like a directory. However, there may be a problem with this database, because you may never have entered anything into it or even heard of it. Your company’s data is there, but it may be incomplete. In our case it was missing … the telephone number. And this number is what Comodo wanted to verify. So the data needs to be updated for Comodo to treat it as reliable. Unfortunately, we do not know why this particular database is treated as reliable and others are not. That is what Comodo decided, and we are left to comply, or … to verify, for example, the phone number through a notary and a certified translator. Choose the easier way 🙂

Data update in D-U-N-S.

The easiest way for verification purposes is to correct your record in the D-U-N-S database. Comodo suggests doing the update through the German branch, the upik.de database.

Of course, you can do as they ask, but you may encounter a response:

we have forwarded your eUpdate request to your local D&B office, They are allowed 30 working days time to fulfill the update.

After that it may take another approx. 1 week for the data to become visible on UPIK.

This means that the whole procedure for correcting the data takes 30 working days (!), which together with the propagation time between their systems comes to almost 2 months … If you do not want to wait, you need to read between the lines what to do.

Verification of the company’s existence

You may also encounter requests for information on where to find company data on the website of official authorities.

Legal Verification: We need to verify the legal existence of your Company. Please get back to us where your company has been registered or please provide your business license or please provide us the direct government link which is listing the company name.

Hello, I’m calling from Comodo – or telephone verification.

One way of verifying that a company applying for an EV certificate exists is by phone: someone from Comodo will call the phone number provided earlier (the one that was subject to verification) and ask to speak with someone who can confirm the identity of the person who filled out the form. Of course, Comodo will announce the call by email:

Thank you for the kind response. We need to verify the (here was the first and last name as per the earlier form) role as Signer/Approver/Requester for the EV SSL through phone and we need to verify your job title with HR department, Secretary, President, CEO, CFO, COO, CIO, CSO, Director, etc…. or someone OTHER THAN THE SIGNER.

We will be contacting you to the telephone number : +xxxxxxxxxxx

Kindly confirm us, whether the above mentioned telephone number is right and also please reply with your available time.

A nice gentleman from Comodo called. He introduced himself in English, said that he was calling from Comodo and … asked to speak to the person who was listed on the form. Note: if this person is not in the office, you can give a direct number (e.g., a cell phone) for this person during the first call, and Comodo will then call again, this time directly to that person, for example the president (the person named in the form). That is, the first call must be to the number given in the application, but during that conversation you can give another number.

The conversation looked more or less like this:

Comodo: Hello I’m calling from Comodo

Me: Hello, I’m X Y

Comodo: Could You confirm your company name and domain name?

Me: Company is Smarthost Sp. z o.o. and domain is: “smarthost dot eu”

Comodo: Do you accept terms of service?

Me: Yes, I do accept.

Comodo: Ok, thank you, bye

The person who called spoke very slowly and clearly. And she had a rather exotic accent. The call is from a restricted number.

The phone call to the company was the last point of verification, after which we got confirmation that the EV certificate would be issued “today”. That is, all we have to do is wait, unless … read below.

Remember the CAA record in the DNS system

Some time ago, a new record type called CAA appeared in the DNS system. This record states who is allowed to issue an SSL certificate for your domain. The record can be, for example, “DigiCert” for RapidSSL-branded certificates. This can cause a problem: when you order a Comodo-branded certificate, then even after passing verification correctly you will not get the certificate, because its issuance is blocked by your own DNS settings. Of course, you may not have a CAA record at all, or you may have it set to “Comodo”, but it is still worth checking. Keep this in mind when applying for an EV certificate.
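The CAA check described above, as an added example that is not part of the original article or any issuer's code: it applies the RFC 8659 rules (climb towards the root to find the closest CAA record set, then compare `issue` / `issuewild` values) to constructed records. The zone contents and the CA identifier strings `digicert.com` and `comodoca.com` are assumptions; confirm the identifier your issuer actually uses in its documentation.

```python
# Added example: CAA evaluation following RFC 8659, run over constructed records.
# Zone contents and CA identifier strings are assumptions for illustration.

# Constructed DNS data: name -> list of (flags, tag, value) CAA records.
SAMPLE_ZONE = {
    "customer-domain.eu": [(0, "issue", "digicert.com"),
                           (0, "iodef", "mailto:hostmaster@customer-domain.eu")],
    "shop.example.org": [(0, "issue", "comodoca.com; policy=ev"),
                         (0, "issuewild", ";")],
    "locked.example.net": [(128, "futuretag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn towards the root; return the first non-empty CAA set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer_of(value):
    """Strip parameters: 'comodoca.com; policy=ev' -> 'comodoca.com'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca_id, zone):
    """True if CAA allows the CA identified by ca_id to issue for name."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognised property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in records):
        return False
    issue = [issuer_of(v) for _, t, v in records if t.lower() == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t.lower() == "issuewild"]
    # For wildcard names, issuewild replaces issue when it is present.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # nothing restricts issuance (only iodef, or no CAA at all)
    return ca_id.lower() in allowed  # a bare ";" value yields "" and matches no CA

if __name__ == "__main__":
    for host in ("www.customer-domain.eu", "shop.example.org", "*.shop.example.org"):
        print(host, "comodoca.com ->", may_issue(host, "comodoca.com", SAMPLE_ZONE))
```

Against a live domain, the same record set can be read with `dig CAA <domain>` and compared by eye using the same rules.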

We welcome the ability to display the company name next to the padlock icon

Phew, and that’s the end of it. Once verification has been completed successfully, the company will simply send you the certificate by email. All that remains is to install it on the server.

If you buy an EV certificate (as with DV) for a domain, e.g. customer-domain.eu, the certificate will by default also cover the domain with the www prefix: www.customer-domain.eu.

Is it worth it to have an EV certificate?

The image is priceless. The price of an EV type SSL certificate is a promotional cost: 130$ net per year (renewal after one year costs 260$ net). You also have to sweat a little when working with verification. But what one does not do for image 😉