Due to the prevalence of counterfeit websites on the Internet, one of the key purposes of a SSL certificate is to help assure consumers that they are actually doing business with the website they believe they are accessing. A SSL certificate provided by a trusted third-party authenticates the identity of a website based on a validation process performed by the Certificate Authority (CA).
Select The Best Level of Authentication for your Website
The level of identity authentication assured by a CA is a significant differentiator between SSL certificates. The explosive growth of phishing and other fraudulent websites designed to steal information from consumers has put a spotlight on the authentication strength of various SSL certificates and the authentication processes employed by different CAs. There are three commonly recognized categories of SSL authentication; Extended Validation (EV), Organization Authentication, and Domain Authentication.
Extended Validation Authentication
Extended Validation (EV) Authentication is the highest level of authentication available with a SSL certificate. Any website with an established brand reputation should consider the benefits of an SSL certificate with EV Authentication. New, high-security browsers identify these websites as authenticated by prominently displaying a green address bar and security status bar with the name of the verified organization that owns the website. These certificates are by far the most noticeable forms of identity authentication based on SSL technology by consumers.
Getting an EV Authenticated Certificate
Some certificate authorities require a signed acknowledgement of agreement from the corporate contact listed on any order for an EV SSL certificate. A company registration document may also be required if we are unable to confirm the organization’s details through a government database. A legal opinion letter may also be requested to confirm the following details about the organization applying for the Extended Validation SSL certificate:
- Physical address of place of operation
- Telephone number
- Confirmation of exclusive right to use the domain
- Additional confirmation of the organization’s existence (if less than 3 years old), and
- Verification of the corporate contact’s employment.
These are the standard methods of identity verification used to validate organizations for EV SSL certificates. However, documentation requirements may vary depending on the information available on various approved online databases.
Organization Authentication, also known as business identity authentication, is a high assurance level of authentication. SSL certificates with this level of authentication require verification of an organization’s existence through a government issued business credential. Validation includes among others business identity authentication, domain name verification and verification that the organizational contact applying for the certificate on behalf of the company or organization is an employee of that organization.
Getting a Certificate with Organization Authentication
Usually, the certificate authority will get the independent verification of government issued business credentials by searching one of many government or private databases to which they have access. If we cannot find “proof of right” to do business in the stated name for a certificate requester, we may request a copy of one of the following items:
- Articles of Incorporation
- Business License
- Certificate of Formation
- Doing Business As
- Registration of Trade Name
- Charter Documents
- Partnership Papers
- Fictitious Name Statement
- Vendor/Reseller/Merchant License
- Merchant Certificate
- US Tax Licenses for non-profit organizations and sole proprietorships (in either case the state tax documents must list the organization as non-profit or sole proprietor)
The organization named in the certificate requester’s distinguished name (CSR) must reflect the full legal name of their business. If the official name of the business as listed in one of the above sources of business credentials does not match the distinguished name, we will not be able to accept it. Suffixes such as “Inc, LLC, or LP” can be disregarded.
For example: "Dina's Cafe" may be used to authenticate "Dina's Cafe Inc." However, "Dina's Cafe" may not be used to authenticate "Dina's Cafe and Gift Shop Inc." In addition to the business credential verification, every certificate order goes through domain name verification. The organization ordering the SSL certificate must own their website domain name or have proof that they have the legal right to use that domain name. We also verify that the organizational contact applying for the certificate on behalf of the company or organization is an employee of that organization.
Domain authenticated certificates are the lowest form of authentication available. An entity requesting a domain authenticated certificate will go through a process to help verify that they either own the domain requested or that they have the right to use that domain name. Additionally we will verify that the email address for the contact requesting the certificate is either listed in the WHOIS directory or meets the CA's predetermined email alias requirements.