Organization Validation SSL: Fast & Easy Approval

So you've purchased an Organization Validation SSL certificate -now what? How does one get their organization validated? It may seem like a tall order, but don't worry. It's really quite simple. And you've got us in your corner. Trust us, this will be easy.

What are the Organization Validation Requirements?

The requirements for an Organization Validation SSL certificate are the same regardless of which CA you go with. These requirements are:

  • Organization Authentication
  • Locality Presence
  • Telephone Verification
  • Domain Authentication
  • Final Verification Call

As long as you're a legitimate organization this process will go smoothly. Remember, part of the reason this process even exists is to differentiate the legitimate businesses from the pretenders—including scam artists and cybercriminals. So, if you're working for an actual business, then you have nothing to worry about.

Plus, we'll be here helping you the whole way. You'll have the benefit of our many years of experience behind you. Typically, the CA's like to tell you issuance takes 1-3 business days—that's to give themselves some cushion. But if you're in a hurry, we can even expedite the process for you.

So what are you waiting for? Let's get started!

What is Organization Authentication?

The Organization Authentication requirement is perhaps the most involved of all the OV requirements. The CA will be checking that your organization is registered and active within your state or country. It's absolutely vital that all of the listed information from your organization's registration matches the details that you supplied during enrollment. It's also worth noting that if your organization operates under any trade names, assumed names or DBAs, that all of that registration information needs to be up to date and accurate as well.

The primary way that the CAs will attempt to verify this information is by checking the Online Government Database in your local municipality, state or country—whatever government site publicly displays your business entity registration status. 

If all the details match up, then you'll have satisfied this requirement. If not, don't worry. There are alternative methods your CA and you can utilize to authenticate your organization. 

  • Official Registration Documents – You can use the business registration documents that have been issued by your local government to satisfy this requirement. Examples of these types of documents include articles of incorporation, chartered licenses and DBA statements—anything from the government showing your company is a legitimate legal entity.
  • POL – Though Legal Opinion Letters, often called Professional Opinion Letters or POLs, can be a hassle to obtain, they are exceptionally useful during the validation process. They satisfy four of the five requirements for Organization Validation. Essentially you are having an attorney or accountant vouch for the legitimacy of your organization by signing a letter from your CA.


Locality Presence

After Organization Authentication , the next requirement for an Organization Validated SSL certificate is proving Locality Presence. For this requirement, the Certificate Authority (CA) will try to verify that your organization or company has an active legal presence in its registered location.

What is Locality Presence

To fulfill the Locality Presence requirement, the Certificate Authority needs to verify that your organization has a legitimate physical presence within the country or state it's registered in. The CA doesn't need to verify the actual street address, just the city, state or country in the address.

Usually the CA will attempt to verify this information by searching an Online Government Database. It will look in the relevant database and check the registration details – the city/state/country in your address – against the details you provided at the outset of the process.

If everything checks out, you're good to go—you have satisfied this requirement. However, if everything doesn't match exactly, you'll need to utilize another method to prove your locality presence.

Fortunately, there are three other ways to satisfy this requirement.

Other Methods for Organization Authentication

There are two other methods for satisfying the Organization Authentication requirement.

  • Official Registration Documents – The CAs will accept documents from your local government (city, state or country) that verify the information you provided them during enrollment. This includes documents such as articles of incorporation, chartered licenses and DBA statements.
  • Dun & Bradstreet – Providing a comprehensive DUNS Credit Report will allow the CA to verify the physical address associated with your organization. Dun & Bradstreet credit reports are incredibly useful for the purpose of validation as they can satisfy both this requirement and the Organization Authentication requirement.
  • POL – A legal opinion letter, which is sometimes called a POL or professional opinion letter, is a document in which an accountant or attorney (they must be in good standing) verifies the legitimacy of your business. They can be used to satisfy four of the five requirements for an OV SSL Certificate.

Telephone Verification

One of the more straightforward requirements in the Organization Validation process is Telephone Verification. Do you have a telephone number listed? Is it verifiable by a third-party directory? Boom. Done.

What is Telephone Verification?

In order to satisfy the Telephone Verification requirement, you must have an active telephone listing that's verifiable by an acceptable online telephone directory. The listing must display the exact same business name and physical address as you've already had verified.

To check this, the first place the CAs will go are the Online Government Databases. If your number is listed and the organization name and address match up, you're good to go—you've satisfied this requirement.

Unfortunately, the majority of government databases don't display the phone number. This complicates things a bit for the CA, but not for you, as long as your organization does have a number listed.

  • Dun & Bradstreet – Providing a comprehensive DUNS Credit Report will allow the CA to verify the physical address associated with your organization. Dun & Bradstreet credit reports are incredibly useful for the purpose of validation as they can satisfy both this requirement and the Organization Authentication requirement.
  • POL – A legal opinion letter, which is sometimes called a POL or professional opinion letter, is a document in which an accountant or attorney (they must be in good standing) verifies the legitimacy of your business. They can be used to satisfy four of the five requirements for an OV SSL Certificate.

Domain Verification

The next requirement for Organization Validated SSL is Domain Verification. This is where the Certificate Authority (CA) will attempt to verify that your organization owns the domain in question.

What is Domain Verification?

To satisfy the Domain Verification requirement you need to prove that your organization owns the domain that was registered for.

There are several ways to do this, but the CA is going to start by looking at the WHOIS registry. WHOIS, is an internet database that stores domain registrar information. For this approach to work the record must be publicly available. There are some cases in which the WHOIS cannot be used, such as if human verification (i.e. CAPTCHA) is required, or if international privacy laws prevent the data from being published.

If the WHOIS registry is publicly available and checks out against the information you supplied during enrollment, then you've cleared this requirement. If not, there are three other ways to satisfy the Domain Verification requirement.

Alternative Methods to Complete Domain Verification

  • Updating your WHOIS Record – If the details in your WHOIS record are outdated or incorrect, or if a privacy setting is enabled, you can update the record and request that the CA check your WHOIS details again. 
  • Pre-Approved Alias Emails – If your domain's WHOIS record cannot be accessed the CA can also send the authentication email to one of five pre-approved email addresses associated with the website. The five pre-approved addresses are:
  • File-Based Authentication – The CA will provide you with a text file that you will need to upload to the root directory of your website. This will then be verified by the CA via HTTP or HTTPS.
  • DNS-Based Authentication  – The CA will provide you with two unique hash values. You, in turn, must create a DNS record on your domain with these values to complete validation. 

Final Verification Call

The Final Verification call is the last requirement for an Organization Validated SSL certificate. It's simple, the Certificate Authority (CA) will call the telephone number associated with your organization to verify the details of the order.

What is the Final Verification Call?

To finish the Organization Validation process and issue your SSL certificate, the Certificate Authority will need to call and speak with you or your specified applicant (your site admin) via your organization's verified telephone number in order to confirm the details of your order.

This really is as simple as it sounds. Just make sure you (or your site admin) are available to pick up the phone and answer the questions. They're not hard questions, either. Just generally things like, “did you order this?” or “what is the name of your company?” Simple. And it takes less than five minutes.

Now, if the listed telephone number doesn't ring directly to your desk – as does sometimes happen – do not worry. The CA will attempt to contact you a couple of different ways.

  • Extension or IVR – If your phone system uses extensions or Interactive Voice Response (IVR), then the CA will work through the phone system to connect to you. So as long as your extension is listed (or you have provided it) or your phone can be reached by the IVR, you'll be alright. .
  • Transfer or Alternative Number – If you don't have an extension or IVR, the CA can also have the receptionist (or whoever answers your phones) transfer them or provide them with your direct number.

From there, just answer the CA's questions (like we said, they're not trying to trick you with anything too challenging) and you'll have satisfied the final requirement.

Now all that's left is for the CA to issue you the SSL certificate, then you'll need to install it.