Understanding the SSL Validation Process


“Hey, I just bought an SSL certificate for my domain name, but the padlock symbol is still missing from my website. Is there a problem with my certificate?”

Customers who are purchasing SSL/TLS certificates for the first time tell us this every day. They get flustered when we tell them about the certificate signing request (CSR) generation, SSL validation, and installation processes, which is understandable. That’s because they expect it to be a long and painful operation, which it isn’t (as you’ll soon discover).

If you’ve already purchased an SSL certificate and are looking for guidance on how to enable it, or you’re looking to buy a new one, this article will direct you through the entire SSL validation and authentication process. Check out these two tools on CSR generation and SSL certificate installation for the other two sections of the SSL activation phase.

What Is SSL Validation?

The response to this question will be in two parts.

First, some people searching for answers to this query on the internet are looking for an SSL certificate checker. This tool is useful for ensuring that a certificate has been correctly implemented and that no problems have arisen as a result of the installation process.

The second reason people ask this question is that they want to learn more about SSL validation in terms of certificates.

When you purchase an SSL licence, it is not immediately installed on your server. You must show that you own the certificate authority (CA) that issued the certificate and that you own the domain for which the certificate was issued.

The CA verifies whether your website is sponsored by and belongs to a legitimate company when you get a business authenticated SSL certificate. SSL validation (also known as SSL authentication) is a mechanism that verifies the ownership of a domain and the legitimacy of a company.

The 3 Types of SSL Validation Levels

According to the validation specifications, an SSL certificate can be divided into three categories:

1) Domain Validation (DV): This procedure allows you to show that you own a domain (and nothing else).

2) Organization Validation (OV): This protocol entails both data validation and business authentication.

3) Extended Validation (EV): This method requires domain and organisation validation, as well as the requirement that your company be at least three years old and in good standing.

If you’re unsure of SSL certificate you purchased (DV, OV, or EV), please contact your certificate provider and inquire. In general, if the certificate does not provide any validation information, it is a simple DV SSL certificate.

How to Complete the SSL Authentication Process

Let’s look at the steps in each form of SSL validation procedure.

Breaking Down the Domain Validation Process

You can use this simple SSL validation type to show that you own a domain. DV SSL certificates are SSL certificates that only need domain validation. The CA verifies that the public key (CSR code) you sent to the CA is valid and belongs to the server that hosts the claimed website. The CA verifies your ownership in two ways:

Email Verification

The CA sends you an email with a verification connection to an email address that only a legal person can access. The connection can be sent to one of these five email addresses (chosen by you).

    • Admin@yourdomain.com
    • Administrator@yourdomain.com
    • Webmaster@yourdomain.com
    • Hostmaster@yourdomain.com
    • Postmaster@yourdomain.com

They don’t send emails to addresses like Gmail, Yahoo, or Hotmail. You just need to click the verification connection once you receive the text, and you’re done!

File Verification

The CA will give you some files and tell you to place them in a particular folder in the root directory. You can use this method instead of the email SSL validation process if you can’t get or afford an email address with your domain name from your hosting company or Google Suite.

Breaking Down the Organization Validation Process

If you purchase an OV SSL certificate, you must complete all of the steps required for a DV SSL certificate, as well as a business verification process. This allows you to claim your identity in a more effective way, which will help you gain the confidence of your site’s tourists.

The following are the OV requirements:

Complete the Enrollment Form

The CA will give you an enrollment form via email after you purchase an OV SSL certificate. On the form, you must fill in the following information:

    • Data about the company’s registration.
    • If your company operates under trade names, assumed names, or DBAs, you must specify this in the form.
    • Locality information for the entity (same as in registration papers) that demonstrates it has a physical presence in a particular city, state, or region.
    • An official phone number for getting in touch with the organization.
    • The full name and official title of the organizational touch.
    • The signature of the organizational touch, as well as the date and location of signing.

You’ll need to print the file, sign it, and then scan or fax it back to the California Agricultural Experiment Station. (Electronic transfers are not permitted.)

Await Organization Authentication:

The CA’s workers can manually search to see if your company is licensed and operating in your jurisdiction. They will look up your business entity’s registration status in online government databases in your local municipality, state, or region. You’re good to go if all of the specifics fit and CA is happy.

Prove Locality Presence:

The CA will check to see if your organization has a legitimate, physical presence in the address you given. They’ll look up your company’s registration information in the local online government database, such as its city, state, and region.

Complete Telephone Verification

CA will search online government databases to validate the phone number you provided on the enrolment form. If they can’t check your phone number from there, they’ll look it up on the internet or in a third-party directory like Kompass, Infobel, or Yellow Pages. The listing must have the same company name and physical address as the one that has been checked.

Await Domain Authentication

You’ve completed all of the domain verification steps at this stage (email or file verification). Organization validation, on the other hand, entails a few extra steps. The CA can verify that your company owns the domain by reviewing the WHOIS records.

However, most hosting companies charge a small fee for a service called “domain protection,” which hides your information from WHOIS records. If you’ve chosen that choice, you’ll need to ask your hosting company to keep your WHOIS records open until your SSL authentication is complete.

Important Note: You will be asked to include one of the following if there is some inconsistency in the details — if the CA detects anything fishy during the SSL authentication phase in the above three verifications — or if you want to keep WHOIS records private.

    • Documents of the official registration
    • Credit report from Dun & Bradstreet
    • Legal Opinion Letters, or Professional Opinion Letters (POLs) obtained by a lawyer or an accountant

Complete the Final Verification Call

To confirm the specifics of the request, the CA will call your office number and speak with an approved individual (or the person who applied for the SSL certificate). The CA can contact you via extensions or Interactive Voice Response (IVR) if you don’t have a direct phone number.

The CA will give you an OV SSL certificate if all six SSL verification steps are successfully completed.

Breaking Down the Extended Validation Process

When it comes to the verification process, there is a fine line between company validation and extended validation. You must complete all of the DV and OV measures, but you must also demonstrate your organization’s organizational life.

What We Mean by ‘Operational Existence’

The CA must verify that your company has been in business for at least three years. Once again, the CA will confirm your company’s operational presence by looking up your incorporation date in an online government database — either in your local municipality, state, or region.

If your business is located in a municipality that does not maintain online records, you must have official registration documents that include the date of incorporation.
You will still get an EV SSL certificate if your company is less than three years old but is well-established and in good standing. All you have to do now is provide supporting documentation such as a Dun & Bradstreet credit report, a legal opinion letter, or a confirmation letter from the bank where your business has an active checking account.

It’s important to remember that you don’t have to send any of the papers. In most cases, the CA will tell you which documents you need to send. On a case-by-case basis, the requirement varies.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.