There are three main ways of validating SSL certificates: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). In this article we discuss each of these validation types in detail and clarify the process and timings involved in each of them.
What is the need for these validations?
These validations, regardless of type, allow the certificate authority (CA) to confirm that the entity requesting a certificate is who it claims to be and/or is the owner/manager of the address(es) that the SSL certificate will cover. It is therefore important that the data provided, both the addresses to be certified and the information about the requesting entity, is reliable.
Certificates with Domain Validation (DV SSL)
These certificates have the least rigorous validation process. To obtain one, you only need to confirm that you control the domain you want to certify, using one of the methods described below. No identity information about the entity requesting the certificate (the client) is verified, and none is displayed in the certificate details beyond the encryption parameters and the issuing entity of the SSL certificate. A visitor can therefore confirm that data sent over a connection protected by the certificate is indeed encrypted, but cannot learn anything about the entity receiving that data.
The great advantages of this type of certificate are cost and speed of issuance. These certificates suit those who want an affordable solution and only need certified secure access (HTTPS), such as blogs, portfolios, informational websites or small businesses that do not sell products online.
How is the domain validation process carried out?
Domain validation can be performed using the following methods:
By sending an e-mail
With this method, an email is sent to one of a set of addresses pre-defined by the certificate authority (CA), from which you choose. Note that the CA cannot send to any e-mail address outside this list:
admin@your_Domain.com
administrator@your_Domain.com
hostmaster@your_Domain.com
postmaster@your_Domain.com
webmaster@your_Domain.com
That email contains a link to the Certificate Authority's (CA) platform, which you must open to validate and approve the data using the security code provided.
Via DNS record (CNAME or TXT record)
With this method, you are asked to create a DNS record, of CNAME or TXT type, with values determined and communicated by the certificate authority (CA) during the SSL certificate request process. The record usually follows this format:
_<MD5 hash>.yourdomain.com. CNAME <SHA-256 hash>.[<uniqueValue>.]sectigo.com.
Example:
Host: _c7fbc2039e400c8ef74129ec7db1842c.yourdomain.com.
Type: CNAME
Value: c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.sectigo.com.
Or
Host: yourdomain.com.
Type: TXT
Value: _entitycaa-domain-verification=NaygyAN9M8bSb6tf6d-6564HA-THsa7AS8
If the base domain of the address to be certified uses WebHS nameservers, the WebHS technical team can create / configure the CNAME or TXT record required for validation.
Via file / HTTP or HTTPS access (not applicable to wildcard certificate validation)
With this method, the certificate authority (CA) determines and communicates the content that must be placed in a file with a .txt extension and a name it also specifies. The file must be placed at a specific path within the web hosting space reachable through the address for which the SSL certificate is being generated; the URL must be accessible both with and without 'www'.
Example:
http://yourdomain.com/.well-known/pki-validation/file_name.txt (the URL must be accessible both with and without 'www')
As with the previous method, if the address to be certified uses WebHS nameservers, the WebHS technical team can create / place the file in the correct path.
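The DNS and file methods above both come down to the CA looking for a value it dictated at a place it dictated. The following pre-flight checker, an added example that is not WebHS or CA code, reproduces that check from the requester's side so a missing record or an unreachable 'www' form is caught before the CA attempts validation. It assumes the caller supplies a DNS lookup function (for example one backed by dnspython); the zone and site contents embedded below are constructed samples mirroring the article's examples, not real records.

```python
"""Pre-flight check for a Domain Validation (DV) challenge, run before
asking the CA to verify. Added example, not WebHS or CA code: it only
confirms that the record or file the CA asked for is publicly visible,
so a failed validation round-trip can be avoided."""
import urllib.request
from typing import Callable, Iterable, Optional

# Assumption: the caller supplies a resolver, lookup(name, rtype) -> record
# values (for example, backed by dnspython). A constructed fake is used below.
Lookup = Callable[[str, str], Iterable[str]]
Fetch = Callable[[str], str]


def norm_record(value: str, rtype: str) -> str:
    """DNS names compare case-insensitively and with or without a trailing dot;
    TXT data is compared exactly, after stripping the quotes resolvers add."""
    value = value.strip().strip('"')
    if rtype == "TXT":
        return value
    return value.rstrip(".").lower()


def dns_challenge_ok(host: str, rtype: str, expected: str, lookup: Lookup) -> bool:
    """True if a CNAME or TXT record at `host` carries the CA-supplied value."""
    rtype = rtype.upper()
    if rtype not in ("CNAME", "TXT"):
        raise ValueError("DV DNS challenges use CNAME or TXT records")
    name = norm_record(host, "CNAME")          # normalise the owner name
    found = {norm_record(v, rtype) for v in lookup(name, rtype)}
    return norm_record(expected, rtype) in found


def http_challenge_urls(domain: str, file_name: str) -> list:
    """Both URLs the CA fetches: the bare domain and the 'www' form."""
    if domain.startswith("*."):
        raise ValueError("file validation is not applicable to wildcard names")
    bare = domain.lower().rstrip(".")
    if bare.startswith("www."):
        bare = bare[4:]
    path = "/.well-known/pki-validation/" + file_name
    return ["http://" + bare + path, "http://www." + bare + path]


def http_challenge_ok(domain: str, file_name: str, expected: str,
                      fetch: Optional[Fetch] = None) -> bool:
    """True only when BOTH URL forms serve exactly the content the CA dictated."""
    if fetch is None:
        def fetch(url: str) -> str:            # live fetch; tests inject a fake
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
    for url in http_challenge_urls(domain, file_name):
        try:
            body = fetch(url)
        except OSError:                        # connection error or HTTP 4xx/5xx
            return False
        if body.strip() != expected.strip():
            return False
    return True


# Constructed sample zone and site mirroring the article's examples (not real records).
SAMPLE_ZONE = {
    ("_c7fbc2039e400c8ef74129ec7db1842c.yourdomain.com", "CNAME"):
        ["c9c863405fe7675a3988b97664ea6baf.442019e4e52fa335f406f7c5f26cf14f.sectigo.com."],
    ("yourdomain.com", "TXT"):
        ['"v=spf1 -all"', '"_entitycaa-domain-verification=NaygyAN9M8bSb6tf6d-6564HA-THsa7AS8"'],
}
SAMPLE_FILE = "A1B2C3D4E5F6\nsectigo.com\n"
SAMPLE_SITE = {  # the 'www' form is deliberately missing to show the failure
    "http://yourdomain.com/.well-known/pki-validation/file_name.txt": SAMPLE_FILE,
}


def sample_lookup(name: str, rtype: str):
    return SAMPLE_ZONE.get((name, rtype), [])


def sample_fetch(url: str) -> str:
    if url not in SAMPLE_SITE:
        raise OSError("404 " + url)
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    print("CNAME ok:", dns_challenge_ok("_c7fbc2039e400c8ef74129ec7db1842c.yourdomain.com.",
          "CNAME", "C9C863405FE7675A3988B97664EA6BAF.442019e4e52fa335f406f7c5f26cf14f.sectigo.com",
          sample_lookup))
    print("TXT ok:", dns_challenge_ok("yourdomain.com", "TXT",
          "_entitycaa-domain-verification=NaygyAN9M8bSb6tf6d-6564HA-THsa7AS8", sample_lookup))
    print("HTTP ok:", http_challenge_ok("yourdomain.com", "file_name.txt", SAMPLE_FILE, sample_fetch))
```

The HTTP check deliberately fails when only one of the two URL forms serves the file, which is the most common reason this method fails in practice; the DNS check accepts a CNAME target in any letter case or with a trailing dot, but requires the TXT token to match exactly.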
Certificates with Organization Validation (OV SSL)
This type of SSL certificate adds a layer of validation on top of DV SSL. In addition to the domain validation described above, which is equally required, the data of the organization requesting the SSL certificate is validated. That information is then included in the certificate details, alongside the encryption parameters and the issuing entity of the SSL certificate.
These certificates offer some additional advantages over DV SSL, such as greater credibility and a stronger sense of security for the visitor, who can confirm from the certificate details that a real entity has provided proof of its existence. They also generally carry a higher warranty (guarantee) amount.
What does the organization's validation process consist of?
To validate the information of the organization requesting the certificate, the certificate authority consults several entities / databases (Trusted Sources) and matches them against the information provided by the requesting entity. For the validation of Portuguese entities, the certificate authority (CA) consults the following websites / platforms:
https://www.infobel.com/en/portugal
https://pt.kompass.com/
http://www.118net.pt/
https://www.pai.pt/
https://www.einforma.pt/
Once the information has been validated, the process is completed with a final verification by phone. This may be automated, with a security code supplied so that you can complete the validation via a link, or a personal call from an operator for verbal validation. The call is made to the telephone number publicly listed on the websites mentioned above. A different phone number cannot be used unless it is proven, by sending the proper documentation, that the new number belongs to the organization / company. This phone validation is carried out in English by the certificate authority (CA).
It is therefore extremely important to keep the public records about your organization reliable and up to date.
Once all the validations mentioned above have been completed, issuance of the requested SSL certificate begins. Note that all of these validations are repeated when the same SSL certificate is renewed, so renewal of this type of certificate (OV SSL) should be started some time in advance of the expiry date to avoid the certificate expiring during the validation process.
Certificates with Extended Validation (EV SSL)
Extended Validation (EV SSL) certificates have the most complex validation process. In addition to the validation processes described above (domain validation and organization validation), extra validation of information about at least one of the people responsible for the entity requesting the certificate is required. Therefore, as mentioned before, the following checks are carried out:
The WHOIS information of the domain to which the EV SSL certificate will be applied is checked against that of the entity requesting the certificate.
It is checked that the applicant matches the entity on whose behalf the certificate was requested.
The name of the entity requesting the certificate must exactly match the company name in the public records available on the following platforms:
https://www.infobel.com/en/portugal
https://pt.kompass.com
http://www.118net.pt
https://www.pai.pt
https://www.einforma.pt
The address given by the applicant must exactly match the address in the public records on the platforms mentioned above. If it differs, the certificate authority (CA) may request documents proving that the applicant entity exists at the stated address.
The phone number publicly listed on those platforms is also validated by a call, with personal verbal validation, carried out in English.
Extended validation certificates help prevent phishing attacks by enabling the green address bar in the browser, which gives all visitors to your website(s) even greater assurance. This is therefore the type of SSL certificate recommended for websites that handle transactions involving sensitive information.
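The OV and EV sections above both say that the validated organization data ends up in the certificate details, and the OV section notes that renewal repeats the whole validation. The following script, an added example that is neither the article's nor any CA's code, reads those details the way a visitor's client sees them (the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`) to tell DV, OV and EV apart, and flags OV/EV certificates whose renewal should already be under way. The EV-only Subject attributes listed in `EV_ONLY` follow the CA/Browser Forum EV Guidelines rather than anything in the article; the three sample certificates are constructed, not real.

```python
"""Tell DV, OV and EV certificates apart from what the certificate details
actually show, and flag OV/EV certificates whose renewal (which repeats the
validation) should already be under way. Added example, not the article's or
any CA's code. Certificates are the dict returned by ssl.SSLSocket.getpeercert()
(subject as a tuple of RDN tuples); the EV-only Subject attributes listed in
EV_ONLY follow the CA/Browser Forum EV Guidelines, not the article."""
import socket
import ssl
import time
from typing import Optional

# Subject attributes that only appear when an EV validation was performed.
EV_ONLY = {"businessCategory", "jurisdictionCountryName",
           "jurisdictionStateOrProvinceName", "jurisdictionLocalityName",
           "serialNumber"}


def subject_fields(cert: dict) -> dict:
    """Flatten getpeercert()'s subject: ((('countryName','PT'),), ...) -> {name: value}."""
    out = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            out[name] = value
    return out


def validation_level(cert: dict) -> str:
    """DV: no organization asserted; OV: organization present; EV: EV-only fields too."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    if EV_ONLY & fields.keys():
        return "EV"
    return "OV"


def expires_at(cert: dict) -> int:
    """notAfter as Unix seconds (ssl.cert_time_to_seconds parses the GMT format)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def renewal_due(cert: dict, lead_days: int, now: Optional[float] = None) -> bool:
    """True if fewer than `lead_days` remain; OV/EV renewals should start early
    because the organization (and phone) checks are repeated at renewal."""
    if now is None:
        now = time.time()
    return expires_at(cert) - now < lead_days * 86400


def fetch_cert(host: str, port: int = 443) -> dict:
    """Live helper (needs network): what a visitor's client receives from `host`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real certificates).
DV_SAMPLE = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")),
    "notAfter": "Jun 15 12:00:00 2026 GMT",
}
OV_SAMPLE = {
    "subject": ((("countryName", "PT"),), (("localityName", "Lisboa"),),
                (("organizationName", "Example Company, Lda"),),
                (("commonName", "www.yourdomain.com"),)),
    "notAfter": "Jun 15 12:00:00 2026 GMT",
}
EV_SAMPLE = {
    "subject": ((("jurisdictionCountryName", "PT"),),
                (("businessCategory", "Private Organization"),),
                (("serialNumber", "500000000"),),
                (("countryName", "PT"),), (("localityName", "Lisboa"),),
                (("organizationName", "Example Company, Lda"),),
                (("commonName", "www.yourdomain.com"),)),
    "notAfter": "Jun 15 12:00:00 2026 GMT",
}

if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(label, "->", validation_level(cert), "| renew now?", renewal_due(cert, 30))
```

Replace the samples with `fetch_cert("yourdomain.com")` to inspect a live site; the classification only looks at the Subject, so it mirrors what the article says a visitor can and cannot learn from the certificate details, and the renewal lead time is a parameter because the article gives no fixed figure.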