Organization Validation

OV (Organization Validation) SSL certificates contain company information based on a validation that is performed manually by CA, i.e., the certificate applicant is verified and a verbal validation of the applicant is also performed by calling an existing phone number from a public database.

How the OV certificate is validated?

Company SSL certificates go through a complete process of manual validation, which verifies the domain owner, the applicant's company and at the same time verbal validation takes place in the form of telephone verification of the contact person. The validation procedure and verification rules are approximately the same for all certification authorities.

1. Domain verification

   In order to successfully meet the domain verification requirement, it is necessary to prove that the certificate applicant has the right to manage the domain (it is the owner or administrator). This is done in the same way as domain validation by sending an email to the selected mailbox in the domain. According to the rules, these are only the following mailboxes: admin@, administrator@, webmaster@, hostmaster@ or postmaster@. It is also possible to choose FTP or DNS validation.

2. Company verification

   The certification authority completely verifies the company applying for the certificate in a public database (state Commercial Register). It is therefore necessary that all public information is the same as in the completed order. If the company cannot be simply validated, there are alternative methods of verification, for example using sample forms, which are chosen according to the situation.

3. Contact verification

   A copy of a government-issued photo ID is required to verify the requestor (admin contact) on the order.
   A copy of a government-issued photo ID such as a valid driver's license, passport, national ID, or military ID that includes your name which matches the name on the order. And "selfie" - a photo of you holding the government-issued photo ID. The photo MUST clearly show your face and the government photo ID that is readable and can be compared to the copy provided in document.

4. Phone verification

   Verification of the telephone contact is performed by the certification authority on the basis of an authoritative database of 3rd parties. Certification Authorities respects Duns&Bradstreet and other databases. Always depends on CA internal procedures and rules.

5. Final telephone verification

   If the CA has performed all the verification of the applicant, it makes the final call. This verification is performed in English by default and the CA employee asks about common things such as the company name, domain name, verifies whether a certificate has been requested. This phone is short and can be used by a person with a minimal knowledge of English.
   The Sectigo certification authority makes an automated call, first sending an e-mail with a link to the validation page, where it is possible to select the call date. The best choice is "Call now". This is an automated callback process, where the applicant is given a verification code by phone, which is inserted into the form.

   If everything is OK, the standard OV certificates are issued after this step.

The average time for issuing an OV SSL certificate is 2-3 working days. If all the information is available and the company is established and functional, an OV certificate can be obtained in two days. However, if the certification authority is unable to find the necessary information, it will require additional verification using forms and the issuance of the certificate will be extended.

Useful links for validation

• Sectigo Validation
  • Sectigo help
• DigiCert Validation (GeoTrust, Thawte, RapidSSl)
  • DigiCert Documentation
• Certum Validation
  • The verification process and the documents required

Where next?

• How domain verification works (DV certificates)
• How to create Certificate Signing Request (CSR)
• Certificate formats (PEM, KEY, CSR, PFX, ...)
• What is SSL Certificate REISSUE