Extended Validation SSL Certificate FAQ

 Why were Extended Validation SSL (EV SSL Certificates) created?
"Hand-holding: Fraud-weary consumers look for the seal of approval," Internet Retailer, March 2006.) Before customers share their confidential data online, they want proof of identification from a trusted source. The Extended Validation SSL Standard raises the bar on verification of SSL Certificates and enables visual displays in high security browsers.

[Back to top]

 What is Extended Validation SSL?
Extended Validation SSL Certificates give high-security Web browsers information to clearly identify a website's organizational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organization name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL. Other browsers are expected to offer Extended Validation visibility in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates.

EV SSL Animation explaining 'green bar' in browser url.

[Back to top]

 What is a high-security browser?
Web browsers that were developed to recognize EV SSL Certificates are considered high-security browsers. They are designed to trigger unique visual cues to indicate the presence of an EV SSL Certificate. For instance, Internet Explorer 7 shows a green address bar and displays the name of the organization listed in the certificate as well as the certificate's security vendor. These displays make it easier for Web site visitors to quickly establish trust with the websites they visit. As of March of 2009, 70% of browsers in use worldwide were high-security and EV-enabled including Microsoft® Internet Explorer 7 and 8, Firefox 3, Opera 9.5, Safari 3.2, Google Chrome and Flock 2.0. (Market Share by Net Applications, March 2009, http://marketshare.hitslink.com).

[Back to top]

 What is the Extended Validation Standard?
In 2006, a group of leading SSL Certificate Authorities (CAs) and browser vendors approved standard practices for certificate validation and display called the Extended Validation Standard. To issue an SSL Certificate that complies with the standard, a CA must adopt the extended certificate validation practice and pass a Webtrust audit. The validation process requires the CA to authenticate the certificate applicant’s domain ownership and organizational identity, as well as the individual approver’s employment with the applicant, and authority to obtain the Extended Validation SSL Certificate. VeriSign's Certification Practice Statement outlines their authentication and verification processes.

[Back to top]

 How will Extended Validation SSL increase consumer confidence?
As people use the Web for commerce, business, and social activities, they share personal and confidential information. High profile incidents of fraud and phishing scams have made Internet users very concerned about identity theft. Before they enter sensitive data, they want proof that the website can be trusted and their information will be encrypted. Without it, they may abandon their shopping cart or other transaction and do business elsewhere. High security browsers and Extended Validation SSL Certificates provide third-party verification with a visual display that gives consumers confidence and builds trust in online business.

[Back to top]

 What are the benefits of Extended Validation SSL to website owners?
An Extended Validation SSL Certificate helps your visitors complete secure transactions with confidence and puts your organization in a leadership position. If your site has the “green bar” and your competitor’s site does not, you appear to be more trustworthy. That’s a competitive advantage in the world of e-commerce. For businesses with a high profile brand, using Extended Validation SSL is the most effective defense against phishing scams. When customers see the green bar and the name of your security vendor, they can interact with you online, with confidence.

[Back to top]

 Who is eligible to receive an EV SSL Certificate?
The CA/Browser Forum dictates what kinds of entities are eligible to obtain EV Certificates. The following entities are eligible provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency.

>> Government agencies

  • >> Corporations
  • >> General partnerships
  • >> Unincorporated associations
  • >> Sole proprietorships

The employment and authority of the person placing the certificate order must be verifiable. These business entities need to have a confirmable physical existence and business presence. Any assumed business names should be verifiable. A principal individual associated with the business must be validated and that person must confirm agreement to the certificate subscriber agreement. The entity cannot be located in a country where VeriSign is prohibited from doing business or listed on any government prohibited list such an embargo restriction.

In addition to the requirements described above, a legal opinion letter may be required to confirm that the requestor has the authority to obtain SSL Certificate(s) on behalf of the company. The legal opinion letter also may be used to confirm the organization registration, organization address, telephone number, domain ownership, and the organization’s business status. The physical address may, alternatively, be confirmed by a physical site visit. Once confirmed, the requestor may be able to purchase additional SSL Certificates based on the original letter. If a legal opinion letter cannot be obtained, our Certification Practice Statement outlines alternate authentication and verification processes.

[Back to top]

 What type of additional documentation does VeriSign require?
A legal opinion letter confirming that the requestor has the authority to obtain an SSL Certificate on behalf of the company must be submitted to VeriSign. The legal opinion letter also may be used to confirm the organization registration, organization address, telephone number, domain ownership, and that the organization is conducting business. Once confirmed, the requestor may be able to purchase additional SSL Certificates based on the original letter. If a legal opinion letter cannot be obtained, our Certification Practice Statement outlines alternate authentication and verification processes.

[Back to top]

 Can I renew SSL Certificates and add the Extended Validation Standard?
When you renew individual SSL Certificates, look for the upgrade to Extended Validation. Due to the additional steps in the verification process, enrollment may take longer than traditional SSL Certificates and the express guarantee for 2-day delivery does not apply. Managed PKI for SSL accounts must be pre-qualified to request Extended Validation SSL Certificates before traditional certificates may be converted to EV.

[Back to top]

 Why wouldn’t an IE7 browser recognize EV?
A browser identifies an SSL Certificate as authentic by checking to see if the certificate matches a valid SSL root resident on the client machine. VeriSign signs every EV SSL Certificate with two roots: an EV root and a traditional SSL root. With two roots, every browser will identify a valid SSL root, even older browsers that do not yet recognize EV. IE7 is designed to recognize Extended Validation, but may not correctly display in Windows XP because the traditional SSL root is matched rather than the EV root. Internet Windows XP systems do not automatically update the root store. Developed before the EV standard existed, Windows XP systems do not have the EV root locally resident unless it has been manually updated and, because the browser recognizes the traditional SSL root, it has no trigger to update the root store. VeriSign EV Upgrader technology, built directly into the VeriSign Secured® Seal, will trigger this manual update. Explorer 7 on Vista is designed to automatically update the root store on a weekly basis and should always recognize an EV Certificate and display it appropriately.

[Back to top]

 How does VeriSign EV Upgrader™ enable all IE7 browsers to recognize EV?
VeriSign EV Upgrader technology is built directly into the VeriSign Secured® Seal. The first time an IE7 client on Windows XP visits a Web site with a VeriSign seal and EV Upgrader the client browser will contact a Microsoft root store service and seamlessly install the VeriSign EV root. Once the EV root is stored, it will verify VeriSign EV SSL Certificates on any website and display green bar and organization name appropriately. The update happens in the background and without prompting from the user.

[Back to top]

 When will most Windows XP users have updated root stores?
Over 90,000 domains in 145 countries display the VeriSign seal. EV Upgrader has helped quickly update root stores for Windows XP IE7 users worldwide. VeriSign recommends that you install the VeriSign seal on your home page to ensure a prompt update and the display of the green address bar on transactional pages of Windows XP users.

[Back to top]