EV SSL achieves the highest level of consumer trust through the strictest authentication standards of any SSL certificate. EV verification guidelines require Trend Micro SSL to gather and verify multiple pieces of identifying information about the organization and organizational contact listed in the enrollment.
Organization Authentication Requirements
The following entities are eligible to receive an EV certificate provided they are currently registered with and approved by an official registration agency in their jurisdiction. The resulting charter, certificate, license or equivalent must be verifiable through that registration agency.
- Government agencies
- General partnerships
- Unincorporated associations
- Sole proprietorships
Trend Micro must be able to confirm all of the following organizational registration requirements:
Official government agency records must include:
- The organization’s registration number
- The organization’s date of registration/incorporation
- The organization’s registered address
A non-government data source (such as Dun & Bradstreet) must include the organization’s place of business address if it is not included in the Government agency records.
If the organization has been registered for less than three years, Trend Micro must verify operational existence through one of the following means:
- Through a non-government data source (such as Dun & Bradstreet) or
- By verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a Professional Opinion Letter or directly with the financial institution.
Domain Authentication Requirements
To qualify for an Extended Validation SSL certificate, domain registration details must reflect the full organization name as included in the certificate request. Where domain registration does not reflect the organization name as identified in the certificate request, positive confirmation of the organization’s exclusive right to use the domain name is required from the registered domain administrator or with a professional opinion letter.
- The domain must be registered with ICANN or IANA registrar (for CCTLDs). Domain registration details must be updated to reflect the organization name as included on the certificate request.
- Where domain registration is private, the domain registrar is required to unblock the privacy feature.
- The organization’s organizational contact must confirm knowledge of the organization’s domain ownership during the verification call.
Organization’s Organizational Contact Authentication Requirements
To qualify for an Extended Validation SSL certificate, the organizational contact identified in the certificate request must be employed by the requesting organization and have appropriate authority to obtain and delegate EV certificate responsibilities.
- Employment and authorization cannot be verified through the organization’s web site.
- If the organizational contact identified in the certificate request is listed in government records as a corporate officer (such as Secretary, President, CEO, CFO, COO, CIO, CSO, Director, or equivalent), then organizational contact employment and authorization can be approved without verifying this information as described below.
Trend Micro SSL must be able to confirm all of the following organizational contact requirements:
- Organizational contact’s identity, title, and employment through an independent source.
- Organizational contact is authorized to obtain and approve EV certificates on behalf of the organization. This can be verified through one of the following methods:
- Directly contacting the CEO, COO, or similar executive at the organization and confirming the authority of the organizational contact. If no public records are available regarding the CEO, COO, or other executive, Trend Micro SSL will attempt to contact the organization’s Human Resources department for contact details.
- A Professional Opinion Letter
Order Verification Requirements
Trend Micro SSL must verify the certificate request and all certificate details with the organizational contact identified in the certificate request. Trend Micro SSL must contact the organizational contact using an independently-verified telephone number.
This telephone number is obtained through one of the following methods:
- By researching qualified telephone databases to find a telephone number. Ensure your organization’s primary telephone number is listed in a public telephone directory.
- As provided in a Professional Opinion Letter.
- As confirmed during a site visit conducted by Trend Micro SSL.
During the verification call, Trend Micro SSL must verify the following with the organizational contact:
- The name of the Certificate Requestor identified in the certificate request and his or her authority to obtain the Extended Validation certificate on behalf of the organization.
- Knowledge of the company’s ownership and right to use the domain identified in the certificate request.
- Approval of the Extended Validation SSL certificate request.
- Acknowledgement of signature of Trend Micro SSL Certificate Subscriber Agreement that includes all Extended Validation terms and conditions.
Additional Verification requirements
If Trend Micro SSL is unable to verify any of the required information on your certificate application, we may request that you provide a Professional Opinion Letter from a lawyer or accountant to verify the information.