Skip to main content

TLS certificate organization validation process

What is organization validation? Why is it important?

For OV and EV certificate orders, industry standards require DigiCert to validate the organization included in your certificate request before we can issue your certificate.

These checks are used to make sure you are who you say you are, verify the organization's legal existence, and see if an organization is trustworthy enough for an OV or EV TLS certificate.

To complete your organization's validation, DigiCert must:

How do we validate your organization?

Although we can't go into specifics about what goes on behind the scenes in our organization validation process, here are a few key things to help you understand what to expect after you place an order.

To verify your organization's existence, status, etc., we check corporate registries, such as local government registration records, Dun & Bradstreet, and Google Maps. We also check for a history of fraud or phishing and whether your organization is in government-restricted entities or anti-terrorism databases.

Additionally, we must verify the organization requesting the certificate is, in fact, the organization that gets the certificate.

Here are some details we check:

  • Organization type

    Verify what type of organization we are issuing to, such as banks, universities, businesses, non-profits, etc.

  • Organization status

    Verify the organization's status and if it is still an active business.

  • Legal address

    Verify the legal, physical address of the organization.

  • Blocklists

    Verify the organization doesn't appear on any "do not issue" lists for organizations or for the country where the organization is located.

  • Fraud and phishing lists

    Verify the organization doesn't appear on "bad actor" lists.

  • Request authenticity

    Confirm the certificate requestor's authority to order a certificate for your organization. See How do we confirm your authority?

Most of the organization verification work is done on our end. We generally ask for very little help from you. However, a DigiCert validation agent may contact you for an "acceptable" document to help us confirm your organization is legally and lawfully formed. For more information about providing "acceptable" documents, see SSL Certificate Validation Process.

How do we confirm your authority?

To confirm your authority to order certificates for the organization, we must first find a verified, publicly listed organization phone number. The organization's phone number must be from a 3rd party or independent listing.

Next, we use the verified phone number to speak with someone who represents the organization, such as an organization or technical contact, to verify your authority to request a certificate for the organization. We can also speak to you, the certificate requestor, if another representative is unavailable.

Notice

To help us confirm who we are looking for, we recommend listing your name in your company's directory and adding your name to your voicemail response.

What can you do?

  • Answer our phone call to confirm your authority (preferred method)*

    After you submit your certificate order, make sure that the organization contact, technical contact, and your company's receptionist know that you've ordered a certificate and that any of them can answer our call.

    Let them know the following:

    • Expect a phone call from DigiCert within 24 hours.

    • To be ready to answer a couple of questions about you and your position in the company.

    We cannot issue your certificate until we confirm your authority.

  • Respond to the organization consent message

    If the DigiCert validation agent can't reach you directly or someone who represents you at the verified, publicly listed organization phone number, we'll leave a message with a call-back phone number and a verification code.

    Make sure you, the receptionist, the organization contact, or the technical contact responds to the message and provides us with the verification code.

  • Schedule a time for the call

    If the DigiCert validation agent can't reach someone who represents you at the verified, publicly listed organization phone number, you may also get an email to schedule a time for us to call back and complete the verification.