TLS certificate organization validation process

What is organization validation? Why is it important?

For OV and EV certificate orders, industry standards require DigiCert to validate the organization included in your certificate request before we can issue your certificate.

These checks are used to make sure you are who you say you are, to verify the legal existence of the organization, and to see if an organization is trustworthy enough for an OV or EV TLS certificate.

To complete your organization's validation, DigiCert must:

How do we validate your organization?

Although we can't go into specifics about what goes on behind the scenes in our organization validation process, here are a few key things to help you understand what to expect after you place an order.

To verify your organization's existence, status, etc., we check corporate registries, such as local government registration records, Dun & Bradstreet and Google Maps, along with fraud, phishing, government restricted entities, and anti-terrorism databases.

Additionally, we must verify the organization requesting the certificate is, in fact, the organization that gets the certificate.

Here are some of things we check:

  • Organization type
    Verify what type of organization we are issuing to, such as banks, universities, business, non-profits, etc.
  • Organization status
    Verify the status of the organization and if it is still an active business
  • Legal address
    Verify the legal physical address for the organization
  • Blacklists
    Verify the organization doesn't appear on any "do not issue" lists for organizations or for the country where the organization is located.
  • Fraud and phishing lists
    Verify the organization doesn't appear on "bad actor" lists
  • Request authenticity
    Confirm the certificate requestor's authority to order a certificate for your organization. See How do we confirm your authority?

Most of the organization verification work is done on our end, we generally ask for very little help from you. However, a DigiCert validation agent may reach out to you for an "acceptable" document to help us confirm your organization is a legally and lawfully formed organization. For more information about providing "acceptable" documents, see SSL Certificate Validation Process.

How do we confirm your authority?

To confirm your authority to order a certificate for the organization, we must first find a verified, publicly listed organization phone number, and not just any phone number will do. The organization's phone number must be from a 3rd party or independent listing.

Next, we use the verified phone number to speak with someone who represents the organization, such as an organization or technical contact, to verify your authority to request a certificate for the organization. We can also speak to you, the certificate requestor, if another representative is unavailable.

To help us confirm who we are looking for, we recommend listing your name in your company's directory and adding your name to your voicemail response.

What can you do?

  1. Answer our phone call to confirm your authority (preferred method)*

    After you submit your certificate order, make sure that the organization contact, technical contact, and your company's receptionist are aware that you’ve ordered a certificate and any one of them can answer our call.

    Let them know the following:

    • To expect a phone call from DigiCert within 24 hours.
    • To be ready to answer a couple of questions about you and your position in the company.

    We cannot issue your certificate until we confirm your authority.

  1. Respond to the organization consent message

    If the DigiCert validation agent can’t reach you directly or someone who represents you at the verified, publicly listed organization phone number, we'll leave a message that includes a call back phone number and a verification code.

    Make sure you, the receptionist, organization contact, or technical contact responds to the message and provides us with the verification code.

  1. Schedule a time for the call

    If the DigiCert validation agent can’t reach someone who represents you at the verified, publicly listed organization phone number, you may also get an email to schedule a time for us to call back to complete the verification.

    Use this link to schedule a time when the representative will be available to answer the call: https://digicert.simplybook.me/v2/#book. Appointments display in your local time. You don’t need to convert the time.