The SSL certificates with domain verification , or as some call them, the entry-level certificates are the most common in the world, and this is not surprising, because the emission rate of these certificates varies from 2-10 minutes, depending on the brand . To obtain a certificate of this type, no documents are required, the whole process is extremely simple, you need to confirm domain ownership, and for this there are 3 ways, one main and two alternatives.

Entry-level SSL certificates with domain verification are one of the fastest-issued types of certificates because they require no documents. We recommend these certificates for small sites and small projects, when you don’t need a lot of trust from customers and visitors to the site, project.

With a certificate of this type, static security logos are most often used, however there are some that offer dynamic logos, for example: Thawte SSL 123, Sectigo SSL Certificate.

Validation methods

Here is a brief overview of the verification methods available for domain validation certification.

Validation via email (DCV Email)
This method is described on many sites and blogs, the point is that the certification authority will send you a verification letter in which there will be a link to confirm ownership of the domain. This letter can be sent either to the e-mail address specified in the Whois of your domain, or to one of the five gilded ones: admin @, administrator @, hostmaster @, postmaster @, webmaster @

Validation via DNS CNAME
A fairly popular method, for those who do not have a mail server configured, and whois emails are closed with private registration. The bottom line is simple, you have to make a special entry in your DNS, and the certification authority will check it. The method is completely automatic.

Validation via a Hash file (HTTP CSR Hash Hash)
An even simpler method is that you will be provided with a special .txt file that you will have to upload to your server, the certification authority will check its availability and a certificate will be issued . The method is completely automatic.

SSL certificates mostly use RSA keys, and the recommended size of these keys is steadily increasing (for example, from 1024 bits to 2048 bits in recent years), which is associated with maintaining sufficient cryptographic strength.

Both types of keys are based on the use of asymmetric algorithms (a key for coding and a key for decoding). However, ECC has the same level of cryptographic strength, despite having much smaller keys, which allows for greater security along with reduced calculation requirements.

Let’s see what ECC is and why we should consider using it.

What is an ECC?

ECC (Elliptic Curve Cryptography) is a public key cryptography method based on the use of elliptic curves on finite fields. The most important difference between ECC and RSA is the size of the key compared to the cryptographic strength. ECC is able to provide the same cryptographic strength as the RSA system, but with much smaller keys. For example, a 256-bit ECC key is equivalent to 3072 bits of RSA keys (which are 50% longer than the 2048-bit keys used today). Finally, the safest symmetric algorithms used in TLS (for example, AES) use at least 128-bit keys, so switching to asymmetric keys seems to be the most rational step.

Why use ECC?

The small size of the key makes ECC the ideal choice for devices with limited storage or processing resources that are increasingly found in the IoT field. Speaking in the context of server-side uses, the small size of the keys allows you to speed up your SSL handshake (handshake), which translates into faster page loading and greater security.

What are the cert that support ECC?

• All Sectigo SSL certificates;
• All GGSSL certificates;
• Symantec PRO products.

EV SSL Certificate – A certificate used to configure HTTPS support on a site.

To obtain an EV certificate, it is necessary to confirm the existence of the company on whose behalf the certificate is issued in a certification center. Browsers show information about the existence of the company both in front of the site’s domain name.

EV certificates use the same security methods as DV and OV certificates: a higher level of protection is provided by the need to confirm the existence of a company in a certification authority.

The criteria for issuing EV certificates are defined by a special document: Guidelines for extended validation, currently (from 1 August 2019) the version of this document is 1.7.0. The manual was developed by CA / Browser Forum, an organization whose members are certification authorities and Internet software vendors, as well as representatives from the legal and audit professions.

The motivation to get a certificate

An important reason for using digital certificates with SSL / TLS is to increase trust in online transactions. This requires that website operators are tested for a certificate. However, commercial pressure has prompted some certification authorities to introduce lower level certificates (domain validation). Domain validation certificates already existed before extended validation and, as a rule, only a certain confirmation of domain control is required to obtain them. In particular, the domain validation certificates do not state that this legal entity has any relationship with the domain, even if on the site it can be written that it belongs to a legal entity.

At first, the user interfaces of most browsers did not distinguish between domain validation certificates and extended validation certificates. Since any successful SSL / TLS connection led to the creation of a green lock icon in most browsers, users were unlikely to know if the extended validation site was confirmed or not (in January 2019, Chrome removed the green icons in the browser). As a result, scammers (including those involved in phishing) were able to use TLS to increase the credibility of their websites. Users of subsequent browsers can always verify the identity of the owners of the certificates by examining the information on the issued certificate that is indicated there (including the name of the organization and its address).

EV certificates are checked to verify compliance with both basic and advanced requirements. Manual verification of domain names requested by the applicant, verification by official government sources, verification by independent information sources and phone calls to the company are required. If the certificate has been issued, the company serial number registered by the certification authority, as well as the physical address, are stored in it.

EV certificates are designed to increase user confidence that the website operator is a truly existing organization. However, there is still concern that the same lack of accountability that led to the loss of public confidence in DV certificates leads to the loss of value of EV certificates.

Delivery criteria

Only certification authorities that have passed a qualified independent audit can offer EV certificates, and all centers must follow the release requirements, which are targeted:

• Establish the existence of a legal person and the owner of the site;
• establish the fact that a legal person owns this domain;
• Confirm the identity of the site owner and the authority of the people acting on behalf of the site owner.

With the exception of EV certificates for .onion domains, a wildcard certificate with Extended Validation cannot be obtained – all fully qualified domain names must instead be included in the certificate and verified by a certification authority.

User interface

EV-enabled browsers show the availability of the certificate – usually a combination of the organization name and the location of the organization. Microsoft Internet Explorer, Mozilla Firefox, Safari, Opera and Google Chrome browsers support EV.

The extended verification rules require participating certification authorities to assign a specific EV identifier after the certification authority has completed an independent audit and other criteria have been met. Browsers remember this identifier, match the EV identifier in the certificate with that of the browser for the certification authority in question: if they match, the certificate is recognized as valid. In many browsers, an EV certificate is reported by:

• The name of the company or organization to which the certificate belongs.
• A distinctive color, usually green, displayed in the address bar, indicating that the certificate has been received as HTTPS.
• The “lock” symbol is also present in the address bar. By clicking on the “padlock”, you can get more information on the certificate, including the name of the certification authority that issued the EV certificate.

Update 29.09.2019!

Version 77 of Google Chrome is now released for Windows, Linux, macOS, ChromeOS, IOS and Android users. The new release has removed the UI indicator for Extended Validation (EV) certificates from the browser’s address bar, it is also known as the “Green Address Bar”.

Adding a 2048 bit SSL certificate with SHA-256 hash algorithm is a legal and approved method to increase the ranking of your website in Google Search.

Google announced that any website with trusted SSL would have better positions than those websites that do not have an active SSL certificate.

As the Internet intertwines with our daily lives, the level of digital fraud is growing – and the user is well aware of it. Suppliers of goods and services must win the trust of their potential customers, and this is especially true for the world of e-commerce: if there is no trust, there is no desire to make a purchase. The first way to build customer trust is to ensure that the user is protected. If the customer sees that the site owner is doing all he can to ensure the security of his transactions, then the probability of making a purchase grows significantly.

The speech is also true: if the buyer understands that the owner of the site is not particularly concerned about the security of user data, the buyer will make his purchase on another site, where he will feel more secure. This is basic sanity: which online store inspires the most trust – with or without the SSL trust seal?

Impact of the Site Seal on conversions

Having understood this, it is not difficult to guess, and this is confirmed by statistics that the presence of an SSL certificate and a trust seal, which is provided by a certification center, directly affects the customer acquisition indicators, and this effect it is quite significant. For example, according to a study by VeriSign (Symantec) on the Central Reservation Service’s hotel room booking website, the conversion increased by 30% after the publication of a trust seal that said that SSL was protected by certificate.

The site seals increase control of the store center

Conversion is not all that is affected by the SSL trust seal. When a user trusts more than one website, he is ready not only to make a purchase but also to spend more money. This means that on the site with the trust seal installed, both the conversion and the average check are the most important indicators of the effectiveness of the online store.

As reported in a report on one of Comodo’s case studies, the conversion on the customer site increased by 11%, but beyond that site visitors spent 23% more on a single purchase than before. installation of the SSL certificate and the Comodo trust seal (Sectigo now). In light of these statistics, it is hardly surprising that the Netcraft analytics firm in 2011 determined that almost all the largest websites in the world have an SSL certificate with Extended Validation or simply with a Corporate Validation.

Advantages of the Site Seal

• increase trust in the website and online business;
• confirms that the organization has been verified by a trusted certification authority;
• creating a sense of trust among visitors that is needed to complete transactions;
• increase the conversion level of the site.

The SSL Certificates multi-domain , also known as Unified Communications Certificates (UCC) and Subject Alternative Name (SAN) .

They all solve the requirement of protecting multiple domains and subdomains. They are very popular for companies that manage various local websites. Content Delivery Networks (CDNs) use them to protect all their customers.

The modern SAN SSL supports up to 250 articles, where each article can be used for the domain or subdomain. Some products such as Wildcard Wildcard Multi-Domain SSL certificates may support * .domain.tld (Wildcard domains) as a SAN element.

SAN certificates are compatible with MS and other exchange servers. It is very convenient to use them, as you only have one CSR and one private key, which makes management quite simple.

Managers of Sectigo and DigiCert certification authorities require manual review of all orders if an order is reported for manual review / check.

It usually takes about 1-2 business days to review orders. Make sure your website is online and working while doing the manual check, as they may reject SSL if no website is loaded. There are multiple reasons why an order can be “frozen” for manual checking.

Most common reasons to get stuck for manual or brand validation

• Some countries can be examined manually, for example South Korea, North Korea, Sudan, Afghanistan, Iran, Iraq;
• Countries with restrictions. The order comes from countries such as Afghanistan (AF), Ivory Coast (CI), Cuba (CU), Eritrea (ER), Guinea (GN), Iraq (IQ), Iran (IR), Democratic People’s Republic of Korea (KP ), Liberia (LR), Myanmar (MM), Rwanda (RW), Sudan (SD), Sierra Leone (SL), South Sudan (SS), Syrian Arab Republic (SY), Zimbabwe (ZW).
• The domain name includes the famous brand, for example, facebook-app.com, sony-shop.net, dellshop.com;
• The domain name has a similar trademark, for example, your domain is “sibmama.com”, but the validation system may read it as “sIBMama” and mark the “IBM” trademark. Managers control these cases manually;
• The domain name has “stop words”, for example, “pay, online, secure, booking, shop, bank, bank transfer, money, e-payment, payment, protection, violence, terrorists and others”, in this case also the validation will be manual;
• The domain name is blacklisted OR has a bad reputation.

The SSL certificate validation company , also known as organization validation Certificates are products of strong confidence.

Technically, they provide the same level of encryption as any SSL DV certificate, but authenticate the company’s legal existence, address and telephone number. This brings greater trust from your existing and potential customers who visit your website or work with your online service.

SSL OV certificates always have a higher level of guarantee than DV certificates and this is an extra advantage.

Validation of OV certs takes about 1-5 days in case all the information provided on time.

Extended Validation SSL certificates are the most reliable and verified SSL products. It takes approximately 2-7 business days to pass validation in case all documents are correct and delivered on time. Please be patient, as the process may take some time.

First step – Signing of the agreement

You need to sign the EV subscription contract with a CA and there are few options to complete this step:

Sectigo / GGSSL
The best option is to use a one click link form, where you will sign an agreement using a digital signature, it only takes a few minutes. You should receive the email with the link within a few hours of placing the order.

ALTERNATIVES: Please fill in these two forms and send them to Sectigo:

1. Certificate request form
2. EV SSL Subscriber Agreement

Example Certificate request form
Example EV SSL Subscriber Agreement

DigiCert / Thawte / GeoTrust / Symantec
The validation team will send you the agreement during the verification process.

Second step – Validation of the organization

To pass Business / Organization validation, it  may  be necessary to provide some official registration documents to the certification center. Mostly they require a Business License / Incorporation / Registration Application. You can send them by post, fax or e-mail in PDF / JPG format. We strongly suggest using the email method.

Option A (most popular)
No paperwork. The legal existence of the company has been verified through the public government database using the company name or unique identification number (registration number) OR through verified third party public databases such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK, Lursoft .lv and others.

Option B (suggested)
Verifying the company with the LEI code only takes minutes / hour, not days and weeks. We strongly suggest using this method.

Option C
The company can be verified using one of the documents such as the Articles of Association, the commercial license issued by the government, the copy of a recent bank statement of the company, the copy of a recent telephone bill of the company, the copy of a recent utility bill. main users of the company (eg electricity bill, water bill, etc.).

Third step – DCV process

DCV (Domain Control Validation) is the verification of the ownership and control of domain names. It is possible to validate the domain through various methods such as validation via email, DNS CNAME and Hash file HTTP / HTTPS.

via email (most popular)
DCV via email is the most traditional method of passing ownership verification. The certification center will send an email to the administrative contact of your domain. The email contains a unique validation code and a link to a certification website to enter the code.

It is possible to use “magic five” e-mail addresses: admin @, administrator @, hostmaster @, webmaster @ and postmaster @. In some cases, WHOIS administrative e-mail can be used; private registration must be disabled.

via DNS CNAME
To validate the domain via DNS CNAME record, you must use the hashes that we extract from the CSR code you send. It takes from 10 minutes and up to 24 hours to validate the domain; it depends on your TTL DNS server.

via Hash file HTTP / HTTPS
Quick and easy method to pass the validation of the domain as it requires you to upload a text file (.txt) with hashes extracted from your CSR code. The file must be accessible from the web. Use the HTTPS method when SSL is already in use and the website is available through HTTPS: //

Fourth step – Recall process

The last step is a recall process. For SSL Extended Validation providers use the manual callback process. The operator will call you and ask to confirm your name and order. To validate the official phone number, you can use any of the options:

Option A
The certification center verifies the phone number via public yellow pages Databases such as world.192.com, please contact our sales / support managers for a more accurate list of databases and options for your regions.

Option B
Verify numbers via trusted / governmental databases such as Duns & Bradstreet, Hoover OR your local government database if it includes company phone numbers.

Option C
Verified legal opinion or accountant’s letter signed by a notary. The certification center can verify the notary legality.

The validation process of the OV / BV certificate comprises three phases:

1. domain ownership control,
2. organization verification,
3. a callback process.

The process takes about 2-5 working days in case all the documents are correct and delivered on time.

First step – Validate the organization

To pass Business / Organization validation, it may be necessary to provide some official registration documents to the certification center. Mostly they require a Business License / Incorporation / Registration Application. You can send them by post, fax or e-mail in PDF / JPG format. We strongly suggest using the email method.

Option A (most popular)
No paperwork. The legal existence of the company has been verified through the public government database using the company name or unique identification number (registration number) OR through verified third party public databases such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK, Lursoft .lv and others.

Option B (suggested)
Verifying the company with the LEI code only takes minutes / hour, not days and weeks. We strongly suggest using this method.

Option C
The company can be verified using one of the documents such as the Articles of Association, the commercial license issued by the government, the copy of a recent bank statement of the company, the copy of a recent telephone bill of the company, the copy of a recent utility bill. main users of the company (eg electricity bill, water bill, etc.).

Second step – DCV process

DCV (Domain Control Validation) is the verification of the ownership and control of domain names. It is possible to validate the domain through various methods such as validation via email, DNS CNAME and Hash file HTTP / HTTPS.

via email (most popular)
DCV via email is the most traditional method of passing ownership verification. The certification center will send an email to the administrative contact of your domain. The email contains a unique validation code and a link to a certification website to enter the code.

It is possible to use “magic five” e-mail addresses: admin @, administrator @, hostmaster @, webmaster @ and postmaster @. In some cases, WHOIS administrative e-mail can be used; private registration must be disabled.

via DNS CNAME
To validate the domain via DNS CNAME record, you must use the hashes that we extract from the CSR code you send. It takes from 10 minutes and up to 24 hours to validate the domain; it depends on your TTL DNS server.

via Hash HTTP / HTTPS file
Quick and easy method to pass the validation of the domain as it requires you to upload a text file (.txt) with hashes extracted from your CSR code. The file must be accessible from the web. Use the HTTPS method when SSL is already in use and the website is available through HTTPS: //

Third step – Recall process

The last step is a recall process. For OV / BV certificates, SSL providers use an automatic callback process. The Comodo robot calls you on the verified number and tells you a verification code. To validate the official phone number, you can use any of the options:

Option A
The certification center verifies the phone number via public yellow pages Databases such as world.192.com, please contact our sales / support managers for a more accurate list of databases and options for your regions.

Option B
Verification of numbers via trusted / governmental databases such as Duns & Bradstreet, Hoover OR your local government database if it includes company telephone numbers.

Option C
Verified legal opinion or accountant’s letter signed by a notary. The certification center can verify the notary legality.

The certification authorities provide an additional guarantee for the safety of your online business and for the functioning of the site. Warranty is one of the key elements of a certificate and can be a strong argument when choosing a certificate.

This guarantee is paid to visitors of your site who have relied on the certificate and have suffered losses directly due to an online credit card transaction and an incorrect issuance of an SSL certificate. This guarantee is paid on the residual transaction amount, which does not exceed the maximum transaction value specified for the corresponding certificate type.

VeriSign (Symantec) certificates were the first to offer a $ 1 million guarantee. Today, most major CAs have few products with that level or above, classically they are extended validation certificates.

Fraudulent and phishing websites are growing every day and it is imperative to validate the business.

The CAs carry out careful verification processes to ensure that your company is legal and able to receive OV or EV certificates.

Paying for SSL never guarantees that it will be released, even large companies may not be able to verify the same rules for everyone.

PI Domain Validation SSL certificates are the fastest issued products we have. In most cases, it only takes 5 minutes to issue SSL once the domain verification is passed. No paperwork is required, all you need is to pass the domain validation check (DCV) through one of the available methods.

First step – DCV process

DCV (Domain Control Validation) is the verification of domain name ownership and control. It is possible to validate the domain through different methods such as email validation, DNS CNAME and Hash HTTP/HTTPS files.

via email (most popular)
DCV via email is the most traditional method to pass the property verification. The certification center will send an email to the administrative contact of your domain. The email contains a unique validation code and a link to a certification website to enter the code.

You can use “magic five” email addresses: admin@, administrator@, hostmaster@, webmaster@ and postmaster@. In some cases, you can use WHOIS administrative e-mail; private registration must be disabled.

via DNS CNAME
To validate the domain via DNS CNAME record, you must use the hashes we extract from the CSR code you send. It takes 10 minutes and up to 24 hours to validate the domain; it depends on your DNS TTL server.

via HTTP/HTTPS hash file
Quick and easy way to pass domain validation as it requires you to upload a text file (.txt) with hashes extracted from your CSR code. The file must be accessible from the web. Use the HTTPS method when SSL is already in use and the website is available via HTTPS://

Second step – CAA Control

As of 8 September 2017, all CAAs (certification authorities) must comply with your CAA policy. The CAA record should allow the CAA to issue SSL for the domain name, otherwise the order would be pending until you update the record. By default, any CA can issue SSL for your domain name if no CAA record is found.

Optional STEP – Manual Control / Brand Validation

In some cases, certification centres may require manual verification if an order does not comply with internal rules. It normally takes approximately 24-48 hours to check, issue or refuse an order in such cases. There are multiple reasons why an order may be frozen for manual verification.

Information security on the web is one of the main issues that site owners need to pay close attention to. In the fast growing world of cyber threats, they must clearly understand how to prevent data leakage or protect their resources from third party access to them.

The installation of SSL certificates has become a modern standard for site security. However, such a protection mechanism is relatively new and difficult for the mass user. Let’s try to understand what this technology is and how it guarantees the security of information on web resources.

What is an SSL certificate?

Before proceeding to the point on why the site needs an SSL certificate, it is worth noting the very concept of the SSL protocol. It is a cryptographic protocol that provides reliable data transmission over the network. It is the guarantee of a secure connection between the user’s browser and the resource.

HTTP vs HTTPS

HTTPS has significantly improved the security of HTTP data. If SSL is installed on the site, then all data is transmitted via HTTPS – a secure version of the HTTP protocol. It encrypts user data and forwards it to the site owner via the TCP transport protocol. In other words, all information transmitted by the user is hidden through encryption to third parties: operators, Wi-Fi administrators and providers.

How the SSL protocol works

As you know, the basis of all coding methods is a key that helps to encode or read information. The SSL protocol uses an asymmetric cipher with two types of keys:

• Publish . This is actually an SSL certificate. It encrypts data and is used to transmit user information to the server. For example, a visitor enters his credit card number on the site and clicks on the “Pay” button.
• Private . Required to decode the message on the server. It is not transmitted together with the information, as in the case of the public key, and always remains on the server.

In order for a site to manage these connections, its owner needs an SSL certificate. It is a kind of digital signature, which is individual for each platform.

What’s inside an SSL certificate

An SSL certificate can contain the following important information:

• domain of the site on which the certificate is installed;
• company owner name;
• country, city of registration of the company;
• period of validity of the SSL certificate;
• Information on the Certification Authority;
• Serial number of the SSL certificate;
• SAN articles (multi-domain SSL);
• Trusted and untrusted certificates.

The main source of SSL certificates are the trusted certification authorities or the certification authorities (CA). These are organizations that have undeniable authority in the IT services market and use the well-known public cryptographic key. In browsers, their list is usually found in the ” Trusted Root Certification Authorities ” section.

A digital signature certified by a certificate from this center is proof of the authenticity of the company that owns the domain name and determines the owner’s right to legally use the secret key, it is called ” Trusted “.

The SSL Wildcard Certificates are a great help when you need to protect the multi-subdomains within the same domain name. Standard single domain SSL can protect a domain or its subdomain, for example, domain.tld OR sub.domain.tld

However, modern infrastructure includes multiple services that use their own subdomains. When you need to protect only a few sub-domains and you already know their names, you need to select multi-domain SSL (SAN) certificates. However, take SSL Wildcard certificates when you have many sub-domains and you may not know all the sub-domains at the moment.

The Wildcard SSL certificate protects an unlimited number of subdomains, but only for the next domain level. If you order by * .domain.tld, this means that SSL will protect the domain.tld (base domain) and all its subdomains (next level), like any domain.tld, mail.domain.tld etc., but NOT * . *. domain.tld. Basically, double jokers don’t exist, like EV jokers.

It is also possible to use the Wildcard SSL for mail and exchange servers, since most modern software can work with them as with the UCC (Unified Communication SSL certificates) SSL certificates.

There is also a new type of Wildcard certs called Multi-Domain Wildcard certificates. They are able to protect up to 250 different wildcard domains, which means unlimited subdomains under 250 domains. Most of our Wildcard certificates also come with unlimited server licenses, so you can install different variations of subdomains on different servers and IP addresses.