Organisation Validation (OV) Process and Requirements

The requirements for an Organisation Validation SSL certificate are the same regardless of which CA you go with—they’ve been standardised by the CAB Forum. Remember, the CA is going to be checking things that will demonstrate that your business is a lawful entity and that you are authorised to request a certificate on behalf of your organisation.


We’ll explain all of them – what the requirements are, how to satisfy them, what to do if you get stuck – on their dedicated pages. Just click the links.

As long as you’re a legitimate organisation, this process is no problem

Remember, the reason this process even exists is to differentiate the legitimate businesses from the pretenders—including scam artists and cyber criminals. So, if you’re working for an actual business, then you have nothing to worry about.

Plus, our customer service team will be happy to help if you get stuck. You’ll have the benefit of our many years of experience behind you. Typically, the CAs like to tell you issuance takes 1-3 business days—that’s to give themselves some cushion. But if you’re in a hurry, we may even be able to expedite the process for you.

We’ve gotten OV certificates issued in as little as 20 minutes before.
But, before you call, check and make sure that this validation section doesn’t answer your question first. We’ve designed it to be as helpful as possible.

Organisation Domain Verification

Just like with DV and EV SSL certificates, one of the crucial checks for Organisation Validated SSL is Domain Verification. This is where the Certificate Authority (CA) must verify that your organisation owns the domain that you are trying to secure.

How Do I Show Domain Ownership?

To satisfy the Domain Verification requirement you must simply prove that your organisation owns the domain that was listed on your Certificate Request.

There are several ways to do this, but the CA is going to start by looking at your domain’s WHOIS registry. WHOIS is an internet database that stores domain registrar information. For this approach to work, the WHOIS record must be publicly available. The CA will send a message to any email address listed on your WHOIS.

Since the GDPR came into effect, many registrars have closed their WHOIS lookups or fully redacted their clients’ information on them; however, some registrars’ WHOIS data is still visible and in use. If the CA is able to locate an email address from the WHOIS, they’ll send an email to that address. Once the steps listed in the email have been completed, you’ve satisfied this requirement.

The impacts of GDPR on WHOIS are still being hotly debated, so until ICANN and the CAB Forum can come up with a workaround there are a pair of other ways to satisfy the Domain Verification requirement.

  • Proof of Right Email
  • File-Based Authentication
  • DNS CNAME-Based Authentication
  • DNS TXT-Based Authentication
  • Professional Opinion Letter

Proof of Right Email

The CA can also use one of five default email addresses listed below to verify domain ownership:

  • Admin@yourdomain.com
  • Administrator@yourdomain.com
  • Webmaster@yourdomain.com
  • Hostmaster@yourdomain.com
  • Postmaster@yourdomain.com

File-Based Authentication

The CA provides you with a text file that contains a unique value. You just need to add 2 sub-folders to the publicly accessible directory for your domain and then put the text-file into those folders.

  • Folder #1: Must be named exactly “.well-known”
  • Folder #2: Must be created inside of Folder #1 and named exactly “pki-validation”

The goal of this validation method is to see the contents of your text file when you navigate to the following URL in your browser:
http://yourdomain.com/.well-known/pki-validation/unique_filename.txt
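
The file-based steps above as a shell sketch, added here as an example and not taken from the original page or from any CA's tooling. The function names, the demo webroot and the token value are constructed for illustration; the folder names and URL layout are the ones given above.

```shell
#!/bin/sh
# Added example (not from the original page). The webroot, file name and
# token used in the demo at the bottom are constructed placeholders.

# stage_validation_file WEBROOT CA_FILE
# Creates the two folders, copies the CA's file unchanged, prints its path.
stage_validation_file() {
    webroot=$1
    ca_file=$2
    [ -d "$webroot" ] || { echo "webroot not found: $webroot" >&2; return 1; }
    [ -s "$ca_file" ] || { echo "CA file missing or empty: $ca_file" >&2; return 1; }
    dest_dir="$webroot/.well-known/pki-validation"
    mkdir -p "$dest_dir" || return 1
    # The web server user needs to traverse both folders and read the file.
    chmod 755 "$webroot/.well-known" "$dest_dir" || return 1
    dest="$dest_dir/$(basename "$ca_file")"
    cp "$ca_file" "$dest" || return 1
    chmod 644 "$dest" || return 1
    # The served content has to be what the CA issued, so confirm the
    # staged copy is byte-identical (no editor-added BOM or line endings).
    cmp -s "$ca_file" "$dest" || { echo "staged copy differs" >&2; return 1; }
    printf '%s\n' "$dest"
}

# validation_url DOMAIN FILE_NAME
# Prints the URL that must show the file's contents.
validation_url() {
    printf 'http://%s/.well-known/pki-validation/%s\n' "$1" "$2"
}

# check_served DOMAIN CA_FILE
# Fetches the URL and compares the response body with the CA's file.
# Needs curl and a live site, so the offline demo below does not call it.
check_served() {
    url=$(validation_url "$1" "$(basename "$2")")
    curl -fsS "$url" | cmp -s - "$2"
}

# Offline demo with constructed values: a temporary directory as the webroot.
demo_root=$(mktemp -d)
mkdir "$demo_root/public_html"
printf 'EXAMPLE-TOKEN-0001\n' > "$demo_root/unique_filename.txt"
stage_validation_file "$demo_root/public_html" "$demo_root/unique_filename.txt"
validation_url yourdomain.com unique_filename.txt
rm -rf "$demo_root"
```

Run `check_served yourdomain.com /path/to/unique_filename.txt` from a machine outside your network before asking the CA to re-check; a non-zero exit usually means the web server is blocking dot-folders or redirecting the request.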

DNS CNAME-Based Authentication

Comodo will provide you with two unique hash values that will make up your CNAME record. You must use the following format:

  • Hostname Value: unique_value_1.yourdomain.com
  • Points To Value: unique_value_2.certificateauthority.com

DNS TXT-Based Authentication (GeoTrust/Thawte/RapidSSL/DigiCert)

The CA provides you with a unique value that you will input into your DNS settings as a TXT record. The TXT record must use the following format:

  • The Host Name Value: Left blank or insert the @ symbol.
  • The TXT Value: The unique value as given by the CA.

Organisation Authentication

The first validation check for an Organisation Validation SSL certificate is called Organisation Authentication. The Certificate Authority (CA) will verify that your organisation is a legitimate legal entity. That may sound like a long and arduous task, but if your company’s registration information is publicly listed and up to date, it’ll be a breeze.

What is Organisation Authentication?

Organisation Authentication is perhaps the most involved of all the Organisation Validation checks. Basically, the CA just wants to see that your organisation is registered and active within your location. That’s why it’s vital that all of the listed information from your organisation’s registration matches the details that you supplied in your CSR.

Note: If your organisation operates under any trade names, assumed names or DBAs, all of that registration information needs to be up to date and accurate as well.

The primary way that the CAs will try to verify this information is by checking online government databases in your local municipality, state or country—whatever government site publicly displays your business entity registration status.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

If the details match up, then you’ll have satisfied this requirement. If not, don’t sweat. There are other methods your CA can use to authenticate your organisation.

  • Official Registration Documents
  • Dun & Bradstreet
  • Legal Opinion Letter

Official Registration Documents

You can use the business registration documents that have been issued by your local government to satisfy this requirement. Examples of these types of documents include articles of incorporation, chartered licenses and DBA statements—anything from the government showing your company is a legitimate legal entity.

Dun & Bradstreet

You can use a comprehensive DUNS Credit Report to verify specific details associated with your business entity. In Australia D&B operates as Hoovers. Their credit reports are held in high esteem by the CAs and can be used to satisfy multiple requirements.

You can also get a Legal Opinion Letter, sometimes called a Professional Opinion Letter or POL. This is a document in which an Attorney or Accountant (who is licensed and in good standing with the governing body in your location) vouches for your company’s legitimacy. It carries a lot of weight in the eyes of the CAs. A POL can be used to satisfy 4 out of the 5 requirements for obtaining an OV SSL.

Organisation Locality Presence

One of the most straightforward validation checks for an Organisation Validated SSL certificate is proving Locality Presence. For this requirement, the Certificate Authority (CA) verifies that your organisation or company has an active legal presence in its registered location.

What is Locality Presence?

To fulfil the Locality Presence requirement, the Certificate Authority needs to verify your organisation’s full street address. The CA will attempt to verify this information by searching an Online Government database or an acceptable third-party database. They check these online sources and review the registration details – the city/state/country in your address – against the details you provided at the outset of the process.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

If your business is listed in any online third-party directories that display your business name and full street address, please submit it to our support team and they will be able to see if the CA can use that listing to satisfy the locality presence requirement.

If everything checks out, you’re good to go—you have satisfied this validation check.

However, if everything doesn’t match exactly, you’ll either need to update your listing so that the data matches or utilise another method to prove your locality presence. Fortunately, there are three other ways to satisfy this requirement.

  • Official Registration Documents
  • Dun & Bradstreet
  • Legal Opinion Letter

Official Registration Documents

The CAs will accept documents from your local government (city, state or country) that verify the information you provided them during enrolment. This includes documents such as articles of incorporation, chartered licenses and DBA statements. As long as your registered address is visible, these should satisfy this requirement.

Dun & Bradstreet

Providing a comprehensive DUNS Credit Report will allow the CA to verify the physical address associated with your organisation. In Australia D&B operates as Hoovers. Dun & Bradstreet credit reports are incredibly useful for the purpose of validation as they can satisfy both this requirement and several others.

Organisation Telephone Verification

One of the easiest checks in the Organisation Validation process is Telephone Verification. Do you have a telephone number listed for your business? Is it verifiable by a third-party or government directory? If so, proceed to the next step.

What is Telephone Verification?

To satisfy the Telephone Verification check you only need an active telephone listing that’s verifiable by an acceptable online directory. The listing must display the exact same business name and physical address as the information you provided.

To check this, the first place the CAs will go is the online government databases. If your number is listed and the organisation name and address match up, you’re good to go—you’ve satisfied this requirement.

For Australia, that means the Australian Business Register or Australian Securities and Investments Commission (ASIC).

For New Zealand, that means the New Zealand Companies Office Companies Register.

Unfortunately, the majority of government databases don’t display the phone number. You can double check your listing by searching for your business name in your government’s online business directory and see if the telephone number displays! If it doesn’t, it’s not a major problem.

  • Third-Party Directory
  • Legal Opinion Letter

Third-Party Directory

The CAs can use an existing or new telephone listing from an acceptable third-party directory.

Please contact our Support Team for a list of all accepted directories in your country.

Organisation Final Verification Call

The Final Verification Call is the last requirement for an Organisation Validated SSL certificate. It’s simple: the Certificate Authority (CA) will call the verified number associated with your organisation to verify the details of the order.

How Do I Complete the Final Verification Call?

To finish the Organisation Validation process and issue your SSL certificate, the Certificate Authority will need to call and speak with whoever is listed as the Admin Contact on your order using your organisation’s verified telephone number to confirm the details of your order.

Make sure the Admin Contact is available to pick up the phone and answer the questions. It’s very simple. And it takes less than five minutes.

Now, if the listed telephone number doesn’t ring directly to their desk – as is often the case – don’t worry. The CA will attempt to work through the phone system and contact them a couple of different ways.

  • Extension or IVR
  • Transfer or Alternative Number

Extension or IVR

If the phone system uses extensions or Interactive Voice Response (IVR), then the CA will work through the phone system to connect to the Admin Contact. So, if their extension is listed (or they’ve previously provided it to the CA) or their phone can be reached by the IVR, it’ll be alright.

Transfer or Alternative Number

If they don’t have an extension or IVR, the CA can also have the receptionist (or whoever answers the business phone number) transfer the CA to them or provide the CA with their direct number.

Please Note: Mobile numbers can be used, but ONLY if they are given to the CA when they call the verified business phone number on the verified listing.

