One requirement that is unique to the issuance of Extended Validation (EV) SSL/TLS certificates is the need to prove your ownership of the domain for which you have requested an SSL/TLS certificate.
Most people confuse this with the usual Domain Control Validation (DCV) required for issuance of all classes and types of SSL/TLS certificates, but the two are different. Domain Control Validation, or Domain Control Verification (Domain Verification for short), is meant to establish technical CONTROL of a domain by the person requesting a certificate. This could be the webmaster, web developer, consultant or some other person associated with the company or website who wishes to install a certificate on that site, domain or application. Domain Verification is done in one of three ways: Administrator Email, DNS record creation or the File Upload method. You can read all about each method here.
Domain Verification – Domain Ownership Verification: What’s the difference?
One difference is that while Domain Verification is required for all kinds of certificate requests to be completed, Domain Ownership Verification is required only for an EV certificate to be issued.
The second difference is that while Domain Verification is a technical procedure in which the person requesting the certificate shows his control of the domain by one of the three methods mentioned above, Domain Ownership Verification is a way to prove ownership of the domain in question.
For example, if John Doe requires an EV certificate for his website www.johndoe.ng, then in addition to proving his control of the domain and meeting the other EV requirements, he will also have to prove his ownership of the domain www.johndoe.ng.
This can be done in one of two ways:
1. The domain’s WHOIS record
Every domain has a WHOIS record which carries information about the domain owner. The information displayed for each domain name can usually be changed from the domain Registrar’s website or portal. For example, John Doe in this case would have to log in to his WhoGoHost or Smartweb account, whichever hosting and domain provider he registered his domain with. When logged in, he can navigate to where the domain information can be edited and changed. When this is done, the WHOIS record is immediately updated online and can be checked by a Certificate Authority like Certum to verify domain ownership.
There are usually three sets of contact information that can be edited and used for this purpose: Registrant, Admin and Technical. You don’t need to change all three; only one will do. There are several WHOIS lookup tools you can use to check a domain’s contact information. Some examples are whois.domaintools.com, lookup.icann.org/en, whois.net and many others online.
As an example, see the WHOIS record for Certum.ng – https://whois.domaintools.com/certum.ng
2. Domain Purchase Receipt or Paid Invoice
Sometimes, organisations prefer not to have their contact information on their domain’s WHOIS record, so they enable the privacy feature, which hides the information and displays the Domain Registrar’s contact information instead. In such cases, a Certificate Authority cannot simply do a WHOIS lookup to verify domain ownership and issue an EV certificate. We would have to rely on a domain purchase (or renewal) receipt.
This often comes in the form of a payment receipt or invoice issued by the Hosting Company or Domain Registrar when the domain was first purchased or last renewed. An acceptable document must show the domain name, the Registrar’s name, the company that owns the domain and has paid to purchase or renew it (not some individual or staff member’s name), the amount paid and the duration (one year, 2 years, 20 years etc.). Most Registrars today allow the customer to simply log in and download this receipt or paid invoice in the form of a PDF, which we (Certum) will accept.
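An applicant can pre-check which of the two routes above applies before submitting an EV request. The following is an added example, not part of the original article and not Certum's validation procedure: it reads the Registrant, Admin and Tech organisation fields from WHOIS text and reports whether any one of them names the applying company, or whether the record is privacy-protected and a receipt will be needed. The field labels, privacy markers, matching rule and sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample records (not real WHOIS data); field labels vary by registry.
PUBLIC = """\
Domain Name: johndoe.ng
Registrant Organization: John Doe Enterprises Ltd
Admin Organization: John Doe Enterprises Ltd
Tech Organization: Example Hosting Support
"""
PRIVATE = """\
Domain Name: johndoe.ng
Registrant Organization: Privacy Protection Service
Admin Organization: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
"""

# Assumed markers of a privacy/proxy service and assumed company suffixes.
PRIVACY_HINTS = ("redacted", "privacy", "proxy", "not disclosed")
SUFFIXES = {"ltd", "limited", "plc", "inc", "llc"}
FIELD = re.compile(
    r"\s*(Registrant|Admin|Tech)\w*\s+Organi[sz]ation\s*:\s*(.+)", re.I)

def normalise(name):
    """Lower-case, drop punctuation and legal suffixes so 'Ltd' == 'Limited'."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def contact_orgs(whois_text):
    """Return {role: organisation} for the three editable contact sets."""
    orgs = {}
    for line in whois_text.splitlines():
        m = FIELD.match(line)
        if m:
            orgs[m.group(1).capitalize()] = m.group(2).strip()
    return orgs

def check_ownership(whois_text, applicant_org):
    """One matching contact set is enough; hidden records need a receipt."""
    orgs = contact_orgs(whois_text)
    wanted = normalise(applicant_org)
    matches = [role for role, org in orgs.items() if normalise(org) == wanted]
    if matches:
        return "whois-match", matches
    visible = [o for o in orgs.values()
               if not any(h in o.lower() for h in PRIVACY_HINTS)]
    # Nothing visible at all: fall back to the purchase or renewal receipt.
    return ("mismatch" if visible else "receipt-needed"), []
```

A "mismatch" result means the record is public but names a different organisation, so the contact details should be corrected at the Registrar before applying.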