Organization Validation (OV) is a mid-level SSL Certificate validation process that verifies not only domain ownership but also the legitimacy of the business or organization requesting the SSL Certificate. Unlike Domain Validation (DV) SSL Certificates, which only confirm domain control, Organization Validation (OV) SSL Certificates require additional verification to ensure that the entity behind the website is a legally registered organization.
The validation process involves two distinct stages. The first stage is Domain Control Validation (DCV), which confirms that the applicant has control over the domain. The second stage is organization verification, which involves checking government business records, confirming the organization's physical address, and verifying a working telephone number. These extra steps provide a higher level of trust for website visitors and are particularly useful for businesses that want to reassure customers that they are dealing with a legitimate entity.
Once issued, an Organization Validation (OV) SSL Certificate enables HTTPS encryption, ensuring that data transferred between the website and its visitors is encrypted in transit. Additionally, website users can view verified organization details within the SSL Certificate, offering an added layer of credibility that is not available with Domain Validation (DV) SSL Certificates. Trustico® offers a range of Organization Validation (OV) SSL Certificates to suit different business requirements.
How Does Organization Validation (OV) Work?
To obtain an Organization Validation (OV) SSL Certificate, the business or organization requesting it must go through a verification process conducted by the Certificate Authority (CA). This process is more thorough than Domain Validation (DV) and involves multiple steps to confirm both domain control and organizational identity.
The first step is Domain Control Validation (DCV), where the Certificate Authority (CA) confirms that the applicant has control over the domain for which the SSL Certificate is being requested. This can be completed using any of the supported Domain Control Validation (DCV) methods, including Approver E-Mail verification, Domain Name System (DNS) CNAME record verification, Domain Name System (DNS) TXT record verification, or HTTP and HTTPS file based verification.
Once domain control has been confirmed, the Certificate Authority (CA) proceeds to verify the organization's identity. The Certificate Authority (CA) checks official business registration records to ensure the company is legally recognized. This may involve verifying details in government databases or requesting business documents such as incorporation papers or a business license. The organization name specified during the SSL Certificate order must be an exact match with the name recorded with the relevant government authority.
The organization's physical address and telephone number must also be validated. The Certificate Authority (CA) will confirm that the provided address matches publicly available records and will call the business using an independently verified telephone number to complete the verification. Because of these additional checks, Organization Validation (OV) SSL Certificates take longer to issue than Domain Validation (DV) SSL Certificates. While a Domain Validation (DV) SSL Certificate can be issued within minutes, an Organization Validation (OV) SSL Certificate typically takes several business days depending on the availability of the required documentation and the responsiveness of the administrative contact.
Approver E-Mail Verification Method
E-Mail verification is the most widely used Domain Control Validation (DCV) method for the domain ownership stage of Organization Validation (OV). The Certificate Authority (CA) sends a confirmation e-mail to a pre-approved address associated with the domain. The recipient must then follow the instructions in the e-mail, typically by clicking a confirmation link and entering a verification code provided in the message.
The e-mail address used for Domain Control Validation (DCV) must be one of the following pre-approved addresses : admin@yourdomain.com, administrator@yourdomain.com, hostmaster@yourdomain.com, webmaster@yourdomain.com, or postmaster@yourdomain.com. These addresses are defined by the Certificate Authority / Browser Forum (CA/Browser Forum) as acceptable for Domain Control Validation (DCV) purposes.
Important : WHOIS-based e-mail validation is being deprecated in accordance with Ballot SC-80v3. After June 15, 2025, only the five pre-approved e-mail addresses or a contact listed in the _validation-contactemail Domain Name System (DNS) record for the domain will be accepted for e-mail based Domain Control Validation (DCV).
If none of the standard pre-approved e-mail addresses are available for your domain, you may be able to configure a _validation-contactemail Domain Name System (DNS) TXT record to specify an alternative e-mail address.
Domain Name System (DNS) CNAME Record Verification Method
Domain Name System (DNS) CNAME record verification is an alternative Domain Control Validation (DCV) method that does not require access to any of the pre-approved e-mail addresses. This method requires you to create a specific CNAME record in your domain's Domain Name System (DNS) settings, which proves your control over the domain and allows the SSL Certificate issuance process to proceed to the organization verification stage.
The CNAME record is constructed using cryptographic hashes derived from the Certificate Signing Request (CSR) associated with your SSL Certificate order. An MD5 hash and a SHA-256 hash are generated from the DER-encoded Certificate Signing Request (CSR). The host portion of the CNAME record is an underscore followed by the MD5 hash, placed as a label under your domain, and the target is the SHA-256 hash split into two 32-character labels followed by sectigo.com as the canonical name. A unique value may also be included in the record for one-time use verification.
After placing your SSL Certificate order, you can switch to CNAME validation by logging into the Trustico® tracking system and changing the validation preference from Approver E-Mail to CNAME within your order details. Trustico® will provide the exact CNAME record values that need to be added to your Domain Name System (DNS) configuration.
Domain Name System (DNS) TXT Record Verification Method
Domain Name System (DNS) TXT record verification is another Domain Name System (DNS) based Domain Control Validation (DCV) method supported by the Certificate Authority (CA). With this approach, a unique random value token is provided at the time of your SSL Certificate order. You must then create a Domain Name System (DNS) TXT record with the host set to _pki-validation at your domain and the TXT value set to the random token provided.
The token provided for Domain Name System (DNS) TXT validation is valid for 30 days from the date of issuance and may only be used once per SSL Certificate order. If the token expires before the record is verified by the Certificate Authority (CA), a new token will need to be generated by resubmitting the validation request through the Trustico® tracking system.
Important : Each Domain Name System (DNS) TXT validation token is unique to a specific SSL Certificate order. Reusing a token from a previous order will not work. Always use the exact token value provided for your current order through the Trustico® tracking system.
HTTP and HTTPS File Based Verification Method
File based verification requires the domain owner to upload a specific verification file to a designated directory on the web server. The Certificate Authority (CA) will then check for the presence of this file at a known location to confirm domain ownership. This method is commonly used by web administrators who have direct access to their website's file system.
To complete file based validation, you will need to create a text file named using the MD5 hash value derived from your Certificate Signing Request (CSR). The contents of this file must include the SHA-256 hash of your Certificate Signing Request (CSR) on the first line, the text "sectigo.com" on the second line, and optionally a unique value on the third line. The file must be placed at the following path on your web server : http://yourdomain.com/.well-known/pki-validation/ or the HTTPS equivalent at https://yourdomain.com/.well-known/pki-validation/ using port 80 or port 443 respectively.
The verification file must be plain ASCII text without a Byte Order Mark (BOM). Both CRLF and LF line endings are acceptable. The web server must be publicly accessible on port 80 for HTTP or port 443 for HTTPS at the time the Certificate Authority (CA) performs the validation check.
Warning : File based validation cannot be used for Wildcard SSL Certificates. If you are ordering a Wildcard Organization Validation (OV) SSL Certificate, you must use either Approver E-Mail or a Domain Name System (DNS) based validation method instead.
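The CNAME record and the validation file described above are both built from the same two hashes of the DER-encoded CSR. The following is an added example, not code from Trustico® or the Certificate Authority (CA): it derives both sets of values and pre-checks a served file against the ASCII, BOM and line-ending rules. The function names, the lowercase hex form, the .txt extension and the sample bytes are assumptions; always use the exact values shown in the tracking system.

```python
import base64
import hashlib
import re

CA_MARKER = "sectigo.com"  # literal named on the page
# Constructed placeholder bytes, NOT a real CSR; present so the block runs offline.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE REQUEST-----\n")

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour; the hashes are taken over the DER bytes, not the PEM text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", pem, re.S)
    if not m or "CERTIFICATE REQUEST" not in m.group(1):
        raise ValueError("not a PEM-encoded CSR")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def dcv_values(der: bytes, domain: str, unique: str = "") -> dict:
    """Build the CNAME record and the validation file described on the page."""
    md5 = hashlib.md5(der).hexdigest()      # assumption: lowercase hex
    sha = hashlib.sha256(der).hexdigest()
    body = [sha, CA_MARKER] + ([unique] if unique else [])  # unique value: file only
    return {
        "cname_host": f"_{md5}.{domain}",
        "cname_target": f"{sha[:32]}.{sha[32:]}.{CA_MARKER}",
        "file_path": f"/.well-known/pki-validation/{md5}.txt",  # .txt is assumed
        "file_body": "\n".join(body) + "\n",
    }

def check_served_file(body: bytes, der: bytes) -> list:
    """Pre-flight check of the file as served; an empty list means no problem found."""
    problems = []
    if body.startswith(b"\xef\xbb\xbf"):
        problems.append("file starts with a UTF-8 byte order mark")
        body = body[3:]
    try:
        lines = body.decode("ascii").replace("\r\n", "\n").split("\n")
    except UnicodeDecodeError:
        return problems + ["file is not plain ASCII"]
    if lines[0].lower() != hashlib.sha256(der).hexdigest():
        problems.append("line 1 is not the SHA-256 of the CSR")
    if len(lines) < 2 or lines[1] != CA_MARKER:
        problems.append("line 2 is not 'sectigo.com'")
    return problems

if __name__ == "__main__":
    for key, value in dcv_values(pem_to_der(SAMPLE_PEM), "yourdomain.com").items():
        print(f"{key} = {value!r}")
```

Running `check_served_file` on the bytes your web server actually returns catches editor-added BOMs and a hash taken over the PEM text instead of the DER bytes before the Certificate Authority (CA) performs its check.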
Organization Verification Requirements
After Domain Control Validation (DCV) has been completed, the Certificate Authority (CA) proceeds with the organization verification stage. This is the step that distinguishes Organization Validation (OV) SSL Certificates from Domain Validation (DV) SSL Certificates and provides the additional trust that Organization Validation (OV) is known for.
The organization name provided during the SSL Certificate order must exactly match the legal name recorded with the relevant government authority. The Certificate Authority (CA) will verify the organization's registration details against official government databases. If the organization operates under a different trading name, a Fictitious Name or Doing Business As document may be required to confirm the connection between the trading name and the legal entity.
The Certificate Authority (CA) will also verify the organization's physical address against publicly available records. The address provided must match official business registration records or be independently verifiable through a third-party source. A verification telephone call with the administrative contact listed on the SSL Certificate order will usually be required before issuance. The telephone number used for verification must be publicly listed in an approved telephone directory or verifiable through a recognized third-party source.
Tip : It is recommended that the organization be listed at Dun and Bradstreet, as it is one of the world's leading sources of commercial information and insight on businesses. Certificate Authorities (CAs) rely on Dun and Bradstreet to verify organization details during the Organization Validation (OV) process.
Sample documents that may be required to support the SSL Certificate application include Articles of Incorporation, Fictitious Name or Doing Business As documents, Business Licensing, and other official documentation proving the organization's legal existence. The administrative contact of the order will be contacted for further information if additional documentation is needed.
Why is Organization Validation (OV) Needed?
Organization Validation (OV) is important because it adds an extra layer of trust by verifying that a website is operated by a legitimate organization. While Domain Validation (DV) SSL Certificates provide encryption, they do not offer any assurance about who is behind the website. This means a malicious actor could obtain a Domain Validation (DV) SSL Certificate for a fraudulent website, creating a false sense of security. Organization Validation (OV) SSL Certificates reduce this risk by requiring verification of the organization's identity before issuance.
Websites that handle sensitive customer information, such as login credentials, e-mail addresses, and payment details, benefit from Organization Validation (OV) SSL Certificates because they provide authentication in addition to encryption. Users can check the SSL Certificate details to see the verified business name, which helps them trust that they are dealing with a legitimate company rather than a potential imposter.
Additionally, Organization Validation (OV) SSL Certificates help businesses comply with industry security standards. Some government and corporate networks require websites to have at least an Organization Validation (OV) SSL Certificate to be considered trustworthy. By choosing Organization Validation (OV) from Trustico® you can meet these security requirements while improving your organization's reputation online.
Who Should Use Organization Validation (OV) SSL Certificates?
Organization Validation (OV) SSL Certificates are best suited for businesses, non-profit organizations, educational institutions, and government entities that want to establish trust with their website visitors. They are particularly useful for e-commerce websites, financial services, healthcare providers, and any online platform that collects user data.
Unlike Domain Validation (DV) SSL Certificates, which are commonly used for personal websites and small blogs, Organization Validation (OV) SSL Certificates provide additional verification that can help reassure customers and clients that they are dealing with a verified organization.
For organizations that require an even higher level of trust and visibility, an Extended Validation (EV) SSL Certificate may be a better option. Extended Validation (EV) SSL Certificates undergo the most rigorous verification process available and provide the strongest assurance of organizational identity. However, for businesses that need strong encryption and verified identity without the more extensive Extended Validation (EV) process, Organization Validation (OV) SSL Certificates from Trustico® provide an excellent balance of security, trust, and efficiency.
Best Practices for Organization Validation (OV)
Following best practices during the Organization Validation (OV) process helps to ensure a smooth and timely SSL Certificate issuance. Generating a unique Certificate Signing Request (CSR) for each SSL Certificate order prevents token reuse issues during the Domain Control Validation (DCV) stage. If you are using a Domain Name System (DNS) based validation method, verifying that your records have propagated correctly before submitting the validation request will help avoid unnecessary delays.
For the organization verification stage, ensuring that your business registration details are current and that your organization name exactly matches government records will prevent delays. Having your telephone number publicly listed and ensuring the administrative contact is available for the verification call will also help the Certificate Authority (CA) complete the process as quickly as possible.
Tip : Completing Domain Control Validation (DCV) promptly after placing your order allows the Certificate Authority (CA) to begin the organization verification stage sooner. Preparing your business documentation in advance helps to minimize the overall time to issuance for your Organization Validation (OV) SSL Certificate.
Trustico® provides all the tools and guidance needed to complete both stages of the Organization Validation (OV) process efficiently through the Trustico® order tracking system.