Before issuing an SSL certificate to any customer, Certificate Authorities (CAs) authenticate that and they are the trusted third parties. There is a full process that needs to be followed for the validation of an SSL certificate to an organization.
Customer Authentication Rules
In early times, there are no hard and strict rules for CAs as there are very few steps that are required for the customer authentication before issuing the SSL certificate. Each CA has the authority to make its own process of authentication and the only thing which is required is to describe the process to its public Certification Practice Statement (CPS) in general terms. The description of CPS authentication was vague is most cases and very hard to understand.
Now customer authentication bar is raised and the common stringent authentication standards were first developed by CAs for new Extended Validation (EV) certificates. In 2008, the minimum authentication standards were detailed in front of CA/Browser forums.
Requirements Common to All certificates
The requirements of authentication and techniques are applicable to all the certificates. A CA has the responsibility to check the singing certificate request of the customer and ensure the minimum cryptographic algorithm and key size. The customer and certificate data must be checked by the CA against a high-risk applicants list. The maintenance of the internal database needs to check by the CA which includes the previously revoked or rejected certificate due to suspected phishing or another fraudulent usage.
There should be no identified location of the customer on any government denied list and this needs to be checked by the CA. these are some basic checks which CA should see and it can become one of the major CA-issued certificate advantages as compared to a self-signed certificate.
Domain Validation Certificates – Simple Authentication
Domain Validation or DV certificates is the simplest way to check the authentication. The identification of the certificate holder does not confirm by this but they do confirm the owner of the certificate holder inside the DV certificate. The process of validation is performed by using the automated method in which the email message sends by CA to the customer. The main aim is that the customer owns or controls the domain can only receive and respond to the email messages. The manual lookup of WhoIs is established to control the domain.
There is some additional step which CA takes during DV validation:
The country code is permitted by the CA along with all verified domains. The certificates and domain ownership in the DNS control is required at the time of tests.
Organization Validation (OV) Certificates – Next Level Authentication
The Organization Validation (OV) certificate is mainly required the next level of authentication. The steps involved in the OV certificate are similar to the DV certificate. To identify the location and identity of the customer, the CA takes some additional steps that include OV certificate information before issuance. The CA first checks the data for confirming the identity of the customer, address, and phone number at the time of OV. The documents which CA check for checking the data are:
The customer who requests for the OV certificate must be contacted by the CA which needs to be connected with the customer organization. Usually, CA contacts the customer by calling on the telephonic number which can be found in a public database. The other alternative is to send a link to the official email address of the customer which can be opened by the one who is having the password that is given on the CA’s order page.
Once the process of OV authentication completed, the CA check and mention the organization’s name, city, state, and country in the OV certificate. This also consists of one or more domains that are owned or controlled by the customer.
Extended Validation (EV) Certificates – High-Level Authentication
The level of authentication of an EV certificate is high and favorable users are rewarded by the browsers and applications. At the time of EV authentication, the proper registration of the customer’s organization should be confirmed by the CA. it should be active with the exact registry of government and can be regarded as a third party business database. The person who signs the Subscriber Agreement is contacted by the CA for signature verification and confirmation of name, title, and agency of the person’s organization.
The data set should be in mixed form and all of these need to be checked by the CA. To confirm consistency and conducting final cross-correlation, the EV Vetter needs to compare all the authentication data properly. The issued EV certificate consists of standard OV certificate, entity type, incorporation location, and registration number by the government.