Extended Validation (EV) SSL certificates are one of three standard SSL certificate types issued by Certificate Authorities: DV, OV, and EV. What makes EV certificates different from the others is that they provide the highest assurance that the domain is NOT associated with a bad actor. When users see a company-branded address bar next to the URL, they can know that they are on a trusted domain.
So is an EV SSL certificate right for you? In order to determine this, it’s important to understand why the cost is higher than other certificate options, the unique value it provides, and how the issuance process works.
One objection that is raised against Extended Validation Extended Validation (EV) SSL is that, for any given Certificate Authority, it tends to cost more than an Organization Validation or Domain Validation certificate.
Let’s dive into why these certificates cost more than others as well as the value they provide.
Often, the additional cost of an EV certificate can seem confusing – all SSL certificates are just bits, after all, and both OV and EV options require authentication. However, there’s much more to it than that.
For example, if it were a lock on your door, that would be a different matter. The superior lock might require more metal to manufacture, or more expensive metal or other such components. The presence of these components would help buyers viscerally to understand the additional value – along with the additional expense required to manufacture this high-end lock.
In the case of EV SSL, these additional expenses are invisible to the buyer. Because all SSL certificates occupy the same spot in your infrastructure and entail no physical component, it’s very difficult for a consumer to see that these expenses exist. That’s because these expenses occur behind the scenes.
These expenses translate to Cost of Goods Sold (COGS). These costs are specific to the set of EV certificates a company sells, so they must be defrayed across the set sold. Otherwise CAs can’t take them on. And because it is a lower-volume product than other authentication levels, that means the costs are concentrated in a smaller number of individual purchases than they would be for OV or DV certificates.
The good news is that even with the higher pricing, the cost difference between EV and OV certificates remains low, so that EV is still within reach for any company seeking its benefits. And should the volume of EV certificates increase over time, CAs may be able to decrease this cost difference even further.
The value of this certificate is higher for sites compared to other types because it leads popular browsers, like Google Chrome, to display the company name in the address bar in addition to the HTTPs padlock. This is necessary for compliance with some industry guidelines and provides additional benefits, including:
The process for a Certificate Authority to issue an Extended Validation SSL certificate is more stringent than other SSL/TLS certificates. The CA follows a validation process based on CA/Browser Forum guidelines.
The CA checks that the requesting business is a legal entity, and the validation requires sufficient disclosure of business information to perform this verification. There is an additional human intervention where the entity is contacted via phone to verify its identity. The processing could be several days, depending on the requestor’s availability during the telephone verification phase.
Before issuing an EV SSL certificate, the Certificate Authority contacts the organization via phone to verify its identity.
Authentication Process
EV shows users that the website employs best-of-breed security measures to protect transactions and ensure compliance with standards and regulations.
Before issuing an Extended Validation certificate, the Certificate Authority follows a seven-stage process based on guidelines determined by the CA/Browser Forum.
Given the rigor and information disclosure involved, cybercriminals are statistically far more likely to apply for DV or OV certificates than undergo the vetting process to acquire an EV certificate.
While no CA can know the “intent” of an organization seeking an SSL certificate, the verification process noted above strives to vet the legitimacy and authenticity of the domain at the time of issuance. EV is one of the best (visible) trust indicators in place today.
See Sectigo’s EV SSL certificates and learn how Sectigo can also help with certificate management.