Extended Validation (EV) Certificates
Understand Extended Validation SSL certificates — the most thoroughly verified certificate type. Learn about the EV validation process, visual indicators, and how to identify EV in decoded certificates.
Detailed Explanation
What Are EV Certificates?
Extended Validation (EV) certificates are SSL/TLS certificates issued after the most rigorous identity verification process defined by the CA/Browser Forum. The CA verifies not just domain ownership, but also the legal existence, physical location, and operational status of the organization.
EV Validation Process
To obtain an EV certificate, an organization must pass multiple checks:
- Domain validation — prove ownership or control of the domain
- Organization validation — verify legal registration with government records
- Physical address — confirm the organization's address through independent sources
- Phone verification — callback to a verified phone number
- Signing authority — verify that the requesting individual is authorized
- Operational existence — confirm the organization has been active for at least 3 years (or provide additional documentation)
This process typically takes 1-5 business days, compared to minutes for Domain Validation (DV) certificates.
How to Identify an EV Certificate
When you decode an EV certificate, look for the Certificate Policies extension:
```
X509v3 Certificate Policies:
    Policy: 2.23.140.1.1
      CPS: http://cps.example-ca.com
```
The OID 2.23.140.1.1 is the CA/Browser Forum's identifier for EV certificates. CAs must include this OID in their EV certificates. The Subject field also contains extensive organization details:
```
Subject:
    CN = www.example.com
    O = Example Corporation
    L = San Francisco
    ST = California
    C = US
    serialNumber = 12345678
    businessCategory = Private Organization
    jurisdictionC = US
    jurisdictionST = Delaware
```
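The check described above can be automated. The following is an added example, not code from the original page: it reads decoded certificate text in the layout shown above, reports the validation level the policy OID claims, and flags an EV claim whose Subject lacks the organization fields or uses a wildcard name. It goes beyond the page by also recognizing the CA/Browser Forum's OV and DV policy OIDs; the function names and both sample texts are constructed for illustration.

```python
import re

# CA/Browser Forum policy OIDs. The EV OID is the one on this page; the OV
# and DV OIDs are the forum's other reserved identifiers, added for contrast.
POLICY_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}
# Subject attributes shown in the page's EV example.
EV_SUBJECT_FIELDS = ("O", "serialNumber", "businessCategory", "jurisdictionC")

def parse_decoded(text):
    """Return (policy_oids, subject) from decoded text in the page's layout."""
    oids = re.findall(r"^\s*Policy:\s*([0-9.]+)\s*$", text, re.M)
    subject, in_subject = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Subject:":
            in_subject = True
        elif in_subject:
            m = re.match(r"(\w+)\s*=\s*(.+)$", line)
            in_subject = bool(m)  # first non "key = value" line ends the block
            if m:
                subject[m.group(1)] = m.group(2)
    return oids, subject

def classify(text):
    """Return (claimed_level, problems) for one decoded certificate."""
    oids, subject = parse_decoded(text)
    # Dict order gives precedence EV > OV > DV when several policies appear.
    level = next((lvl for oid, lvl in POLICY_LEVELS.items() if oid in oids), "unknown")
    problems = []
    if level == "EV":
        missing = [f for f in EV_SUBJECT_FIELDS if f not in subject]
        if missing:
            problems.append("missing subject fields: " + ", ".join(missing))
        if subject.get("CN", "").startswith("*."):
            problems.append("wildcard CN on an EV certificate")
    return level, problems

# Constructed samples (not real certificates).
EV_SAMPLE = """Subject:
    CN = www.example.com
    O = Example Corporation
    serialNumber = 12345678
    businessCategory = Private Organization
    jurisdictionC = US
X509v3 Certificate Policies:
    Policy: 2.23.140.1.1
"""
SUSPECT_SAMPLE = "Subject:\n    CN = *.example.com\nX509v3 Certificate Policies:\n    Policy: 2.23.140.1.1\n"
print(classify(EV_SAMPLE), classify(SUSPECT_SAMPLE))
```

The result describes only what the certificate text claims; it does not validate the signature chain or check that the issuing CA is trusted for EV.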
DV vs OV vs EV
| Aspect | DV | OV | EV |
|---|---|---|---|
| Validates | Domain control | Domain + Org identity | Domain + Org + Legal status |
| Issuance time | Minutes | 1-3 days | 1-5 days |
| Cost | Free (Let's Encrypt) | $50-200/year | $200-1000/year |
| Browser indicator | Padlock | Padlock | Padlock (previously green bar) |
| Wildcards | Yes | Yes | No |
The Green Bar Era
Before 2019, browsers displayed the organization name in a green address bar for EV certificates. Both Chrome (version 77) and Firefox (version 70) removed this visual distinction, showing only a padlock for all valid certificates. This change reflected research showing users did not notice or understand the green bar indicator.
Are EV Certificates Still Worth It?
Despite the removal of the green bar, EV certificates still provide value:
- Organization identity in the certificate — anyone who inspects the certificate can verify the legal entity
- Certificate Transparency — the verified organization name is logged publicly
- Compliance — some industry regulations or partner agreements require EV certificates
- Phishing resistance — harder for attackers to obtain because of the verification process
Use Case
Inspect an EV certificate to verify the legally registered organization operating a website, especially when evaluating the legitimacy of financial services, e-commerce, or government platforms.