CA/Browser Forum
Home » Working Groups » Server Cert WG » Extended Validation » Overview of the Extended Validation SSL Vetting Process

Overview of the Extended Validation SSL Vetting Process

Per the guidelines defined by the CA/Browser Forum, Certification Authorities (CAs) may issue Extended Validation (EV) SSL Certificates to Private Organizations, Government Entities, and Business Entities that satisfy the requirements specified below:

** Private Organizations**

The CA may issue EV Certificates to Private Organizations that meet the following requirements:

  1. The Private Organization must be a legally recognized entity whose existence was created by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation) or is an entity that is chartered by a state or federal regulatory agency;
  2. The Private Organization must have designated with the Incorporating or Registration Agency either a Registered Agent, or a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration) or an equivalent facility;
  3. The Private Organization must not be designated on the records of the Incorporating or Registration Agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent;
  4. The Private organization must have a verifiable physical existence and business presence;
  5. The Private Organization’s Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
  6. The Private Organization must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

** Government Entities**

The CA may issue EV Certificates to Government Entities that satisfy the following requirements:

  1. The legal existence of the Government Entity must be established by the political subdivision in which such Government Entity operates;
  2. (The Government Entity must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction;
  3. The Government Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

** Business Entities**

The CA may issue EV Certificates to Business Entities that do not qualify under the criteria listed for Private Organizations above but that do satisfy the following requirements:

  1. The Business Entity must be a legally recognized entity whose formation included the filing of certain forms with the Registration Agency in its Jurisdiction, the issuance or approval by such Registration Agency of a charter, certificate, or license, and whose existence can be verified with that Registration Agency;
  2. The Business Entity must have a verifiable physical existence and business presence;
  3. At least one Principal Individual associated with the Business Entity must be identified and validated;
  4. The identified Principal Individual must attest to the representations made in the Subscriber Agreement;
  5. Where the Business Entity represents itself under an assumed name, the CA must verify the Business Entity’s use of the assumed name pursuant to the requirements of Section 15 herein;
  6. The Business Entity and the identified Principal Individual associated with the Business Entity must not be located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction;
  7. The Business Entity and the identified Principal Individual associated with the Business Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.
Extended Validation
Latest releases
Server Certificate Requirements
SC095v3: Clean-up 2025 - Apr 2, 2026

Code Signing Requirements
v3.8 - Aug 5, 2024

What’s Changed CSC-25: Import EV Guidelines to CS Baseline Requirements by @dzacharo in https://github.com/cabforum/code-signing/pull/38 Full Changelog: https://github.com/cabforum/code-signing/compare/v3.7...v3.8

S/MIME Requirements
v1.0.14 - Ballot SMC016 - May 5, 2026

This ballot maintains consistency between the S/MIME Baseline Requirements and the TLS Baseline Requirements with changes introduced by Ballots SC096 and SC097. Specifically, this ballot: Creates a carve-out of the logging requirements for DNSSEC specifically, stating these are not in scope. For audit purposes, change management logging is able to confirm if the appropriate controls are in effect or not. Sunsets all remaining use of SHA-1 signatures in Certificates and CRLs. It is noted that most uses of SHA-1 signatures are already deprecated by SC097. With this ballot, all unexpired Subordinate CA Certificates issuing S/MIME containing the SHA-1 signature algorithm must be revoked. This proposal does not prohibit the use of SHA-1 to generate issuerKeyHash or issuerNameHash values as currently required by RFC 5019. Includes minor formatting corrections.

Network and Certificate System Security Requirements
Version 2.0.5 (Ballot NS-008) - Jul 9, 2025

Edit this page
The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).