Obtaining an Extended Verification SSL Certificate

by Paul Reinheimer on

We decided to obtain an Extended Verification SSL certificate for WonderProxy and start running our website entirely through it (no standard http:// pages, just https:// for everything). Despite lots of regular SSL experience, the process was rather foreign to us. We decided to obtain the certificate through GoDaddy for cost reasons.

Steps

  1. Register with GoDaddy and purchase an EV certificate token

  2. Flip over to their Certificate system, use the token to initiate a request

  3. Do the fun bits with OpenSSL to generate a Certificate Signing Request

  4. Hand that data off to GoDaddy
    Now this is the part where I thought the extra fees I was paying for the certificate would come into play, and GoDaddy’s team would leap into action researching my request. Not so much. In fact, what occurs is that your own highly paid lawyers or accountants leap into action, and bill you by the minute.

  5. Receive instructions from GoDaddy detailing the steps your Lawyer or Registered Accountant needs to follow. You need either a legal or accounting(?) opinion about the validity of your company and registration. The opinion letter has eight key elements:

  6. Your corporation is a valid, active, legal entity.

  7. You conduct business under this corporate name, and it is duly registered with the appropriate government agency

  8. The person signing & submitting the request is authorized to do so on behalf of the company

  9. The person approving the request is also authorized to do so (these were both me, it’s a small company)

  10. The company has a physical place of business and that address

  11. The company has a phone number and that phone number

  12. The company has an active bank account

  13. The company owns the domain in question

Number 7 there caused us a few issues. Due to the official Quebec registrar being closed we hadn’t obtained a Quebec registration. We were registered federally, and had a provincial tax number, just not an official enterprise number. Without this enterprise number we were unable to obtain a bank account (or verify our PayPal account), so several things were delayed all for the want of a number.

  1. Submit opinion letter to GoDaddy
  2. Fill out a few forms from GoDaddy confirming the request, including the signer and approver, file with GoDaddy
  3. GoDaddy phones the lawyer who issued the opinion letter (using the phone number in some sort of lawyer registry; in the US this would be the Bar) to confirm the information and that they in fact issued the opinion letter
  4. GoDaddy phones the signer and possibly the approver (I was both people, so there was only one phone call) to confirm the details on their forms
  5. An internal GoDaddy “Audit” department reviews the data (this isn’t the person you deal with while completing the steps)
  6. Certificate Issued

Total cost was probably ~$400 in professional services and GoDaddy fees. Our goal, clearly, is to have this cost outweighed by the level of trust and security the average user has for an EV certificate. Now that we’re offering dedicated VPN plans, protecting our users’ privacy from start to finish is even more important.