How do I get my site verified such that it shows a green box in Chrome's address bar?

domains web-hosting https security-certificate
6,825

Solution 1

The 'green box' in the Chrome address bar isn't anything to do with verification by Google - as Stephen alluded to in the comments on your question, it's an indication that your site has an Extended Verification (EV) security certificate.

The 'green box'

This is generally a 'premium' SSL product offered by many SSL certificate providers. To get one of these certificates, the best place to start is usually your web host, who can handle the entire process of generating a certificate signing request, purchasing the certificate for you, and installing it. It is sometimes possible to do this yourself through your web hosting control panel, but you'll need to know your way around it to do this.

If you do decide to go down the route of doing it yourself, most trusted certificate providers should be able to provide you with an EV certificate. These include companies such as Comodo, Thawte, Verisign and many others. Typically they also provide instructions for setup on popular hosting control panels.

Solution 2

As Tim Malone said, this is a special type of SSL certificate that is usually sold at a premium by certificate authorities. The going rate is usually at least a couple of hundred dollars.

What Tim did not mention, and part of the reason for the elevated price, is that there is a certain amount of paperwork involved that has to be submitted to and checked by the CA that you are purchasing the certificate from. This paperwork usually includes verifying that the business requesting the certificate is duly registered with the state or country, getting an executive from the company to sign off on the request, and possibly other things. Unlike other certificates, you can't just purchase it, do a five-minute automated verification, and have the certificate installed within a few hours at most. These certificates are called "Extended Validation" for a reason - everything must be checked to make sure that the person requesting the certificate works for the company they are requesting it for and has the authority to be requesting it.

Solution 3

I think this question deserves a bit more background... There's different types of SSL/TLS certificates that can be issued by a Certificate Authority (CA), who basically acts like a notary, certifying that the domain you're accessing, is really the real site, and you're accessing it securely.

When you access a site that uses HTTPS, the site's server will send its SSL/TLS certificate and which the browser will check. A "Green lock" showing up means the site's certificate is valid, (signed by a CA), and the entire contents of the page and the connection is encrypted. A green lock tells that you are actually connected to the actual real server used by that domain.

The other type of "green lock" has the name of the business entity, and is an Extended Validation (EV) SSL/TLS certificate that is valid. Only businesses can apply for EV certificates, and these involve a more thorough issuing process by a Certificate Authority (CA) who basically really makes sure that the site google.com is actually owned by Google, Inc.

See the difference between the two: enter image description here

Often, static websites that aren't very complex, or don't store passwords, or sensitive info don't really need (but are highly encouraged) to encrypt their traffic using HTTPS and SSL certificates. As stated in that question, using HTTPS doesn't just secure the connection, but also provides authenticity which is important even for simple static sites.

For personal websites, you can get a regular DV (Domain Validation) SSL/TLS certificate. The way to do this depends on where your site is hosted, but the gist of it is you need to create a private key (2048-bit please) and with it create a Certificate Signing Request (domainame.csr) file to send to a CA to issue/sign you a certificate. After you have the CA-signed public certificate, and your private key, you tell your web server where they are, and to use SSL/TSL, the details vary depending your setup.

You can use startssl.com, to get a regular SSL certificate for free, btw. HTH

Solution 4

Other answers say how to get the certificate, but don't mention that your users need to be using your site over HTTPS to see the green bar even once you have the certificate installed.

If showing the green verification is important for you and your site, you should redirect your HTTP site to your HTTPS site so that users always use the HTTPS version that has the validation.

Share:
6,825
Stephen Ostermiller
Author by

Stephen Ostermiller

Updated on September 18, 2022

Comments

  • Stephen Ostermiller
    Stephen Ostermiller over 1 year

    How do I get my site verified by Google Chrome so it has the green box in the address bar? I honestly don't know how to do this. Also, do I have to ask Google to verify it?

    • Admin
      Admin over 7 years
      Are you asking about the green that indicates that the site has an Extended Verification (EV) security certificate for HTTPS/SSL/TLS?
    • Admin
      Admin over 7 years
      @StephenOstermiller yes
    • Admin
      Admin over 7 years
      You have to pay for it.
    • Admin
      Admin over 7 years
      Or get one free through letsencrypt.org
    • Admin
      Admin over 7 years
      Lets Encrypt does not even offer EV certificates. It is in their FAQ: letsencrypt.org/docs/faq They only offer domain validation (DV) certificates.
    • Admin
      Admin over 7 years
      And even their DV certificate offerings are limited. For example (and what I know of), they don't support wildcard certificates or certificates for IDN domain names. The latter was a big bummer for me with one domain I wanted to serve over HTTPS.
    • Admin
      Admin over 7 years
      @Auzias so if I use that site will it still have the green box?
    • Admin
      Admin over 7 years
      Yes. Though it's a box and you don't seem to understand what lies underneath.
    • Admin
      Admin over 7 years
      @Alex NO, getting a certificate from LetsEncrypt will not give you "the green box". Serving your website over HTTPS will display a lock in most browsers, but "the green box" showing your company name will only be shown if you possess an EV certificate, which LetsEncrypt does not offer.
    • Admin
      Admin over 7 years
      @MichaelKjörling Indeed, they do not grant wildcard certificates due to the security risks related to it ( security.stackexchange.com/questions/8210/… ). However, you can request a certificate that validates multiple (sub)domains. This is doable as long as you have a limited list of subdomains which doesn't change much, otherwise you'll have to pay for a wildcard certificate.
    • Admin
      Admin over 7 years
      @Alex I suggest you get some more information regarding the meaning of HTTPS, public keys, DV certificates and EV certificates before you start with this. It looks like you don't have much knowledge regarding this topic, which leads me to believe that you will make mistakes that can damage your domain and perhaps any company that is represented by that site. If you're not sure, you could get your site hosted by a provider and let them handle everything
    • Admin
      Admin over 7 years
      @GroundZero Indeed, wildcard certificates have their own problems as pertains to validation, perhaps especially when limited to DV certs, which makes them hard to issue automatically. However, IDN CN DV certs shouldn't be that difficult.
  • Derecho
    Derecho over 7 years
    It's also important to mention that EV certificates are not issued to individuals.
  • user
    user over 7 years
    "Often, static websites that aren't very complex, or don't store passwords, or sensitive info don't really need to encrypt their traffic using HTTPS and SSL certificates." People disagree. Also note that HTTP/2 isn't supported by any of the major browsers in unencrypted mode, so if you want HTTP/2, you have to talk HTTPS.
  • user
    user over 7 years
    And if it's really important, you should set up HSTS along with HTTPS.
  • dhaupin
    dhaupin over 7 years
    "Often, static websites that aren't very complex, or don't store passwords, or sensitive info don't really need to encrypt their traffic using HTTPS and SSL certificates." If you aren't encrypting every shred of data that hits your server and back to me, I don't really need to be giving you my traffic. Also, any kind of website will take a hit in search rankings if they don't use full HTTPS everywhere. Also also, there is a new address bar icon coming in Chrome that says "Not Secure" in bright red with a warning triangle if the domain is not running HTTPS. ---> i.imgur.com/ahR6dMg.png
  • unknownprotocol
    unknownprotocol over 7 years
    @dhaupin Thanks. The upcoming "Not Secure" warning is news to me, I'll have to read up on that. But even sites that use SSL certs don't encrypt all their traffic (static content)... heck this site doesn't serve everything using https.
  • unknownprotocol
    unknownprotocol over 7 years
    @MichaelKjörling I know it's always better to serve HTTPS, but for some plain info-only html sites, I think sometimes the process of getting a CA-issues certificate is more hassle than it's worth.
  • user
    user over 7 years
    It's perfectly possible to use Stack Exchange almost exclusively over HTTPS, currently excepting site-specific Meta sites and excepting images inlined in posts by users explicitly over HTTP. And the process of getting a DV SSL cert is certainly not laborious, not even before Let's Encrypt. EV certs are another matter, but for a lot of sites, EV certs don't add significant value; HTTPS as opposed to plain-text HTTP does.
  • BlueCacti
    BlueCacti over 7 years
    An EV certificate is only granted to legal entities after the CA has verified that you are allowed to purchase the cert and the domain does indeed belong to the legal entitiy. --> en.wikipedia.org/wiki/Extended_Validation_Certificate - An Extended Validation Certificate (EV) is a public key certificate that proves the legal entity controlling a web site or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA).
  • BlueCacti
    BlueCacti over 7 years
    Once you start with HTTPS, you should use an HSTS header so that clients using your (insecure) HTTP site will automatically start using the HTTPS version. There's a nice site that'll show which headers you are missing or have incorrectly configured: securityheaders.io
  • Num Lock
    Num Lock over 7 years
    @GroundZero Yes, you should use HSTS. But I don't see how this adds to the scope of the question. HSTS is not related to EV. The question is about EV specifically. You might as well mention preloading of HSTS then. Or OCSP stapling. Or key pinning. Or this or that, as well. And there is so much more you need to do right than just setting a couple of headers.
  • Stephen Ostermiller
    Stephen Ostermiller almost 7 years
    It takes more than just any SSL certificate to get the green bar. It specifically takes an extended validation (EV) certificate.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to configure DNS for hosting a domain with 000webhost.com when purchased from whois.com?
Where to buy .ha domain extesion?
Why can I access a website through IP address but not by it's domain name?
My domain's DNS is not working and my host says it could take a couple days
Setting up domain name and email servers for VPS
Avoiding SSL certificate errors with Amazon S3 subdomain
How to Add Two Domains ON 1 IP using webmin
New domain keep pointing back to old server
Domain reg transfer - will my site go down at all?
Switching from GoDaddy Hosting to Bluehost Hosting with/without transfering domain names?