Well, maybe not quite… but hopefully it helps explain the concept better.
SSL is not the trusted stamp of approval that it was maybe 10-15 years ago, business requirements and competition between CA vendors has moved it away from being a cumbersome, manual and lengthy process to the point where you can point and click your way online to an SSL web server certificate within a couple of minutes (as long as you have a valid credit card).
The downside of this is that there is only minimal verification about the entity or persons behind most SSL certificates – so just browsing an SSL-enabled site doesn’t provide much security beyond the obvious encryption of data between the client and server.
To address this, the CA vendors agreed on a more restricted version of SSL certificates that require a more extensive verification of the entity before they are issued. Browser or application vendors have in turn agreed to support this – this is where the ‘Green is good’ part of the browser bar kicks in when accessing a web site protected by an Extended Validation (EV) SSL certificate.
But what if you have a public Root CA and you want to be able to issue EV SSL certificates from it rather than go through one of the CA providers?
In that case you need to get your CA’s on the CTL for each browser that you want to ‘Go Green’ on – the following shows how IE 7+ does this.
Note that the issuing CA must also be a minimum of W2k8 R2 to be able to issue EV certificates – internally or externally.
Internet Explorer and Business Value of Extended Validation SSL certificates
Extended Validation SSL Update
Internet Explorer 8 Security – Extended Validation Certificates | TechNet
PKI Enhancements in Windows 7 and Windows Server 2008 R2
Extended Validation support for websites using internal certificates
Extended Validation Certificate