After the CSR is generated and sent to the CA, the CA conducts a verification process before issuing the certificate. The steps involved in verification depends on the type of certificate requested.
For Domain Validation (DV) certificates – if the domain name is the same as what’s listed as the Common Name on the CSR, the CA verify the domain ownership themselves (although this depends on the CA. Some may require additional form-fills or other checks). If not, the CA might mail a link to a list of email addresses on the domain (like administrator@, webmaster@, ) with a verification link, clicking on which will prove domain ownership. Further steps depend on the CA handling the request. These certificates typically take a few minutes to be issued.
For Organization Validation (OV) and Extended Validation (EV) certificates – these certificates entail more verification steps. Here, the CA verifies the physical existence and eligibility of the organization. This may involve visiting the organization in person, verifying the phone number and email address provided, etc., apart from domain control verification. These certificates typically take up to 3 days to be issued.