Yes! And we're really good at it. Unlike other CAs, where half the staff have no idea even about non-onion EV, not only do we do handle. onion but we've made a bunch of changes to our software to handle the various changes to wildcard rules, certificate duration, domain validation processes and other elements necessary to do EV for .onions.
Our system automatically ignores whois (which doesn't exist for .onion) and moves to proof of control via file upload – you'll get instructions as soon as we receive your order.
Unlike older CAs, CertSimple's certificates automatically renew yearly, rather than using longer period and emailing you to renew manually. This also works out better for Tor, since certs must be for 1 year anyway. Unlike older CAs, our system prevents you from ordering an impossible 2 year .onion cert.
Wildcards are normally banned for EV certs, but wildcards /are /allowed for .onion domains. Our UI will let you use * for .onion domains.
We handle both old style (16 character) and next-gen (56 character) .onion domain names. Old-style .onion names use a SHA-1 hash, and SHA-1 is now considered weak, so part of the validation rules is to include a SHA2-256 hash of the hidden services key in the .onion certificate itself. Our software will automatically ask you for this if needed.
Check out some of our customer's .onion sites at: