What are the Validation Requirements for Extended Validation Code Signing Certificates?
If you're an organization developing or publishing software and you're looking for an extra edge in the form of instant trust from Microsoft SmartScreen, an Extended Validation (EV) Code Signing Certificate will be the perfect choice for you. The validation steps are almost the same as for EV SSL Certificates, but because this is a Code Signing Certificate there are some differences:
Below are the different requirements:
Enrollment Form
To fulfill this requirement, you will receive an email from the Certificate Authority containing a form; fill it in and send it back. The Enrollment Form is also sometimes known as the Acknowledgement of Agreement. It's a single page that asks for some basic information, such as:
- The Organization’s name
- The Organizational contact’s official title
- The full name of the Organizational contact
- The signature of the Organizational contact
- Date & place of signing
- A contact in HR to verify that the person (Organizational Contact) who has applied for this EV Code Signing Certificate is employed by the company.
Organization Authentication
The CA (Certificate Authority) verifies that the organization is active at a registered location and that it is a legal entity.
Operational Existence
If an organization is well established and has been active for more than three years, this requirement will be quite easy to satisfy. It's similar to Organization Authentication, but here the CA checks the requisite online government data (which could be held by your local municipality, state or country), which should show the incorporation date of your organization.
Physical Address
To satisfy this requirement, you have to prove that your organization is established and registered, with a physical presence in that country or state. Here, the CA checks an online government database (either at your local municipality, state or country level) for a physical address that must match exactly what was listed on the Enrollment Form. Certificate Authorities (CAs) do not accept PO Boxes, nor any company registered overseas.
Telephone Verification
The Certificate Authority (CA) verifies that the telephone number is valid and that it is listed in an acceptable online telephone directory under the verified business name, including corporate identifiers like Inc. or LLC, together with a physical address.
Employment Verification
The CA (Certificate Authority) checks an online government database (either at your local municipality, state or country level) for the physical address and the name of the executive; alternatively, it can contact the HR/Payroll Manager/Entity Member and speak with them to confirm that the applicant is a full-time employee and has the authority to obtain the certificate.
Final Verification Call
To satisfy this requirement, the CA (Certificate Authority) makes a final call to a verified business telephone number to speak with the specified applicant (Organizational Contact) and confirm the order details. If the number doesn't connect directly to the Organizational Contact but instead reaches an extension, an IVR (Interactive Voice Response) system, or an operator or receptionist, the CA will work through that system to reach you.
All of these requirements are normally satisfied by verifying the information available in an online government database. If that information is not found or is out of date and the verification fails, there are other ways to satisfy them:
1. Email or Fax the Documents
If for some reason you are not able to complete the Enrollment Form electronically, you can mail the paper version to the CA's physical address, or you can fax it to them.
2. Official Registration Documents
If you couldn't satisfy the Organization Authentication, Operational Existence or Physical Address requirement, you can do so by providing documents issued by the local government as proof, for example:
a. Articles of Incorporation
b. DBA Statements
c. A Chartered License
3. Legal Opinion Letter
A Legal Opinion Letter, also known as a Professional Opinion Letter (POL), is a letter provided by an accountant or attorney vouching for the authenticity of an organization. It can be used to fulfill five different requirements:
a. Organization Authentication
b. Operational Existence
c. Physical Address
d. Telephone Verification
e. Employment Verification
4. Recognized Third-Party Directories
If the Telephone Verification requirement is not satisfied, the alternative way a Certificate Authority like Comodo/Sectigo tries to verify it is by finding the listing in a recognized third-party directory, such as:
a. Yellow Pages
Note: Only third-party telephone listings from Dun & Bradstreet or the Better Business Bureau are accepted by Comodo CA/Sectigo (US businesses only).
5. Bank Confirmation Letter
If your organization has been in operation for less than 3 years, Comodo/Sectigo can accept a letter from your bank stating that your organization has an active checking account (Demand Deposit) with them.
Once all the requirements are satisfied and the validation is finished, Comodo/Sectigo will mail a package containing the EV Code Signing Certificate to a verified address. For more information on how to "collect" an EV Code Signing Certificate upon arrival, please refer to this article.