Code Signing Best Practices
It’s great to see that you’ve decided to get that mandatory trust factor: a code signing certificate, which is needed for signing an application or software package to prevent those pesky warning messages which make users run away.
For digitally signing your software and apps, using a trusted code signing certificate is a must. With today's prevalent security threats it has become almost mandatory: a code signing certificate builds trust with users by assuring them that the software comes from a known source and hasn't been tampered with since it was signed.
However, getting a code signing certificate issued requires following certain steps. If you're not aware of the steps to take, or you're facing difficulty while completing the process, don't worry, you're at the right place.
Here, we'll discuss in detail the 3 required steps that need to be completed to get a code signing certificate issued.
We’ll try our best to keep the process of certificate issuance as easy as possible. Getting a code signing certificate issued requires three main steps to be followed:
To generate the CSR securely and without any issues, you'll need to use Mozilla Firefox ESR or Internet Explorer 11 as your web browser. These browsers are used because they contain a set of features that allows generating the CSR and private key. If you don't have Mozilla Firefox ESR or Internet Explorer 11, you'll need to download and install one of them. If you're not able to download it or you're facing any issue while installing it, feel free to contact us.
Your private key is generated together with the CSR, and you'll hold the only copy of it, so keep it safe.
Follow the below steps to generate a code signing certificate CSR:
Once the above steps are completed, you can proceed to the second vital step of completing the validation.
For OV code signing certificates, four steps need to be fulfilled for completing the validation process, and they’re as follows:
Organization verification is the very first step in validating a requested code signing certificate. Here, the certificate authority from which you've purchased the code signing certificate verifies your organization to confirm its legitimacy. If you're using a legal trade name or DBA, you'll also have to make sure that all the registered information was up to date at the time of filing.
The method CAs usually prefer for verifying that you're who you say you are is to check your information against the relevant online government database. Here, the CA checks the business information maintained online by your local government, which shows that you're the registered entity. It's one of the easiest and most time-effective methods, and most CAs use it as their first option.
Locality verification comes next: the CA checks whether the provided physical address of the business exists. This allows the CA to confirm that you're a legal entity with a physical presence at a registered location. Again, the CA verifies the information by looking through the available online government database. If the data is not available or it doesn't match the provided address, you'll have to go with an alternative method:
Once the above two steps of Organization and Locality verification are completed, the third step of verifying the registered telephone number of the business is carried out by the CA. Here, the CA confirms whether you’ve got an active listed telephone number that is registered with your business and available on an online telephone directory.
The number listed on that online telephone directory must be identical to the number which you submitted during the initial registration process of a code signing certificate. Also, the telephone number must display the same physical address and the verified business name.
The verification call is the last step before the issuance of a code signing certificate. Once the above steps are completed, you'll receive a verification phone call from the CA, where they'll ask some basic questions, for example whether you've requested the certificate and what the address of the registered business is. It's a pretty straightforward call: the CA will speak with the specified applicant on the registered business telephone number that was earlier used for confirming the order details.
If you’ve made it this far, congratulations, you’ve almost completed the instructions, and you’ve just got one step to go.
Once all the verification steps above are complete, the CA will send you an email containing a collection link for your issued code signing certificate. Below are the steps for collecting your issued code signing certificate:
Now, export the code signing certificate with its associated private key from the web browser. You'll be required to save it to your local computer as a .p12 file.
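The CSR generation step and the final export of certificate plus private key as a .p12 file can also be done from the command line with OpenSSL. The script below is an added example, not part of the original article; the subject values, file names and passphrase variables are constructed placeholders, and the issued certificate file is assumed to be the one you collect from the CA.

```shell
#!/bin/sh
# Added example (not from the original page): generate an encrypted private key
# and a code signing CSR with OpenSSL, check the CSR before uploading it to the
# CA, and after issuance bundle certificate + key as a .p12 file. Subject values,
# file names and passphrases below are constructed placeholders.
set -e

# gen_csr OUTDIR: writes OUTDIR/codesign.key (AES-256 encrypted) and
# OUTDIR/codesign.csr. The key passphrase is read from $KEY_PASS so it never
# appears on the command line or in shell history.
gen_csr() {
  mkdir -p "$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -aes-256-cbc -pass env:KEY_PASS -out "$1/codesign.key"
  # Subject fields must match the registered business details the CA validates
  # (country, state, locality, legal organisation name); for OV, CN is the O.
  openssl req -new -sha256 -key "$1/codesign.key" -passin env:KEY_PASS \
    -subj "/C=US/ST=Example State/L=Example City/O=Example Corp/CN=Example Corp" \
    -out "$1/codesign.csr"
  # Confirm the CSR's self-signature is valid before submitting it.
  openssl req -in "$1/codesign.csr" -noout -verify
}

# csr_org OUTDIR: prints the O= field of the CSR for a final comparison against
# the organisation name on file with the CA.
csr_org() {
  openssl req -in "$1/codesign.csr" -noout -subject \
    | sed 's/.*O *= *\([^,/]*\).*/\1/'
}

# bundle_p12 OUTDIR CERTFILE: once the CA has issued CERTFILE, export it with the
# private key as PKCS#12, protected by $P12_PASS and encrypted with AES-256 and
# an HMAC-SHA256 integrity check rather than the legacy RC2/3DES defaults.
bundle_p12() {
  openssl pkcs12 -export -in "$2" -inkey "$1/codesign.key" -passin env:KEY_PASS \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -passout env:P12_PASS -out "$1/codesign.p12"
}

# Usage: KEY_PASS='...' sh codesign-csr.sh ./out
if [ -n "${1:-}" ]; then
  gen_csr "$1"
  echo "CSR written to $1/codesign.csr for organisation: $(csr_org "$1")"
fi
```

Upload `codesign.csr` to the CA; the encrypted `codesign.key` and, later, `codesign.p12` stay on the signing machine only.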
Getting a code signing certificate isn't a hard process. You can choose between organization validation and extended validation, both of which require a verification process. If you have all the required information on hand and it's up to date, your certificate will be issued without any issues.
However, it's advised to avoid delay in submitting any required information, as this also delays the issuance of the certificate: the certificate is not issued until the verification process is completed.