Nobody wants to download something that will affect their computer negatively and Operating Systems are well aware of this. That's why they've gone out of their way to generate warning messages anytime someone attempts to download something that may not come from a trustworthy source.
To software developers and engineers, these messages can mean the difference between someone adopting your software and someone forgetting it in their download folder. And losing users is bad for business—bad for the bottom line. So how do you become a trustworthy source? How do you prevent those messages and alerts from popping up before someone attempts to run YOUR software or code?
What is Code Signing?
Code Signing certificates allow you to sign a piece of software or code and essentially prove where it came from and that it's trustworthy. This is done with a digital signature, which tells the user's operating system or browser who made the software and that it hasn't been modified by a third party since it was signed.
Think of code signing as a sort of digital shrink wrap. When you're at an electronics retailer or some kind of megastore and you pick up a CD, a DVD or some kind of software you'll notice it comes wrapped in clear plastic. This indicates to you that the item you're holding hasn't been tampered with since it left the manufacturer. This in turn gives you confidence that the product you're buying is safe and comes as intended.
Code Signing does the same thing. When someone attempts to download your software, it allows them to check on who developed it and assures them that it hasn't been tampered with. It gives users confidence that they're downloading what you intended. It also lets them know who you are.
These are both crucial to your success as a software developer.
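As an added illustration (not code from this page or from any CA), the following Go program models the two guarantees just described: a publisher signs the SHA-256 digest of its installer under its own name, and the verifier accepts the file only when the claimed publisher is in its trust store and the signature still matches the bytes. Ed25519 keys and the publisher-name trust-store map are assumptions standing in for the real certificate chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedArtifact stands in for a signed installer: the file bytes, the claimed
// publisher, and a signature over (publisher name || SHA-256 of the file).
type SignedArtifact struct {
	Publisher string
	File      []byte
	Signature []byte
}

// messageToSign binds the publisher identity to the file digest, so a signature
// cannot be re-used for a different file or under a different publisher name.
func messageToSign(publisher string, file []byte) []byte {
	digest := sha256.Sum256(file)
	return append([]byte(publisher+"\x00"), digest[:]...)
}

// Sign is what the publisher does at release time.
func Sign(publisher string, priv ed25519.PrivateKey, file []byte) SignedArtifact {
	sig := ed25519.Sign(priv, messageToSign(publisher, file))
	return SignedArtifact{Publisher: publisher, File: file, Signature: sig}
}

// Verify plays the operating system's role: accept only if the claimed publisher
// is in the trust store and its key signed exactly these bytes. The returned
// string is the reason a user would see in a download warning.
func Verify(trusted map[string]ed25519.PublicKey, a SignedArtifact) (bool, string) {
	pub, ok := trusted[a.Publisher]
	if !ok {
		return false, "unknown publisher: " + a.Publisher
	}
	if !ed25519.Verify(pub, messageToSign(a.Publisher, a.File), a.Signature) {
		return false, "signature mismatch: file modified or signed with another key"
	}
	return true, "verified publisher: " + a.Publisher
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	trusted := map[string]ed25519.PublicKey{"Example Software Ltd": pub}
	a := Sign("Example Software Ltd", priv, []byte("constructed installer bytes"))
	fmt.Println(Verify(trusted, a)) // true verified publisher: Example Software Ltd
	a.File = []byte("constructed installer bytes, altered by a third party")
	fmt.Println(Verify(trusted, a)) // false: the bytes no longer match the signature
}
```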
How do I get Verified?
The issuing Certificate Authority (CA) requires your organization to complete a verification process. This process is how the CA makes sure you are a legitimate business. Keep in mind, by issuing this certificate – one that will be recognized by browsers and will disable those annoying alerts and warnings, thus making you appear trusted – the CA is essentially vouching for your legitimacy. This means it's in their best interest to make sure you check out and that you ARE actually legitimate.
That's why there's a fairly extensive process in place to validate your organization.
But don't worry. If you are indeed a legitimate company, this process isn't painful. And it can be finished rather quickly. Just keep in mind, it's in place to weed out the imitators and to protect consumers.
These are the steps required for Organization Validation for Code Signing:
- Identity Authentication
- Organization Authentication
- Locality Presence
- Telephone Verification
- Final Verification Call
So what are you waiting for? This process is straightforward and an absolute must for any company who develops software. Plus, you have us in your corner to help you every step of the way.
So let's get started!
Identity Authentication (Sectigo/Comodo Only)
If you have a Code Signing Certificate from Sectigo/Comodo, the first step is to complete Identity Authentication. The CA will request government-issued photo ID from the person requesting the certificate to verify they are the authorized requester. You can submit your ID with your order number directly to the CA using their online ticketing system.
Organization Authentication
The first requirement for getting an Organization Validated Code Signing certificate is called Organization Authentication. This is where the Certificate Authority (CA) attempts to verify that your organization is a legitimate legal entity that is active in its registered location.
What is Organization Authentication?
The Organization Authentication requirement is just what it sounds like: the CA is going to verify that your company is a legally registered business. This should be no problem if your records are up to date. But, keep in mind, if your company uses any trade names, assumed names or DBAs you will need to make sure that all of your registration information is accurate and reflects this beforehand.
In the majority of cases the CA will be able to verify this using an Online Government Database. The CA will check the official website in your local municipality, state or country that displays business entity registration status. It goes without saying that the details listed in the government database need to match the details you've provided the CA or else a delay will ensue in the issuance of your certificate.
If the CA can't use an Online Government Database to verify your information – either because yours doesn't have up-to-date records or doesn't provide that information at all – don't worry. There are other methods to satisfy this requirement.
- Official Registration Documents – The CA can also accept official business documents that prove your organization is a legitimate legal entity. These can include articles of incorporation, a chartered license, DBA statements or any other documents that were issued by your local government.
- Dun & Bradstreet – Dun & Bradstreet is a company that provides financial reports on other organizations. The CAs will take a comprehensive DUNS Credit Report to verify specific details associated with your company in order to satisfy this requirement as well.
- Legal Opinion Letter – A Legal Opinion Letter is a document wherein an attorney or accountant essentially vouches for the authenticity of your organization. Sometimes called a Professional Opinion Letter, or POL, this document can be a hassle to obtain, but it satisfies three of the four OV requirements, which makes it worth the effort. You can learn more about POLs here.
Any of these methods can be used to satisfy the Organization Authentication requirement should the CA's attempts to use an Online Government Database fail.
Locality Presence
The next requirement for an Organization Validated Code Signing certificate is called Locality Presence. This is where the Certificate Authority (CA) will attempt to verify that your organization or company has a presence in its registered location.
What is Locality Presence?
To satisfy the Locality Presence requirement the CA will need to make sure that the legal entity (your organization) has a physical presence within its registered country or state. The CA doesn't need to verify the actual street address – they don't care that you're on Main Street – just the locality (city, state, province, etc.) of the address.
Usually the CA will verify this information by checking with an Online Government Database. It will look in the database of your local municipality, state or country and check that the registration details – namely the city/state in your address – match up against the details you provided at the outset of the process. If they do, you're good to go and you have satisfied this requirement.
But if everything doesn't match exactly, you will need to use an alternative method to prove your locality presence. Don't worry, there are three additional ways to satisfy this requirement.
- Official Registration Documents – The CAs can accept any documentation from your local government that verifies the information you have provided for them. This can include documents like articles of incorporation, chartered licenses or DBA statements.
- Dun & Bradstreet – Dun & Bradstreet is an organization that provides financial reporting on companies. The CAs treat the information in these reports as authoritative. Providing a comprehensive DUNS Credit Report will allow the CA to verify the physical address associated with your organization.
- Legal Opinion Letter – A legal opinion letter, sometimes called a professional opinion letter or POL, is a document in which an attorney or an accountant vouches for the legitimacy of your business. Though they can be difficult, and sometimes even costly to obtain, they can also be used to satisfy three of the four requirements for an OV Code Signing Certificate. You can find out more about Professional Opinion Letters here.
Any of these methods will work to satisfy the Locality Presence requirement if the CA's attempts to use the Online Government Databases fail.
Telephone Verification
The Telephone Verification requirement for getting an Organization Validated Code Signing Certificate is fairly straightforward. You must have an active, listed telephone number associated with your organization. That's it.
What is Telephone Verification?
To satisfy the telephone verification requirement the Certificate Authority (CA) must make sure that you have an active telephone number listed. And that telephone number must be verifiable by an acceptable telephone directory. The listing must also be EXACTLY the same as the information you submitted when you registered. This includes the verified business name and the physical address.
To verify this information, the CA is going to start by looking at the Online Government Databases in your local municipality, state or country to check that the listed phone number matches, in addition to the associated name and address. If this all matches up you're good to go—you have satisfied this requirement.
However, most government databases do not display telephone numbers. This means you may have to use an alternative method to verify this information with the CA. Don't worry, there are two other ways to satisfy this requirement.
- Dun & Bradstreet – The CAs can refer to your organization's Dun & Bradstreet credit profile to verify details such as your physical address and telephone number. If you don't have a Dun & Bradstreet profile or cannot create one, you may need to provide additional documentation.
- Legal Opinion Letter – Sometimes called a Professional Opinion Letter or POL, the Legal Opinion Letter is a document where an attorney or accountant – in good standing – verifies that the information you have provided is correct and that your organization is a legitimate legal entity operating in good faith in its locality. These letters can be a hassle to obtain, but they satisfy 75% of the requirements for an OV Code Signing Certificate. To learn more about Professional Opinion Letters, click here.
Either of these methods will satisfy the Telephone Verification requirement in lieu of your number being listed in the Local Government Database.
Final Verification Call
The final requirement in the Organization Validation process is perhaps the simplest. The Certificate Authority (CA) will call you or the specified applicant (usually a site admin) in order to confirm the order details.
What is the Final Verification Call?
In order to finalize Organization Validation and issue your certificate, the CA will need to speak with you or the specified applicant using your organization's verified telephone number to confirm the details of your order.
This is as straightforward as it sounds. Just be available and the call should take about five minutes—if that.
And if the listed telephone number doesn't ring directly to your desk – as is often the case – don't worry. The CA will attempt to get in contact with you a couple of different ways.
- Extension or IVR – If your phone system has extensions or uses Interactive Voice Response (IVR) the CA will work through the system to connect with you. It will be a person on the other end of the line, so as long as your extension is listed (or you have provided it) or your phone can be reached by the IVR, you'll be fine. The CA will call you and you can satisfy this requirement.
- Transfer or Alternative Number – In lieu of having an extension or IVR, the CA can also have the operator (or just the person answering your company's phone line) transfer them or provide them with your direct number. Either way works just fine and will allow the CA to get in touch with you or the specified applicant.
From there, just answer their questions (don't worry, they're not trying to trick you with anything too challenging) and you'll have satisfied the final requirement.
Now all that's left is for the CA to issue the Code Signing certificate.