Documents Required to issue a Code Signing Certificate
Posted: June 22, 2020
Everyone likes their online activities to be safe and secure. People do a lot of things online, and one of them is downloading files, which could be an application, software or something else. To make sure that downloaded software or any other file is safe to use, a Code Signing Certificate is offered. It’s a type of identity certificate used by software developers and organizations to place a digital signature on their software, boosting users’ confidence that what they are downloading comes from a trustworthy organization and has been verified by a recognized third-party Certificate Authority.

Software developers and organizations that develop software and other executable files may already know its importance, but some may be new to it and may not know the process of getting one. So, let’s see how to get a Code Signing Certificate based on the validation type, Organizational Validation or Individual Validation, as each has a different set of requirements.

Organizational Validation: For an Organizational Validation Code Signing Certificate, four different requirements must be met, namely:
Organization Authentication: This is the first requirement for obtaining an Organization Validation (OV) Code Signing Certificate. As the name says, the Certificate Authority (CA) verifies that the organization is a legally registered business by checking lists of documents. One thing to note: if your company uses any trade names or DBAs, be sure that all the registered information is correct.

Locality Presence: After the first requirement is fulfilled, the second one is processed, which is to confirm the physical presence of your organization in the locality, or within the registered state or country.

Telephone Verification: As the name says, the Certificate Authority verifies that the telephone number associated with the organization is active and listed in an online telephone directory. To be more specific, the telephone number should match exactly the phone number that was submitted at the time of registration, including the business name and the physical address.

Final Verification Call: This is the last requirement. Once all the above requirements are completed, someone from the Certificate Authority calls the concerned person, or the organizational contact (whose name was registered when applying for the certificate). Simple questions like “did you order this?” or “what is the name of your company?” are asked for the final verification of the order details. Be sure to answer this call, because if it doesn’t happen, issuance of the certificate will be delayed.

Individual Validation: For Individual Validation, the requirements differ, as here the Certificate Authority (CA) verifies a single developer rather than the legitimacy of an organization. Moreover, the steps differ a little from one CA to another. Below are three different requirements:
Identity Verification: This is the first step, where the Certificate Authority (CA) verifies the personal identity of the person who has applied for an Individual Validation Code Signing Certificate. A Notary ID form has to be submitted, notarized by a licensed Notary Public or the equivalent of a Notary Public in your country. Apart from this, some additional documents have to be submitted, depending on the Certificate Authority you choose.

If you go with Thawte or Symantec, then you have to provide one or maybe two forms of ID even if you have a valid passport containing your full name and photograph. If you don’t have a passport then you have to submit two ID forms: for example, a Driver’s License, Military ID Card and National or State ID Card, and a second type of ID such as a Utility Bill, Social Security Card, Medical Card or Student ID Badge.

If you go with Comodo or Sectigo, your vetting process will be more rigorous. Apart from Government Issued Identification (like a Personal ID Card, Military Card, Driver’s License or Passport), you will also be asked to give two additional forms as secondary evidence (Bank Statement, Credit Card Statement, Debit Card Statement or Mortgage Statement) and also a non-financial document (like a Birth Certificate, Tax Bill, Utility Bill or Lease Agreement).

Telephone Verification: Once the above step of Identity Verification is completed, Telephone Verification, the second requirement, begins. Here, you have to provide proof that the listed telephone number is valid and currently in use. Apart from this, it should be listed in an accepted third-party telephone directory like The Yellow Pages, Scoot and 192.com.
However, the Certificate Authorities (CAs) Comodo and Sectigo accept only Dun & Bradstreet and the Better Business Bureau (for US business only) as approved third-party telephone directories containing an active listing of the telephone number along with your full name and physical address, whereas Thawte and Symantec are satisfied with whichever number you give at the time of enrolment. Lastly, if your listing is not available in any of the accepted third-party directories, Comodo and Sectigo allow you to provide a Legal Opinion Letter, known as a Professional Opinion Letter (POL), a document containing your personal information that is vouched for by an attorney or accountant.

Final Verification Call: This is the last requirement. Once the above two steps are completed, you will receive a call from the Certificate Authority and will have to answer questions like “did you order this?” or “what is the name of your company?” to complete the process. If your listed phone number has an IVR or extension, or is otherwise handled by a receptionist or an operator (and this is mentioned during enrolment), there is no need to worry: the CA will go through it.

Finally, the CA will send you an email including a link to the code signing certificate once the above steps are completed. Again, the requirements differ from one CA to another: for example, a telephone verification call is received from Comodo whereas Symantec does not make any call, though both verify that you are a genuine software developer and your code is reliable.