Code Signing Certificate Order and Validation Process Guide

Code Signing Certificate Order And Validation

Follow the Code Signing Order Process and Validation Requirement Guide and Streamline your Digital Signing Operations!

Note: As of June 1, 2023, all Code Signing Certificates (OV and EV) must comply with the new CA/B Forum requirements, which ensure that the subscriber’s private key is generated and stored in suitable FIPS-compliant hardware.

Before moving on to the documentation and guides, let’s go over the basic terms used in code signing.

Terms You Must Know To Effortlessly Understand Certificate Procedures

Certificate Authority (CA)

A Certificate Authority is the top-level trusted entity with the authority to issue and revoke Code Signing Certificates. Whenever a publisher purchases a certificate, the CA verifies the publisher’s details and only then issues the certificate for use in signing applications.

Code Signing

Code Signing refers to embedding a digital signature in software, an OS driver, or any other executable file to show that it comes from a legitimate source. It also helps make the application tamper-proof: the file is hashed and that hash is signed (encrypted) with the publisher’s private key, so any later change to the file is detected.

Validation Procedure

The validation procedure is performed by the Certificate Authority, which verifies the Code Signing Certificate applicant. The CA cross-checks the developer’s or publisher’s information against government databases to confirm its legitimacy. Each validation level requires a different set of documents; you can find all the details in the resources provided.

Validation Level

Code Signing Certificates are available at three validation levels: IV (Individual Validation), OV (Organization Validation), and EV (Extended Validation). The validation level determines the degree of trust and security and who the certificate is intended for. IV is for independent developers, whereas OV and EV are for organizations.

Timestamping

Timestamping integrates date and time details into a digital signature to tell systems that the software was signed while the Code Signing Certificate was valid. It also confirms that no one has tampered with the executable file since it was signed. Hence, the signed application remains valid even after the certificate expires.
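As an added illustration (not code from the original article), the Python model below shows the rule behind the Code Signing and Timestamping entries above: the file’s hash is signed, and a verifier judges the certificate’s validity at the timestamped signing time rather than at install time. The keyed SHA-256 values stand in for the real RSA/ECDSA signature and the timestamp authority’s countersignature; the file bytes, key values and dates are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a fake "executable" plus a certificate valid only during 2023.
EXECUTABLE = b"MZ\x90\x00 constructed sample binary contents"
CERT_NOT_BEFORE = datetime(2023, 1, 1, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2023, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
# Hypothetical keys; keyed SHA-256 stands in for the real publisher signature (key ideally in an HSM) and the TSA countersignature.
PUBLISHER_KEY = b"constructed-publisher-key"
TSA_KEY = b"constructed-tsa-key"

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

@dataclass
class Signature:
    digest: str                           # SHA-256 of the file contents
    sig: str                              # publisher signature over the digest
    signed_at: Optional[datetime] = None  # signing time asserted by the TSA
    tsa_sig: Optional[str] = None         # TSA countersignature over (sig, time)

def sign(data, when, timestamp=True):
    """Hash the file, sign the hash, and optionally have the TSA countersign it."""
    digest = hashlib.sha256(data).hexdigest()
    sig = _mac(PUBLISHER_KEY, digest.encode())
    if not timestamp:
        return Signature(digest, sig)
    return Signature(digest, sig, when, _mac(TSA_KEY, f"{sig}|{when.isoformat()}".encode()))

def verify(data, signature, now):
    """Return (ok, reason) as a verifier whose clock reads `now` would judge it."""
    if hashlib.sha256(data).hexdigest() != signature.digest:
        return False, "hash mismatch: file changed after signing"
    if not hmac.compare_digest(_mac(PUBLISHER_KEY, signature.digest.encode()), signature.sig):
        return False, "bad publisher signature"
    effective = now  # without a timestamp the certificate is judged against the clock
    if signature.signed_at is not None:
        stamped = f"{signature.sig}|{signature.signed_at.isoformat()}".encode()
        if not hmac.compare_digest(_mac(TSA_KEY, stamped), signature.tsa_sig):
            return False, "bad timestamp countersignature"
        effective = signature.signed_at  # trusted TSA time replaces the clock
    if not CERT_NOT_BEFORE <= effective <= CERT_NOT_AFTER:
        return False, "certificate was not valid at the effective signing time"
    return True, "valid"
```

A timestamped signature from 2023 still verifies in 2025, while the same signature without a timestamp fails once the certificate has expired, and any modified file fails regardless.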

HSM (Hardware Security Module)

A Hardware Security Module is provided by the Certificate Authority with an EV Code Signing Certificate. It stores the private key associated with the certificate so that only authorized persons can sign software. Storing private keys in an HSM is also a best-practice approach in general.

Unknown Publisher Warning

Whenever an operating system detects an end user trying to install software from an unverified publisher, it shows the Unknown Publisher warning. It signals to the user that the software being installed may contain malware and harm the system.

Windows SmartScreen Defender Warning

SmartScreen Defender is a filtering mechanism built into the Windows operating system. Its primary aim is to identify unsigned applications and warn users not to install them. Sometimes it even auto-blocks an unsigned application for security reasons.

User Account Control (UAC)

User Account Control is a built-in mechanism in Windows that prevents non-administrative users from running unsigned applications and drivers. If UAC finds such executable files, it blocks their installation and denies them access to system resources.

Order Process Guide:

Validation Requirements and Process Guide:

Hope you enjoyed reading! Keep reading our other interesting stuff!

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
