OV stands for Organization Validation, and EV stands for Extended Validation. To obtain these certificates, developers, development companies, and publishers have to fulfill a basic set of requirements. This means furnishing the required documents, such as proof of physical address, a telephone number, and the legal documents of the company's formation.
In addition, the requirements change further depending on the type of code signing certificate you need. By comparison, the requirements for an Individual or Standard code signing certificate are less rigorous than those for an Organization Validation or Extended Validation code signing certificate.
Governments of different countries keep records of the companies and entities operating in the country. Certificate Authorities (CAs) check these portals and lists to find the business name before issuing the certificate. Let's discuss the requirements for getting code signing certificates in detail.
Explaining OV and EV Code Signing Certificates
Organization Validation and Extended Validation certificates differ in some aspects. However, the benefit and functionality provided by these certificates are the same.
The OV and EV validation levels apply to both SSL certificates and code signing certificates. In the beginning, there were only OV SSL certificates, which means that the other forms of certificates came later. These include EV, Individual, and Domain validated certificates.
However, both the OV and EV code signing certificates are called High Assurance certificates. This means that, to issue this certificate, the CA undertakes a rigorous verification and authentication process.
These certificates provide better security and a higher level of trust to the beneficiaries: the publisher of software, executables, applications, etc., gains the benefit of higher trust and confidence precisely because of the extensive verification process.
Obtaining this certificate means that the publisher is a verified and reputable individual or organization building digital solutions. As a result, anyone using the solution you have developed will do so with greater trust and confidence.
As far as the difference between the EV and OV code signing certificate is concerned, it comes down to the extra layers of validation. Rest assured that both types of certificates are more or less the same, but the EV Code Signing Certificate is better in terms of the verification process. The EV certificate guarantees the highest standard of brand protection.
New Changes to the OV Certificate
The OV Code Signing Certificate is undergoing some changes at the core level, which can change its status (effective June 1, 2023):
- Now, OV certificates will be issued only with hardware-backed protection of the private key, similar to the process for an EV certificate.
- The minimum requirements for an entity to secure an OV code signing certificate include FIPS 140-2 Level 2 and Common Criteria EAL 4+ compliant devices.
Hence, entities need to show that the key is held in a Hardware Security Module (HSM), either as physical equipment or as a cloud HSM service. The certificates will be issued to entities that store the private key on physical security tokens such as USB hardware devices or dedicated key storage and signing devices.
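Before reissuing an OV certificate under the new rules, a practitioner will want to know whether an existing signing key is actually hardware-bound and non-exportable. The following PowerShell function is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later and treats any key storage provider other than the Microsoft software KSP as hardware-backed, which is a heuristic, not proof of FIPS 140-2 Level 2 certification.

```powershell
# Added example (not from the original article): inventory code signing certificates in
# the current user's personal store and report how each private key is stored.
# Assumes Windows PowerShell 5.1+ on Windows; the "hardware" decision is a heuristic.
function Get-CodeSigningKeyStorage {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        # id-kp-codeSigning (1.3.6.1.5.5.7.3.3) in the Extended Key Usage extension
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3' } |
        ForEach-Object {
            $cert = $_
            $provider = 'unknown'; $exportable = $null; $hardware = $null
            if ($cert.HasPrivateKey) {
                # Returns RSACng for CNG keys, RSACryptoServiceProvider for legacy CAPI keys,
                # and $null for non-RSA (e.g. ECDSA) keys, which are left as "unknown" here.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
                    # Heuristic: anything other than the software KSP (token/HSM/cloud KSPs) counts as hardware
                    $hardware   = ($provider -ne 'Microsoft Software Key Storage Provider')
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CAPI keys report hardware backing and exportability directly
                    $info       = $rsa.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $exportable = $info.Exportable
                    $hardware   = $info.HardwareDevice
                }
            }
            [pscustomobject]@{
                Subject             = $cert.Subject
                Thumbprint          = $cert.Thumbprint
                NotAfter            = $cert.NotAfter
                Provider            = $provider
                Exportable          = $exportable
                HardwareBacked      = $hardware
                # True only when the key is hardware-backed AND cannot be exported from it
                LikelyMeetsNewRules = (($hardware -eq $true) -and ($exportable -eq $false))
            }
        }
}

Get-CodeSigningKeyStorage | Format-Table -AutoSize
```

A key that shows as exportable or stored in the software KSP will need to be regenerated on the token or HSM before the certificate can be reissued under the new requirements; this script only reports, it does not move or modify keys.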
In short, the new requirements mean that the same extent of verification and validation will be required for an OV certificate as is required for an EV certificate.
The reason behind these changes is to bring the certificates' private keys under stricter control and compliance. The motive is also to keep the keys out of the hands of the bad guys.
The new changes will affect organizations and developers wanting to get an OV code signing certificate. However, current OV certificate holders need not worry about the changes right now; they only have to fulfill the new requirements when the certificate is reissued.
4 Steps to Get OV and EV Code Signing Certificates
This process involves submitting the documents, verifying the beneficiary’s credentials, and ensuring compliance. Let’s go through the steps in detail.
Step 1: Checking the Organization
The first step of the process is authentication of the organization by the Certificate Authority. This involves checking whether the organization is registered in the State's or Country's official records along with the designated bodies.
The CA will check whether the records and information filed with the government match the information given at the time of applying for the certificate. Moreover, if the organization is operating under a trade name, assumed name, or DBA (doing business as) name, that name must match the records submitted to the CA.
While this is the primary method adopted by a CA, there are other ways to verify the identity as well. These include checking the official registration documents issued by the local government. The CA can also check the Dun & Bradstreet registry or request a Legal Opinion Letter.
The acceptable documents you can submit to the CA include the following:
- Articles of Incorporation or Organization
- Business License
- DUNS details
- Certificate of Registration of the Company
- Social Contract
- Vendor Permit
- Articles of Association
- VAT Certificate
- Seal Certificate
- Company Creation Bill
- Bank Accounts
- Certificate of Compliance
Note that you don't have to submit all of these documents, only one of them. Also, make sure the document is acceptable in your country, as each country has a different set of acceptable documents.
Step 2: Legitimizing the Physical Presence
The next step is to check the organization's physical presence. For this, the CA will again consult the online government database. They will verify the city, State, and Country of the organization, not the actual street or building.
Here too, if the records submitted at the time of applying do not match the online government database, the CA will take other routes.
These are the same as those mentioned above:
- Official Registration Document
- Dun & Bradstreet
- Legal Opinion Letter
Step 3: Verification of the Telephone Number or Listing
In the next step, the CA will check whether the applicant has a valid telephone listing. Moreover, this number must be verifiable in an acceptable online directory. It is important that the telephone listing displays the same organization name as submitted during the application process.
For this, the CA will first check the government online database. If the telephone number you have provided matches the one in the database, the requirement is satisfied. If not, the CA does have some other methods to check the telephone number.
- They will look at a 3rd-party directory. This includes checking the company listing and its associated phone numbers on Yellow Pages, Scoot, 192.com, etc.
- The last option is to get a legal opinion letter.
You can get a legal opinion letter from your CA and ask the attorney or accountant to verify it before sending it.
Step 4: Verification Call
The last verification call happens between the CA and the applicant. Yes, the CA will call the applicant on the organization's verified telephone number. The purpose is to confirm the details provided for the verification.
The call takes around five to ten minutes, and the CA will ask a few basic questions.
However, there are other ways the final verification call can be completed, including:
- The CA will go through the IVR or Extension (if present) and talk to the person at the end of the line. However, it is important to list the authentic Extension number in the application so that the CA is able to reach the designated person easily.
- The CA can also ask the person at the end of the line to transfer the call to the designated person.
All these requirements for obtaining an OV or EV certificate might look lengthy, but if you are running a legitimate business, there's nothing to worry about. All you have to take care of is that the company records are verifiable against the government records and that you have the proper documentation in place.
Getting an OV or EV certificate is a good choice for any kind of development entity. When deploying executable software, applications, etc., a code signing certificate acts as a seal of authenticity. As a result, Windows and other operating systems won't give a warning to end users before downloading the software or patch onto their systems.