What are the requirements to obtain an OV or EV Code Signing Certificate?

1 Star2 Stars3 Stars4 Stars5 Stars (4 votes, average: 4.00 out of 5)
loadingLoading...
How to Get Code Signing Certificate

Check the Detailed Analysis of the Requirements associated with an OV or EV code signing certificate.

OV stands for Organization Validation, and EV stands for Extended Validation. To obtain these certificates, developers, development companies, and publishers have to fulfill a basic set of requirements. This includes furnishing the required documents, including physical address proof, telephone number, and legal documents of company creation.

In addition to this, depending on the type of code signing certificate you need, the requirements can change further. In comparison, the Individual or Standard code signing certificate requirements are less rigorous than an Organization Validation or Extended Validation code signing certificate.

Governments of different countries have a record of the companies and entities working in the country. The Certificate Authority (CAs) check these portals and lists to find the business name before assigning the certificate. Let’s discuss the requirements to get code signing certificates in detail.

Explaining OV and EV Code Signing Certificate

Organization Validation and Extended Validation certificates are different in some aspects. However, the benefit and functionality provided by these certificates is the same.

The OV and EV certificates are applicable in SSL and code signing components. In the beginning, there were only OV SSL certificates, which means that the other forms of certificates came later. This includes EV, Individual, and Domain certificates.

However, both the OV and EV code signing certificates are called High Assurance certificates. This means to provide this certificate; the CA undertakes rigorous verification and authentication process.

These certificates provide better security and a higher form of trust to the beneficiaries. In that, the publisher of software, executables, application, etc., will get the benefit of higher trust and confidence. This is because of the extensive verification process.

Obtaining this certificate means that the publisher is a verified and a reputed individual or organization building digital solutions. As a result, anyone using the solution you have developed will do so with better trust and confidence.

As for the difference between the EV and OV code signing certificate is concerned, it’s the extra layers of validation. Rest assured that both types of certificates are more or less the same, but EV Code Signing Certificate is better in terms of the verification process. The EV certificate guarantees the highest standard of brand protections.

Changes Coming to the OV Certificate

The OV Code Signing Certificate is undergoing some changes at the core level, which can change its status. Here are a few notable changes coming to OV certificates, w.e.f 15th November 2022.(Expanded to June, 2023)

  • Now, the OV certificates will be issued on authentication of physical security, similar to the process of an EV certificate.
  • The minimum requirements for an entity to secure an OV code signing certificate include FIPS 140-2 Level 2 and Common Criteria EAL 4+ compliant devices.

Hence, the entities need to show Hardware Security Modules (HSM) in the form of physical or cloud equipment. The certificates will be given to entities with physical security tokens storage systems like USB hardware devices and Key Storage and Signing devices.

Recommended: New Changes to issuing OV Code Signing

In short, the new requirements means that the same extent of verification and validation process will be required for an OV certificate as it’s required with an EV certificate.

The reason behind these changes is to make the certificates’ private security keys gain better stringent control and compliance. Also, the motive is to keep the keys out of the hands of the bad guys.

The new changes will impact the organizations and developers wanting to get an OV code signing certificate. However, the OV certificate holders need not worry about the changes, right now. But, they do need to fulfill the new requirements at the time of reissuing of the certificate.

5 Steps to Get OV and EV Code Signing Certificates

The five-step process involves submitting the documents, verifying the beneficiary’s credentials, and ensuring compliance. Let’s go through the steps in detail.

Checking the Organization

The first step of the process of authentication of the organization by the Certificate Authority. This involves checking whether the organization is registered within the State or Country’s official records along with the designated bodies.

The CA will check whether the records and information submitted with the government is similar to the information given at the time of securing the certificate. Moreover, in case the organization is working under a trade name, assumed name, or DBA’s, the same shall match the records submitted to the CA.

While this is the primary method adopted by a CA, there are other ways to verify the identity as well. This includes checking the official registration documents issued by the local government. Plus, they can also check the Dun & Bradstreet registry or get a Legal Opinion Letter.

The acceptable documents you can submit to the CA include the following;

  • Articles of Incorporation or Organization
    • Business License
    • DUNS details
    • Certificate of Registration of the Company
    • Social Contract
    • Vendor Permit
    • Articles of Association
    • VAT Certificate
    • Seal Certificate
    • Company Creation Bill
    • Bank Accounts
    • Certificate of Compliance

Note that you don’t have to submit all these documents, but only one out of them all. Also, make sure to check the document is acceptable in your country, as every country has a different type of acceptable document.

Legitimizing the Physical Presence

The next step is to check the organization’s physical presence. For this, the CA will again look towards the online government database. They will verify the city, State, and Country of the organization and not the actual street or building.

Here too, if the records submitted at the time of applying does not match with the online government database, the CA will take other routes.

These are the same as we have mentioned above;

  • Official Registration Document
  • Dun & Bradstreet
  • Legal Opinion Letter

Verification of the Telephone Number or Listing

In the next step, the CA will check whether the applicant has a valid telephone listing. Moreover, this number must be verifiable by an acceptable online directory. It is important that the telephone listing displays the same organization name as submitted during the application process.

For this, the CA will first check the government online database. If the telephone number you have provided matches the one in the database, the requirement is satisfied. If not, the CA does have some other methods to check the telephone number.

  • They will look at a 3rd-party directory. This includes checking the company listing and its associated phone numbers on Yellow Pages, Scoot, 192.com, etc.
    • The last option is to get a legal opinion letter.

You can get a legal opinion letter from your CA and ask the attorney or accountant to verify it before sending it.

Verification Call

The last verification call will happen between the CA and the specified application. Yes, the CA will call the applicant on the verified organization’s telephone number. The purpose is to confirm the details provided for the verification.

The call will take around five to ten minutes, and the VA will ask a few basic questions.

However, there are other methods to take the final verification call, including;

  • The CA will go through the IVR or Extension (if present) and talk to the person at the end of the line. However, it is important to list the authentic Extension number in the application so that the CA is able to reach the designated person easily.
  • The CA can also ask the person at the end of the line to transfer the call to the designated person.

All these requirements of availing an OV or EV certificate might look lengthy, but if you are running a legitimate business, there’s nothing to worry about. All you have to take care of is that the company records are verifiable with the government records and that you have the proper documentation in place.

Conclusion

Getting an OV or EV certificate is great for any kind of development entity. For deploying an executable software, application, etc., a code signing certificate acts as a seal of authenticity. As a result, Windows and other operating systems won’t give a warning to the end-users before downloading the software or patch on their systems.

Code Signing Certificates

Related posts:

  1. Validation Requirements to Get an Individual Code Signing Certificate Issued
  2. CA/B Forum Baseline Requirements v2.8 for Code Signing Certificates
  3. What is a Certificate Authority & Key Role of Certificate Authority
  4. OV Code Signing Vs. EV Code Signing Certificate – What’s the Difference?

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.

Leave a comment

Your email address will not be published. Required fields are marked *