EV Code Signing Certificate – What Documents You Must Submit to Get It Issued?

EV Code Signing Certificate Validation Requirement

Here’s the List of Documents You Need to Submit to Get an EV Code Signing Certificate Issued

Software development companies don’t need an explanation of why Code Signing certificates are essential. But someone looking for an extra edge such as instant trust in Microsoft SmartScreen and prevention of “Unknown Publisher” warning. In that case, the EV Code Signing certificate offered by certificate authorities like Sectigo or Comodo is the way to go.

But what documents you need to submit is also a task that shouldn’t be taken lightly, as even forgetting to submit one document can lead to a delay in issuance. Henceforth, here’s the detailed guide on what documents you’ll need to submit to complete the validation process and get the EV Code Signing certificate issued on time.

Here’s the List of Requirements You Need to Complete

  • Enrollment Form – Filling and giving back to the certificate authority
  • Organization Authentication
  • Operational Existence
  • Physical Address
  • Telephone Number in Recognized Third-Party Directories
  • Employment Verification
  • Final Verification Call

Let’s find out in detail what you must do to complete the validation process and get your software signing certificate issued.

1. Enrollment Form

It’s a simple form sent by the certificate authority once you purchase your EV Code Signing certificate. You simply need to fill out the form and send it back to the certificate authority.

Also called an Acknowledgement of Agreement, it’s a single-page form that requires basic details about:

  • Name of your Organization
  • The official title of your organization’s contact
  • Full name of the contact person of your organization
  • Signature of the Organizational contact
  • Date & place of signing
  • Contact details of your organization’s HR for verifying the person who has applied to purchase an EV Code Signing certificate is a full-time employee within the company

2. Organization Authentication

In this step, the certificate authority does the verification of your organization/company to know it’s active at a registered place and it’s legal.

3. Operational Existence

The certificate authority verifies the Online Government Data, and it could be your local municipality, state, or country that displays the Organization’s/Company’s incorporation date. Similarly, if the organization/company has been well-established and active for more than three years, then it shouldn’t be an issue.

4. Physical Address

For completing this physical address verification to prove the establishment and registration of your company/organization, you have to give proof that it really exists. The certificate authority verifies information from an Online Government Database that could be of your local municipality, state, or country. Similarly, all the information should match exactly with the information you gave in the Enrollment Form. And CAs (Certificate Authorities) don’t accept information such as PO Boxes or any company information which is registered abroad.

5. Telephone Number

Once the physical address is verified, the certificate authority verifies the telephone number. Similarly, your telephone number should be listed in acceptable and known Telephone Directories along with the verified business name, corporate identifiers such as LLC, and a complete physical address.

6. Employment Verification

In this step, the certificate authority verifies the executive name through an Online Government Database, which could be a local municipality, state, or country. And suppose the person’s name isn’t available in the online Government database; the certificate authority should have the contact details of the company’s HR/Payroll Manager or any Entity Member. So CA can contact and ensure the applicant is a full-time employee and authorized to get an EV Code Signing certificate.

7. Final Verification Call

It’s the last verification step, where the certificate authority does a final verification call by dialing a business telephone number. Here CA speaks with an applicant and confirms the order details. And if the number doesn’t connect directly with the organizational person who applied for the EV Code Signing certificate and instead connects with IVR (Interactive Voice Response), needs to dial Extension or first connect with the receptionist, the CA will go through the system.

All these validation requirements are expected to be found and verified with the information readily available in an Online Government Database. However, if any information is not found or not latest and verification doesn’t complete, then there are some alternatives, and they’re as under.

Fax or Mail the Documents

If you cannot complete the Enrollment Form for any reason, then you can mail the papers to the certificate authority’s physical address or even fax them.

Company’s Official Registration Documents

 Suppose you cannot complete verification of the Organization/Company’s operational existence or verification of Physical Address.

In that case, you have an alternative of providing documents issued by the local government like:

  • DBA Statements
  • A Chartered License
  • Articles of Incorporation

A legal Opinion Letter also called a Professional Opinion Letter (POL), is a letter issued by an accountant or an attorney who vouches for your company’s authenticity.

It helps to fulfill five different authentication requirements:

  • Organization Authentication
  • Operational Existence
  • Physical Address
  • Telephone Verification
  • Employment Verification

Telephone Numbers in Recognized Third-Party Directories

If your company’s telephone number isn’t verified, then the alternative way the certificate authority chooses to go is to find the listing of your company with a telephone number that you gave in an enrollment form with third-party directories like:

  • Scoot
  • 192.com
  • Yellow Pages

Note: Comodo and Sectigo accept Better Business Bureau telephone listings or Dun & Bradstreet only for US businesses.

Bank Confirmation Letter

If your company hasn’t been actively operating for equal to or more than 3 years, then a certificate authority like Sectigo accepts a letter from the Bank that says your company has an active checking account (Demand Deposit) with them.

And once all the verification requirements are satisfied and completed, the certificate authority will send you a physical mail package at the verified business address that includes an EV Code Signing certificate. Similarly, this EV Code Signing Certificate validation takes around 1 to 5 business days.

Get Cheap EV Code Signing Certificates

Related posts:

  1. Individual Code Signing Certificate – Documents You Need to Submit for Getting It Issued
  2. How Does the Code Signing Process Work? – Understand the Code Signing Architecture
  3. Code Sign With Azure DevOps Using a Code Signing Certificate Stored Within Azure Key Vault
  4. Dual Sign Your Software File Using SHA-256 & SHA – 1 Code Signing Certificate

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.