Code Signing

What Is the Difference Between Code Signing vs SSL Certificates?

SSL certificates secure communications between a client (a browser) and a server (a website) by encrypting the data transmitted between them, while code signing certificates digitally sign software and scripts so that users can verify their authenticity and integrity.

How to Pass Extended Validation for Sectigo/Comodo Code Signing Certificates?

Here are the requirements for obtaining an Extended Validation (EV) code signing certificate from Sectigo/Comodo: 

  1. Enrollment Forms: Complete the necessary application forms for the certificate.
  2. Organization Authentication: Prove the organization’s legitimacy as a genuine business entity.
  3. Operational Existence: At least three years of active operation and registration.
  4. Physical Address: Provide a valid physical business address for verification.
  5. Telephone Verification: Prove the organization’s contact number through government or third-party databases.
  6. Final Verification Call: Receive a call from the CA to validate organization details and authenticity.

For an in-depth explanation of each step, consult our guide on Extended Validation for Sectigo/Comodo certificates.

How to Pass Organization Validation for Sectigo/Comodo Code Signing certificates?

Passing Organization Validation (OV) for a code signing cert issued by Sectigo requires the following:

  • Identity Authentication
  • Organization Authentication
  • Locality Presence
  • Telephone Verification
  • Final Verification Call

To complete each step, follow our guide on how to validate a Sectigo OV Code Signing certificate.

Revocation Of Code Signing Certificates

Certificate revocation is the process of invalidating a code signing certificate before its scheduled expiration date. It is industry-standard best practice to revoke any code signing certificate associated with a security breach, since that certificate may have been used to sign compromised code.

Sectigo’s Certificate Practices Statement and license agreement require the company to revoke any certificate that, to its knowledge, may be used for illegal or dishonest activities.

Since the same certificate could be used for both legitimate and malicious purposes, Sectigo relies on credible third parties to provide accurate information about Sectigo certificates used to sign malware.

Sectigo may revoke the code signing certificate in the following instances:

  • A cybercriminal steals or alters a valid code signing certificate.
  • A contractor or employee uses a valid certificate for deceptive purposes without the company’s knowledge.
  • The company’s code, website, or software is infected with malware or other cyber attacks.

As a Certificate Authority, Sectigo cannot rely on self-reporting of false positives by code signing certificate owners because they may not know that their certificates or digital goods are compromised.

Source: Sectigo’s Knowledge Base

What is a Code Signing Certificate?

A Code Signing Certificate is a digital file that verifies the authenticity and integrity of software by digitally signing it, ensuring it has not been tampered with and comes from a trusted source. Here’s how a code signing certificate works.

Code Signing Certificates: Key Length Baseline Requirements

As of June 1, 2021, and in compliance with the CA/Browser Forum Code-signing Baseline Requirements, Sectigo will require RSA keys to be a minimum of 3072 bits in size.

When generating keys and CSRs for code-signing certificates, please ensure you choose an RSA key with a 3072- or 4096-bit key size.

Only the key size changes; the rest of the process remains the same. Existing RSA 2048-bit certificates will continue to work, and no changes are needed to them.

Certificates requested with ECC (elliptic curve) keys are unaffected and Sectigo will still sign certificates with keys using the NIST P-256 and P-384 curves.

Source: Sectigo’s Knowledge Base
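The following is an added example (not Sectigo's code or documentation) that generates RSA and ECC keys and CSRs with OpenSSL and checks the public key in any CSR against the baseline stated above, so a key below 3072 bits is caught before the request is submitted. The subject fields, file names and working directory are assumptions.

```shell
#!/bin/sh
# Added example, not Sectigo's code: generate code-signing keys and CSRs with
# OpenSSL and check a CSR's public key against the baseline stated above
# (RSA at least 3072 bits; ECC on P-256 or P-384 is unaffected).
# Subject fields, file names and WORKDIR are assumptions. Requires openssl.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ="/C=US/O=Example Software LLC/CN=Example Software LLC"   # constructed

# Generate an RSA private key of $1 bits and write a CSR for it to $2.
gen_rsa_csr() {
  key="$WORKDIR/rsa-$1.key"
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$1" -out "$key" 2>/dev/null
  openssl req -new -sha256 -key "$key" -subj "$SUBJ" -out "$2" 2>/dev/null
}

# Generate an EC private key on curve $1 (P-256 or P-384) and a CSR to $2.
gen_ec_csr() {
  key="$WORKDIR/ec-$1.key"
  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$1" -out "$key" 2>/dev/null
  openssl req -new -sha256 -key "$key" -subj "$SUBJ" -out "$2" 2>/dev/null
}

# Return 0 if the public key in CSR $1 meets the baseline, 1 otherwise.
# Works on any CSR, including one produced elsewhere (e.g. on a token).
csr_meets_baseline() {
  info="$(openssl req -in "$1" -noout -text)"
  case "$info" in
    *"Public Key Algorithm: rsaEncryption"*)
      bits="$(printf '%s\n' "$info" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)"
      [ -n "$bits" ] && [ "$bits" -ge 3072 ] && return 0
      return 1 ;;
    *"Public Key Algorithm: id-ecPublicKey"*)
      case "$info" in
        *prime256v1*|*secp384r1*|*P-256*|*P-384*) return 0 ;;
      esac
      return 1 ;;
  esac
  return 1
}

# Demo: a 3072-bit RSA CSR passes, a 2048-bit one is rejected before submission.
for bits in 3072 2048; do
  gen_rsa_csr "$bits" "$WORKDIR/rsa-$bits.csr"
  if csr_meets_baseline "$WORKDIR/rsa-$bits.csr"; then
    echo "rsa-$bits.csr: OK (meets the 3072-bit baseline)"
  else
    echo "rsa-$bits.csr: REJECT (below the 3072-bit baseline)"
  fi
done
```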

How to reissue a Sectigo/Comodo Code Signing Certificate?

Here are the steps that you need to do in order to reissue your Sectigo/Comodo Code Signing certificate:

1) Log in at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you initially configured your Sectigo/Comodo Code Signing certificate.
2) Once you are logged in, find the “Replace” button and click on it.
3) This starts the reissue process for your Sectigo/Comodo Code Signing certificate.
4) Follow the steps and instructions that come next until you complete the Sectigo Code Signing certificate reissue.

How to find the Private Key for My Code Signing Certificate?

Starting June 1, 2023, industry standards mandate storing code signing certificate private keys on FIPS 140 Level 2 or Common Criteria EAL 4+ certified hardware. This change strengthens security and aligns with the standards already applied to EV code signing. Certificate Authorities can no longer support browser-based key generation or installation of the key on a laptop or server. Private keys must reside on FIPS 140-2 Level 2 or Common Criteria EAL 4+ certified tokens or HSMs. To sign code, access the token or HSM and use the certificate credentials stored on it.

In line with the new guidelines, your private key should be on the token shipped by the CA or on your Hardware Security Module.

I added my phone to my DUNS listing, still no validation. Why?

Some Certificate Authorities (especially Sectigo and DigiCert) may ask you to update or add your phone number to your company’s DUNS listing, as a part of your Business or Extended Validation process.

After you have contacted Dun & Bradstreet and added your phone number to your company’s DUNS listing, it may take between 5 and 40 days for Dun & Bradstreet to make the update available to the public. When you talk to Dun & Bradstreet over the phone, they may tell you that they added or updated your phone number. However, they have only initiated the process. Your phone number will appear on the Dun & Bradstreet website (https://www.dandb.com/) about 5 to 40 days after that.

You will know that your DUNS listing has truly been updated only when you receive an email message from Dun & Bradstreet saying that your DUNS profile has been updated successfully. Your phone number will start appearing on your DUNS listing only after you get this email from them. Also, Certificate Authorities (such as Sectigo and DigiCert) can verify your phone number against your DUNS listing only when the number is publicly available. That is why you or we should ask the Certificate Authority to check your DUNS listing only after you have received that confirmation email.

In the past, we asked the Validation Department representatives from Sectigo and DigiCert to contact Dun & Bradstreet directly and check our customer’s phone number with them. We did that after our customers told us that they had added or updated their phone number on their DUNS listing. Each time, the Dun & Bradstreet representatives told Sectigo and DigiCert that our customers’ DUNS listing update was “in progress” and “has not been completed yet”, and advised them to get back to Dun & Bradstreet once the customers received an email message from Dun & Bradstreet confirming that their DUNS listing had been updated.

If 5-40 days is too long to wait, we recommend using other methods of validating your company and phone number, such as providing a legal letter written by a notary, an attorney, or a certified public accountant. This method will allow you to pass the Business or Extended Validation within 1-2 days.