Starting June 1st, 2023, improved security measures mandate that private keys for standard code signing certificates be exclusively stored on FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent certified hardware. This change aligns with the stringent protection standards of EV code signing certificates. Consequently, Certificate Authorities (CAs) ceased supporting browser-based key generation, CSR creation, and installation processes. Instead, opting for the token+ shipment method when requesting the certificate will prompt the CA to create the CSR. Those preferring HSM installation must refer to the instructions below or the respective provider’s guidelines.
- YubiKey 5 FIPS CSR Generation and Attestation
- Luna Network Attached HSM v7.x: CSR & Attestation Guide
Learn more about code signing certificate delivery methods.
Validating an EV Code Signing certificate from DigiCert/GoGetSSL involves these steps:
- Organization Authentication: The CA verifies legal entity registration using databases, documents, or a legal opinion letter.
- Operational Existence: DigiCert confirms activity for 3+ years through databases, documents, Dun & Bradstreet, bank letters, or legal opinion letters.
- Physical Address Verification: The CA validates the address via databases, documents, Dun & Bradstreet, or legal opinion letters.
- Phone Number Verification: DigiCert verifies phone numbers in directories, Dun & Bradstreet, or legal opinion letters.
- Verification Call: DigiCert confirms order details through a phone call.
- EV Approver Form: Sign and submit the Agreement Form for approval.
- Final Approval: DigiCert reviews details and issues the certificate.
For in-depth information on each step, consult our guide on how to pass Extended Validation for a DigiCert/GoGetSSL certificate.
The DigiCert/GoGetSSL code signing Organization Validation (OV) process involves five steps:
- Organization Authentication: The CA confirms legal registration and active status, comparing information with official records or submitted documents.
- Physical Address Validation: DigiCert cross-references business addresses with government websites and reputable directories to ensure physical presence.
- Phone Number Verification: The CA validates the organization’s phone number through third-party directories or official records.
- Verification Call: A DigiCert agent initiates a call to the authorized representative, using a verified phone number, or provides a voicemail option if needed.
- Final Approval: The CA internally reviews details and sends email instructions for certificate collection upon successful validation.
For full information, refer to our extensive guide on Organization Validation for DigiCert/GoGetSSL certificates.
To obtain a GoGetSSL code signing certificate as an individual, follow these steps:
Complete an attestation letter and undergo a video check using your webcam. The CA will verify your photo ID and your identity. If you don’t have a passport, provide two IDs: an official one with your photo and name, and a second one with your name.
Verify your phone number’s validity and activity. A Google Business source is accepted.
Final Verification Call
Answer a few questions during a phone call with a CA agent to confirm your application details.
For more information, check the full guide on how to pass Individual Validation for a GoGetSSL code signing certificate.
Here are the steps required to pass Individual Validation for a Sectigo/Comodo code signing certificate:
Photo ID Option:
- Submit a government photo ID.
- Send a selfie with your ID.
- Open a Sectigo ticket.
- Receive the case number.
- Provide ID and financial proof.
- Include a non-financial address document.
- Complete the Personal Statement Declaration.
- Notarize documents.
- Open a Sectigo ticket.
- Get the case number.
Please note that this is a concise overview. Refer to the detailed Individual Validation instructions for Sectigo/Comodo Code Signing certificates.
The latest CA/Browser Forum guidelines require Code Signing certificates to be delivered on physical USB tokens or installed on an existing Hardware Security Module (HSM). Check the complete guide to code signing delivery methods for more details.
It’s challenging to eliminate phishing due to the sheer number of attacks that occur daily. The best approach is to be vigilant in every online interaction, be it via email, social media, or chat.
While simply opening an email is unlikely to directly hack your device, phishing emails often contain malicious links or attachments that, when opened, can lead to malware infections or further compromise your security.
Yes, phishing is typically carried out by hackers or cybercriminals who use social engineering techniques, fake websites, and fraudulent communications to deceive and exploit individuals or organizations.
The duration of a phishing campaign can vary, ranging from a few hours to several weeks, depending on the specific goals and tactics of the attacker.