How to Validate Sectigo/Comodo Code Signing Certificates

Sectigo/Comodo code signing certificates follow the same vetting process. Depending on the validation level you request, you must submit the necessary documentation, such as government-issued IDs and official registration documents, so that the CA can validate your organization’s identity and existence quickly. This guide covers Organization Validation, Extended Validation, and Individual Validation for code signing certificates.

Organization Validation (OV)

Organization Validation (OV) verifies the legitimacy and authenticity of a company or organization applying for a code signing certificate. It ensures the applicant is legally registered and operates under a recognized jurisdiction.

The certificate authority (CA) establishes the applicant’s status by conducting checks against official databases and documents to confirm the organization’s name, address, and legal existence.

By validating the organization, code signing certificates assure users the software they are downloading or executing is from a reputable and verified source, preventing the “Unknown Publisher” warning and reducing the risk of malware or unauthorized tampering.

Passing Organization Validation for a code signing cert requires the following:

  • Identity Authentication
  • Organization Authentication
  • Locality Presence
  • Telephone Verification
  • Final Verification Call

Here’s how to complete each step:

1. Identity Authentication

Sectigo (the same applies to Comodo code signing certificates) implements identity verification to ensure the applicant’s claimed identity is legitimate. It requires the submission of a government-issued photo ID, such as a passport, driver’s license, personal ID card, or military ID to Sectigo for thorough review.

To proceed with the identity verification, open a ticket with Sectigo, attaching the photo ID with the order number for validation.

2. Organization Authentication

Ensuring your organization’s legitimacy and active status is the main requirement for obtaining an Organization Validated code signing certificate. This process, known as Organization Authentication, involves the Certificate Authority (CA) verifying that your company is a legally registered entity in its designated location.

In most cases, the CA will attempt to verify your company’s status using an Online Government Database. They will cross-reference the information you provided with the official website of your local municipality, state, or country, which displays business entity registration details.

The information listed in the government database must be identical to the details you submitted to the CA to avoid any delays in certificate issuance. If an Online Government Database is unavailable or lacks up-to-date records, the CA will use one of the following alternative methods:

Official Registration Documents

You can submit official registration documents that prove your organization’s legal existence. These documents may include articles of incorporation, a chartered license, or DBA (Doing Business As) statements issued by your local government.

Dun & Bradstreet

Another way is through Dun & Bradstreet, a company specializing in financial reports on organizations. The CA can accept a comprehensive DUNS Credit Report to verify specific details associated with your company, thus meeting the Organization Authentication requirement.

Legal Opinion Letter

You also have the option of obtaining a legal opinion letter. In this document, an attorney or accountant vouches for the authenticity and legitimacy of your organization. While acquiring a legal opinion letter may take some effort, in some cases it’s the only way to prove identity. Sectigo offers legal opinion letter samples to speed up the process.

Organization authentication is straightforward if you provide accurate and up-to-date details. If the attempts to use the Online Government Database fail, the alternative methods cover any jurisdiction where the CA operates.

3. Locality Presence

Another requirement for obtaining an Organization Validated code signing certificate is proving locality presence. It confirms that your company has a physical presence in its registered location.

What is Locality Presence?

Locality Presence allows the Certificate Authority (CA) to verify that your legal entity (organization) exists physically within its registered country or state. The CA confirms the locality (city, state, province, etc.) mentioned in your address rather than the specific street address.

Typically, the CA performs this verification by consulting an Online Government Database and checking the registration details, such as the city/state in your address, against the information you provided during the application process. If the details match, you’ve successfully satisfied this requirement.

Similarly to Organization Authentication, if the Online Government Database isn’t an option or there’s a discrepancy in the provided information, several alternative methods are available:

Official Registration Documents

You can submit documentation from your local government to the CA. These documents, such as articles of incorporation, chartered licenses, or DBA statements, serve as official verification of the information you provided.

Dun & Bradstreet

Dun & Bradstreet provides financial reports on companies. The CA considers the information contained in their reports as highly reliable. By presenting a comprehensive DUNS Credit Report, you allow the CA to validate the physical address associated with your organization.

Legal Opinion Letter

A legal opinion letter, sometimes referred to as a professional opinion letter or POL, is a document wherein an attorney or accountant vouches for the legitimacy of your business. While obtaining such letters can be challenging and potentially costly, they serve as valid proof of your physical address.

Any alternative method will work if the CA’s attempts to verify locality presence through Online Government Databases prove unsuccessful.

4. Telephone Verification

Telephone Verification requires an active and listed telephone number associated with your organization.

What is Telephone Verification?

The Certificate Authority (CA) must ensure you possess a verifiable telephone number in an acceptable telephone directory. It should match the information you provided during registration, including the verified business name and physical address. CAs can verify your telephone via the following methods:

Official Registration Documents

To verify this, the CA initially checks the Online Government Databases in your local municipality, state, or country. They confirm whether the listed phone number matches the associated name and address. If everything matches, you have successfully met this requirement.

However, since most government databases do not display telephone numbers, alternative methods can be employed to verify this information with the CA.

A Third-Party Directory

The CA accepts other directories for verifying your telephone number. Typically, the CA refers to reputable sources like Dun & Bradstreet credit reports, but some listings may not be eligible.

If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet and ask them to “add your company’s phone number to their business directory and on the report”.

Legal Opinion Letter

If the above two options don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address and phone number. 

5. Final Verification Call

The last step in the Organization Validation process is straightforward. The Certificate Authority (CA) will initiate a verification call with you or the designated applicant, typically a site administrator, to validate the order details.

The final verification call confirms the order information and expedites the issuance of your certificate. To accomplish this, the CA will contact you or the specified applicant using the verified telephone number associated with your organization. Rest assured, the process is easy. Ensure your availability, as the call should take just a few minutes.

If the designated telephone number does not directly connect to your desk, the CA will employ alternative methods to reach you.

Alternative Methods

  1. Interactive Voice Response (IVR) system: The CA will try to connect with you through the IVR. Rest assured; a human will be on the other side of the line. You’re all set if your extension is listed or you have provided it, or if your phone can be accessed via the IVR.
  2. Transfer or Alternative Number: In the absence of extensions or an IVR, the CA can request the operator (or the individual answering your company’s phone line) to transfer the call or provide them with your direct number. Either method will suffice and enable the CA to contact you or the designated applicant.

Once connected, answer their questions, and you’ll have completed the final validation step.
Now, all that remains is for the CA to issue your Code Signing certificate. You will receive further instructions via email, including shipment tracking information and any additional steps necessary for setting up your certificate token.


Extended Validation (EV)

Congratulations on acquiring an Extended Validation Code Signing Certificate! Although the process may appear intimidating, it’s straightforward. We support you every step of the way, ensuring a smooth and speedy approval.

Now, let’s discuss the requirements for obtaining an Extended Validation (EV) certificate. These requirements are consistent across different Certificate Authorities, thanks to the CA/B Forum – the regulatory body comprising Certificate Authorities and major web browser companies. They have established the following baseline requirements that applicants must meet to obtain a valid EV certificate:

  1. Enrollment Forms: You will need to fill out the necessary forms for the certificate application.
  2. Organization Authentication: Your organization’s legitimacy will be verified to ensure it is a genuine business entity.
  3. Operational Existence: You must demonstrate that your organization has been registered and actively operating for at least three years.
  4. Physical Address: A physical business address will be required for verification purposes.
  5. Telephone Verification: Your organization’s contact number will be verified through local government or third-party public databases.
  6. Final Verification Call: The CA will call you to confirm the details and validate your organization.

These requirements aim to distinguish legitimate businesses from others and maintain the integrity of the EV certificate system. If you are a genuine business with a physical office, telephone lines, and other business essentials, you’ll pass Extended Validation hassle-free.

1. Enrollment Forms

Two enrollment forms are available, and they only require basic information about your organization and contact details for the person responsible for the certificate request, known as the organizational contact.

To streamline the process, you can prepare your Enrollment Forms in advance, but remember that you’ll need your vendor order ID number to submit the forms.

Once you have completed the forms and gathered all the necessary information, you’re ready to submit them. Sectigo provides a validation ticketing system where you can upload them. Upon submission, you should receive a Case ID number, which you can use as a reference if you need to contact their support team.

Organizational Contact

Throughout the Extended Validation process, you will be referred to as the Organizational Contact. This simply means that you are the point of contact for your company during the certification process.

EV Code Signing certificates enable your software to bypass security warnings and eliminate unnecessary prompts during installation, resulting in a smoother and more seamless user experience. The enrollment form serves as the first step in verifying that you, as the Organizational Contact, have the authority to act on behalf of your organization.

Although this may sound rigorous, it is ultimately for the benefit of your company. As long as you are an authorized employee, there is no need to worry. This measure prevents individuals from impersonating employees and seeking certificates for deceptive software. Both your organization and the Certificate Authority want to avoid such incidents.

What info to include in the enrollment form?

Enrollment forms focus on gathering details about your organization and the Organizational Contact. You will need to provide the organization’s name, the full name of the Organizational Contact, their official job title, and the handwritten signature along with the date and place of signing.

  • Name of your Organization
  • The official title of your organization’s contact
  • Full name of the contact person of your organization
  • Signature of the Organizational contact
  • Date & place of signing
  • Contact details of your organization’s HR, used to verify that the person who applied to purchase an EV Code Signing certificate is a full-time employee of the company

Please note that digital or stamped signatures are not accepted. Therefore, you will need to print out the form, sign it manually, and then either scan it or fax it back to the Certificate Authority. While mailing it is an option, we strongly advise against it as it will significantly delay the issuance of your certificate.

2. Organization Authentication

The goal of Organization Authentication is to verify your company’s legal registration. If your business operates under trade names, assumed names, or a DBA (Doing Business As), ensure that all information is accurate and up-to-date.

Typically, CAs rely on online government databases to authenticate your organization. They will check the official website in your country or state that displays the business entity registration status. The details listed on these databases must match the information you provide in the Enrollment Form. Any discrepancies may cause delays in certificate issuance.

However, if online resources are insufficient for organization authentication, alternative methods are available:

  1. Official Registration Documents: You can provide the CA with official registration documents issued by your local government. These include articles of incorporation, chartered licenses, or DBA statements. Such documents serve as proof that your organization is a genuine and recognized business entity.
  2. Legal Opinion Letter (POL): Another option is obtaining a Legal Opinion Letter, also known as a Professional Opinion Letter. This approach is particularly convenient if your company has in-house legal expertise. A POL, issued by a licensed attorney or professional accountant, vouches for your company’s legitimacy and fulfills all EV certificate requirements except the Enrollment Form. For more information and samples of POLs, check Sectigo’s guidelines.

For a smooth and quick process, avoid common pitfalls such as outdated or expired registration details, inaccurate listing of multiple business names, or incomplete information on the certificate or enrollment form.

3. Operational Existence

Proving operational existence ensures that your company has been active for at least three years. If your company hasn’t reached the three-year mark yet, alternative methods are available to verify your operational existence.

The certification authority (CA) can verify the existence of well-established companies by checking reliable online government databases that display the incorporation date. If your local municipality, state, or country maintains comprehensive records, you will meet this requirement without any paperwork.

However, if your company operates in a location with limited online records or is younger than three years, use one of the four alternative ways to prove your company’s operational existence:

  1. Official Registration Documents: If your company has been operating for over three years, you can submit various documents issued by your local government, such as articles of incorporation, a charter license, or a DBA statement.
  2. Dun & Bradstreet: Dun & Bradstreet is a reputable company that provides credit reports. Regardless of your company’s age, if a Dun & Bradstreet credit report is available, the CAs can utilize it to verify your Operational Existence.
  3. Bank Confirmation Letter: An active checking account at a local financial institution is sufficient proof of operational existence, regardless of how long your company has been operating. You can obtain a letter from the bank verifying this information and submit it to the CA.
  4. Professional Opinion Letter (POL): A notarized letter from a lawyer or accountant affirming your company’s legitimacy, known as a Professional Opinion Letter, can be used as evidence of operational existence.

By using any of these options, you can satisfy the Operational Existence requirement and move closer to obtaining an Extended Validation Code Signing Certificate.

4. Physical Address

The certificate authority (CA) verifies your company’s street address, city, state, and country through various methods. Initially, the CA checks online government databases for your company’s publicly listed address, matching the details on your certificate and enrollment form. PO Boxes and offshore registrations are not accepted. However, if government databases don’t include the required information, the following alternative verification methods exist:

  1. Official Registration Documents: You can submit official registration documents issued by the local government, such as articles of incorporation, chartered license, or DBA statement.
  2. Dun & Bradstreet: A third-party credit report like Dun & Bradstreet is also acceptable to verify your company’s physical address. CAs consider DUNS reports highly reliable in vetting organizations.
  3. Legal Opinion Letter (POL): Obtain a signed Legal Opinion Letter, also known as a Professional Opinion Letter, from an attorney or accountant. Although acquiring a POL may take more effort without in-house legal or accounting support, it fulfills every requirement in the Extended Validation Code Signing process except the enrollment form.

If the CA’s online government database search fails, any of these alternative methods can prove your company’s physical address and facilitate the issuance of your Extended Validation Code Signing Certificate.

5. Telephone Verification

Your organization must have an active telephone number in an acceptable directory, matching the information on your certificate and enrollment form.

Initially, the CA attempts to verify the telephone number using online government databases, and if it doesn’t succeed, you can use two alternative methods to verify your telephone number:

  1. Dun & Bradstreet: A Dun & Bradstreet credit report is acceptable. During the Extended Validation vetting process, CAs consider information compiled by Dun & Bradstreet reliable. DUNS Credit Reports also serve to verify physical address and operational existence.
  2. Legal Opinion Letter (POL): If your company’s telephone number is not publicly listed, a Legal Opinion Letter, also known as a Professional Opinion Letter (POL), can be used. This document, signed by an attorney or accountant, confirms the legitimacy of your company. A POL satisfies all requirements except the enrollment forms.

By employing these alternative methods, you can complete the telephone verification process for an Extended Validation Code Signing Certificate, even if online government databases do not contain the required information.

6. Final Verification Call

Now, all that remains is a brief conversation to verify the information provided. While the verification call is generally hassle-free, a few potential challenges might arise.

For instance, your company’s verified telephone number may not directly connect to your desk, as it’s often listed for general inquiries. Don’t worry; the CA can easily reach you by entering your extension or utilizing Interactive Voice Response (IVR) systems.

Additionally, the CA may seek assistance from your company’s phone receptionist or operator to transfer the call to your line. The CA might even contact a colleague to obtain your contact details and initiate the call using the verified telephone number.

The CA will make every effort to reach you, ensuring a smooth process. All you have to do is promptly answer the call and avoid letting it go to voicemail. Delaying the verification call would only prolong the issuance of your EV Code Signing Certificate, and we understand that’s not something anyone desires.

Provide accurate information and promptly attend the verification call, and you’ll be one step closer to obtaining your EV Code Signing Certificate.

What is the next step?

Once you’ve completed all the steps in the Extended Validation process, the CA will process your order and ship the USB device to your business address. You’ll receive a shipping confirmation email when it’s on its way.


Individual Validation (IV)

Individual Validation differs from Organization Validation in that it verifies the identity of a single developer rather than a company. To receive a Code Signing certificate as an individual, you must provide proof of your identity to the Certificate Authority. You can do it in two ways:

Photo ID

For this option, you need to provide two documents to the Certificate Authority:

  1. A copy of a government-issued photo ID, such as a driver’s license, passport, national ID, or military ID. The ID should display your name and address, and its details must match the details on your certificate request.
  2. A photo of yourself (a “selfie”) holding your photo ID. Your face and the information on the ID should be visible for comparison with the copy of the ID.

You can open a ticket with Sectigo’s validation support and submit these documents. Select “Validation Support” as the case type and choose the appropriate reason for the case. Attach the required files and complete the form. You will receive a response with a case number, which you can reference in any future communication.

Face to Face

If your photo ID does not include an address or if the address does not match your order, this method of validation is suitable. It involves additional documentation and requires you to visit an authorized notary in your area to sign and notarize the documents. The following notarized documents are necessary:

  • A government-issued photo ID, such as a driver’s license, passport, or military ID.
  • A financial document in your name, such as a valid credit or debit card, mortgage statement, or bank statement.
  • A non-financial document in your name with an address, such as a landline phone bill (not a mobile phone bill), recent utility bill, lease payment statement, birth certificate, tax bill, or court order document.
  • The Personal Statement Declaration form.

Once you have prepared the required documentation, submit all the forms directly to the Certificate Authority’s validation team by opening a ticket. Choose “Validation Support” as the case type and select the appropriate reason for the case. Attach the necessary files and complete the form. You will receive a response with a case number for future reference.

Once you have submitted your documentation to the Certificate Authority’s validation team, they will review it and contact you via email for further correspondence. Once the certificate is approved and issued, you will receive an email containing shipping information.


Conclusion

Obtaining Sectigo/Comodo code signing certificates involves a thorough vetting process to verify the legitimacy and authenticity of the organization or individual applying.

For Organization Validation, identity and organization authentication, locality presence, telephone confirmation, and a final verification call are required. Extended Validation requires enrollment forms, organization authentication, operational existence, physical address proof, telephone verification, and a final confirmation call.

Individual Validation requires proof of identity through a government-issued photo ID and a selfie or notarized document. Once all the steps are complete, the CA will issue the Code Signing certificate.
