Extended Validation (EV) Code Signing Certificates: What to Expect During Validation
Overview
This article explains how Extended Validation (EV) Code Signing certificate validation works, what information is verified, and what customers can expect during the process. It also provides guidance to help customers respond to validation requests and understand common reasons why EV Code Signing certificate issuance may take longer.
EV Code Signing certificates provide the highest level of publisher identity assurance and require more verification than other code signing certificate types.
Common Questions This Article Answers
- What is an EV Code Signing certificate?
- Why does EV Code Signing validation require more checks than other certificates?
- What information do I need to provide for EV Code Signing validation?
- How does EV Code Signing help protect users?
- What actions are required from me during EV Code Signing validation?
What Is Extended Validation (EV) Code Signing Certificate Validation?
Extended Validation (EV) Code Signing certificate validation confirms that software or executable code is published by a real, legally registered organization and that the certificate request is authorized and legitimate.
Because EV Code Signing certificates provide the highest level of trust to operating systems and end users, they require additional documentation and verification steps defined by global industry standards, including the CA/Browser Code Signing Baseline Requirements.
EV Code Signing certificates are issued only to verified organizations, such as registered businesses, private organizations, international organizations, and government entities. They cannot be issued to individuals.
EV Code Signing certificates are commonly used by organizations that distribute software and need strong publisher identity assurance, including:
- Software publishers and application developers
- Enterprises distributing internal or public applications
- Device driver and system‑level software vendors
- Organizations distributing signed executables, installers, or scripts
- Businesses that need to meet platform or operating system trust requirements
EV Code Signing certificates help ensure that users can verify who published the software and that the code has not been altered.
How EV Code Signing Validation Works
EV Code Signing validation confirms three key things:
- The organization legally exists and is active
- The organization operates at a real, verified physical address
- The certificate request and Subscriber Agreement were approved by an authorized representative
To complete this process, information is verified using trusted public records, government sources, and direct confirmation with the organization.
Because of these additional checks, EV Code Signing validation typically requires more customer interaction than standard code signing certificates.
What Is Verified During EV Code Signing Validation
During EV Code Signing validation, the following information is verified:
Organization Identity and Legal Status
- The organization’s legally registered name
- Confirmation that the organization is active and in good standing
- Any registered trade name or DBA (if applicable)
- Legal details verified directly through official government registry databases
- Acceptable organization name format in the certificate: Legal name or DBA (Legal Name)
Business Operations and Address
- Confirmation that the organization is actively conducting business
- The physical address where business operations take place
- Verification using reliable third‑party public data sources, government sources, and, when needed, additional documentation
- PO Boxes, virtual offices, mail forwarding addresses, or registered agent addresses are not accepted
Contact Information (Method of Communication)
- A verified, working business phone number and/or email address listed in reliable third‑party public data sources or government sources
Subscriber Agreement and Request Authenticity (Callback)
- Verification that the Subscriber Agreement was signed
- Confirmation that the EV Code Signing certificate request was approved by an authorized representative (Subscriber Agreement signer, approver, and/or requestor) through direct contact using verified contact information
Second Review (Second Approval)
- A validation step where all documents used to verify organization details are reviewed by a second, expert validation specialist (second approver)
What to Expect During EV Code Signing Validation
While validation is in progress, customers are expected to:
- Review and accept the Subscriber Agreement
- Respond to a verification call or email confirming certificate authorization
- Provide additional documentation if requested by the validation team
Prompt responses help prevent delays.
If any organization details cannot be verified, the order applicant will be contacted with guidance on how to resolve the issue.
Customers can track validation progress and required actions through the link included in the order confirmation email.
Certificate Request Authentication (Callback)
As part of EV validation, Sectigo confirms that the certificate request and Subscriber Agreement were approved by an authorized representative of the organization (Subscriber Agreement signer, approver, and/or requestor). This is completed through a verification call (a manual callback performed by one of our specialists) or an email sent only to contact details obtained from trusted, independent sources. This step confirms that the certificate request was intentional, authorized, and legitimate.
Secure Storage and Delivery of EV Code Signing Certificates
For EV Code Signing certificates, the private signing key is generated and stored on a secure hardware device (token) rather than in software. This additional protection is required to help prevent unauthorized use of the certificate and to meet platform and industry security requirements.
The secure device ensures that:
- The private key cannot be copied, exported, or extracted
- Only authorized use of the certificate is possible
- Signed software can be trusted as coming from the verified organization
Once validation is complete, the EV Code Signing certificate is provisioned onto the secure token and shipped to the customer. The certificate can only be used when the token is physically connected and unlocked, providing strong protection against misuse or malicious signing.
This secure storage model helps protect users from malicious software and strengthens trust in signed applications.
How to Avoid Common EV Validation Delays
Most EV Code Signing validation delays are caused by incomplete or mismatched organization information. The following tips can help speed up the process:
Use the Correct Legal Name
- Enter the legally registered name of the organization in the company name field
- Do not enter a trade name or DBA as the company name
- If a trade name is used, it must be officially registered, verified, and entered in the appropriate field
Provide a Verifiable Business Address
- Use a real physical address where you or your organization operate.
- Ensure the address matches trusted public records or government sources.
- Do not use PO Boxes, virtual offices, mail forwarding addresses, or registered agent addresses.
Ensure Contact Information Is Publicly Verifiable
- Use a business phone number or email address that appears in reliable third‑party data sources or government registries.
- Avoid using personal or newly created contact details that cannot be independently verified.
Complete the Subscriber Agreement Correctly
- Ensure the agreement is completed by the correct individual
- The name on the agreement must match the authorized representative
- Delays often occur when an organization name is entered in the field where an individual name is required
- Include the job title of the signer, approver, and/or requestor (for example, IT Manager or Software Development Lead)
Respond Quickly to Callback Requests
- Complete the callback (verification call or email) as soon as it is received.
- Callbacks can only be completed using verified contact details.
Monitor Order Status and Emails
- Regularly check the link included in your order confirmation email.
- Review all validation emails carefully and respond to any requests without delay.
- Outstanding actions are the most common reason an order appears “stuck.”
Frequently Asked Questions (FAQs)
Why does EV Code Signing validation take longer than standard code signing?
EV Code Signing certificates require verification of legal registration, business operations, address, and authorization. This additional review takes more time and may require customer follow‑up.
Why was I asked for additional documentation?
Additional documentation may be required if public records are missing, outdated, or unclear. This is common in certain jurisdictions or when information cannot be independently confirmed.
Why doesn’t my trade name appear as the organization name?
EV Code Signing certificates must include the legal name. If a trade name is verified, it appears alongside the legal name in the format: Trade Name (Legal Name).
Why do I need to answer a phone call or email?
This step confirms that the certificate request and Subscriber Agreement were approved by an authorized representative and helps prevent unauthorized certificate issuance.
Why can’t the callback be completed using my provided phone number or email?
Callback verification can only be completed using contact details that are independently verified through reliable third‑party data sources or government registries. Self‑provided or unverified contact information cannot be used for this step.
What if the phone number or email address on file is incorrect?
If the contact information cannot be verified, you may be asked to provide documentation showing a valid business phone number or email address. This documentation must come from a reliable third‑party data source or government registry and list the contact details under the same organization name.
What happens if my EV Code Signing token is lost, damaged, or not received?
EV Code Signing certificates are stored on a secure hardware token and cannot be copied or recovered. If the token is lost, damaged, or not received, you must contact validation support as soon as possible. For security reasons, a replacement requires revoking the original certificate and issuing a new one, which may involve revalidation and additional steps.
How is the EV Code Signing token delivered?
After validation is complete, the EV Code Signing certificate is provisioned onto a secure hardware token and shipped to the customer using a tracked delivery method. The order administrator receives an email with the tracking number and token password. The certificate can only be used with this physical device, so it is important to ensure the shipping address is correct and that the token is stored securely upon receipt.
What should I do if my EV Code Signing order seems stuck?
Track validation progress and required actions through the link included in your order confirmation email. Review pending items, ensure the Subscriber Agreement is completed correctly, and respond to any verification requests.