Knowledge Base

Overview 

This article explains how Organization Validation (OV) Code Signing certificate (also known as non-EV Code Signing certificate) validation works, what information is verified, and what customers can expect during the process. It also provides guidance to help customers respond to validation requests and understand common reasons why OV Code Signing certificate issuance may take longer. 

OV Code Signing certificates verify the identity of the software publisher and help ensure that signed software has not been altered since it was published. 

 

Common Questions This Article Answers 

• What is an OV Code Signing certificate? 

• Who can request an OV Code Signing certificate? 

• What information is verified during OV Code Signing validation? 

• What actions are required from me during OV Code Signing validation? 

• How does OV Code Signing help protect users? 

 

What Is Organization Validation (OV) Code Signing Certificate Validation? 

Organization Validation (OV) Code Signing certificate validation confirms that software is published by a verified organization or individual and that the certificate request is authorized and legitimate. The verification steps are defined by global industry standards, including the CA/Browser Code Signing Baseline Requirements. 

 

OV Code Signing certificates may be issued to: 

• Individuals 

• Private organizations 

• Registered business entities 

• Government entities 

• International entities 

OV Code Signing certificates are commonly used by developers and organizations that want to sign software while providing users with clear assurance of the publisher’s verified identity. 

 

OV Code Signing certificates are commonly used for: 

• Desktop applications (Windows, macOS) 

• Mobile applications 

• Scripts and executables distributed online 

• Drivers and system‑level software 

• Software that must meet operating system or platform trust requirements 

These certificates help reduce security warnings and increase user confidence when installing or running software. 

 

How OV Code Signing Validation Works 

OV Code Signing validation confirms three key things: 

1. The identity of the software publisher (organization or individual) 

2. The publisher’s physical presence and contact information 

3. That the certificate request and Subscriber Agreement were approved by the correct party 

To complete this process, information is verified using trusted public records, government sources, and direct confirmation with the applicant. 

 

What Is Verified During OV Code Signing Validation 

OV Code Signing validation includes the following checks, depending on whether the certificate is issued to an organization or an individual: 

 

Identity Verification 

For Organizations 

• Verification of the organization’s legal existence using qualified government sources 

• Confirmation of the legal entity name, jurisdiction, and active status 

• Verification of any registered trade name or DBA (if applicable) 

• Authentication of the individual requesting the certificate via an automated Video ID session, ensuring the individual and their government‑issued photo ID are legitimate. 

• Acceptable organization name format in the certificate: Legal name or registered DBA 

For Individuals 

• Proof of the individual’s legal identity using automated Video ID session using a valid, government‑issued photo ID. 

 

Physical Address Verification 

For Organizations 

• Verification of the physical business address using reliable third‑party public data sources or government sources 

• Additional documentation may be requested if the address cannot be independently confirmed 

For Individuals 

• Verification of physical presence using reliable sources, such as government‑issued identification or trusted public records 

 

Contact Information (Method of Communication) 

• A verified, working business phone number and/or email address listed in reliable third‑party public data sources or government sources 

 

Subscriber Agreement and Request Authenticity (Callback) 

• Verification that the Subscriber Agreement was signed 

• Confirms that the certificate request was legitimately authorized by the individual applicant or by an authorized representative of the organization 

• Authentication is completed using verified contact information only 

 

What to Expect During OV Code Signing Validation 

While validation is in progress, customers may be asked to: 

• Complete the Subscriber Agreement 

• Complete identity verification (organization or individual) 

• Respond to a verification call or email confirming certificate authorization 

• Provide additional documentation if requested 

Prompt responses help prevent delays. 

Customers can track validation progress and required actions using the link included in the order confirmation email. 

 

Certificate Request Authentication (Callback) 

Callback authentication is a critical part of secure and compliant OV Code Signing certificate issuance. This step helps prevent fraud, ensures regulatory compliance, and protects the trust that end users place in code signing certificates. 

For OV Code Signing certificates issued to organizations, a reliable method of communication must be used to confirm that the certificate request is authentic and properly authorized. This verification may be completed with an authorized representative of the organization or through an authoritative source associated with the organization. 

 

How Callback Authentication Works 

Callback authentication confirms that the certificate request was intentionally submitted and approved. The following callback methods may be used, depending on the situation: 

• Automated telephone callback 
  An email is sent to the applicant’s administrative contact containing a link to initiate an automated call to a verified business phone number. During the call, a verification code is provided. Entering this code completes the authentication process. 

• Automated email callback 
  A verification link is sent to a verified business email address. Clicking the link confirms authorization using a secure and traceable communication method. 

• Manual callback (phone or email) 
  Manual callbacks are used when automated methods are unavailable or when additional verification is required. These callbacks are performed by a validation specialist using verified contact details. 

All callback methods are designed to ensure secure, reliable, and efficient authentication based on the applicant’s circumstances. 

 

If You Have Trouble Completing the Callback 

• If the automated callback fails but the phone number or email address is correct, contact support via chat to request a manual callback. 

• If the phone number or email address is incorrect or cannot be verified, upload documentation showing a valid business phone number or email address for your organization. 
  This documentation must come from a reliable third‑party data source or government registry and list the contact details under the same organization name. 

 

Important Notes About Callback Verification 

• Callback authentication can only be completed using phone numbers or email addresses that are independently verified through reliable third‑party data sources or government registries. 

• Callback attempts are not made using unverified or self‑provided contact details. 

• Completing this step promptly helps prevent delays in certificate issuance. 

 

Secure Storage and Delivery of OV Code Signing Certificates 

For OV Code Signing certificates, private signing keys are stored on secure hardware devices, such as hardware tokens or hardware security modules (HSMs), in accordance with industry security requirements. 

This ensures that: 

• Private keys cannot be copied or exported 

• Certificates cannot be misused for unauthorized signing 

• Signed software remains trustworthy for end users 

After validation is complete, the certificate is provisioned onto the secure device and made available to the customer according to the selected delivery method.  

 

How to Avoid Common OV Code Signing Validation Delays 

Most OV Code Signing validation delays are caused by incomplete, mismatched, or unverified information. The following tips can help speed up the process: 

 

Use the Correct Legal Name 

• Enter the exact legal name or DBA of the organization or individual as shown in official records. 

• Do not enter a trade name or DBA unless it is officially registered. 

• If a DBA is used, ensure it is registered and linked to the legal entity. 

 

Complete Identity Verification Promptly 

• For individuals, complete the Video ID verification as soon as requested. 

• Ensure the name on your government‑issued photo ID matches the name on the order. 

• Use a clear, valid ID and follow the instructions carefully during the identity check. 

 

Provide a Verifiable Physical Address 

• Use a real physical address where you or your organization operate. 

• Ensure the address matches trusted public records or government sources. 

• Be prepared to provide additional documentation if the address cannot be independently confirmed. 

 

Ensure Contact Information Is Publicly Verifiable 

• Use a business phone number or email address that appears in reliable third‑party data sources or government registries. 

• Avoid using personal or newly created contact details that cannot be independently verified. 

 

Complete the Subscriber Agreement Correctly 

• Ensure the Subscriber Agreement is completed by the correct individual. 

• The signer does not need to be the order administrator, but must be authorized. 

• Incomplete or unsigned agreements will prevent certificate issuance. 

 

Respond Quickly to Callback Requests 

• Complete the callback (verification call or email) as soon as it is received. 

• Callbacks can only be completed using verified contact details. 

• If the automated callback fails but your contact information is correct, request a manual callback promptly. 

 

Monitor Order Status and Emails 

• Regularly check the link included in your order confirmation email. 

• Review all validation emails carefully and respond to any requests without delay. 
• Outstanding actions are the most common reason an order appears “stuck.” 

 

How to Avoid Common OV SSL/TLS Validation Delays 

Most OV SSL/TLS validation delays are caused by information that cannot be independently verified or by pending customer actions. The tips below can help ensure a faster validation process: 

 

Use a Verifiable Company Name 

• Enter the organization or individual name exactly as it appears in reliable third-party data sources or government registries. 

 

Provide a Verifiable Address 

• Ensure the address matches trusted public records or government sources. 

• Be prepared to provide additional documentation if discrepancies are found. 

 

Ensure Contact Information Is Publicly Verifiable 

• Use a business phone number or email address that appears in reliable third‑party data sources or government registries. 

• Avoid using personal, temporary, or newly created contact details that cannot be independently verified. 

 

Complete Domain Control Verification (DCV) Carefully 

• Use only the most recent DCV email (verification links expire). 

• Follow the instructions exactly for the selected DCV method. 

• Incorrect values, expired links, or incomplete steps are a common cause of delays. 

 

Complete the Subscriber Agreement Promptly 

• Ensure the Subscriber Agreement is reviewed and accepted as soon as it is received. 

• The agreement must be completed by the correct individual (individual applicant or authorized representative). 

• Unsigned or incomplete agreements will block certificate issuance. 

 

Respond Quickly to Callback Requests 

• Complete the verification call or email as soon as it is received. 

• Callbacks can only be completed using verified contact details. 

• If the automated callback fails but your contact information is correct, request a manual callback promptly. 

 

Monitor Order Status and Emails 

• Regularly check the Validation Manager link included in your order confirmation email. 

• Review all validation‑related emails carefully. 

• Outstanding customer actions are the most common reason an OV order appears “stuck.” 

 

Frequently Asked Questions (FAQs) 

Why can OV Code Signing validation take longer than expected? 

OV Code Signing certificates require several verification steps, including identity, legal registration, address, and authorization checks. Because these checks may require customer action, document review, or additional confirmation, issuance can sometimes take longer. 

 

Why was I asked to verify my identity? 

Identity verification helps confirm that the software publisher is real and authorized to sign code, which protects users from malicious or fraudulent software. 

 

Why do I need to complete a callback (verification call or email)?  

The callback confirms that the certificate request was intentionally submitted and approved by the correct individual or organization. This step helps prevent unauthorized or fraudulent certificate issuance. 

 

How does the callback process work? 

Callback authentication is completed using a verified business phone number or email address. Depending on the situation, this may be done through an automated call, an automated email verification link, or a manual callback. All methods use secure and traceable communication channels. 

 

Why can’t the callback be completed using my provided phone number or email? 

Callback verification can only be completed using contact details that are independently verified through reliable third‑party data sources or government registries. Self‑provided or unverified contact information cannot be used for this step. 

 

What should I do if the automated callback fails? 

If the automated callback does not work but the phone number or email address is correct, you can contact support via chat to request a manual callback. Manual callbacks are performed using the same verified contact details. 

 

What if the phone number or email address on file is incorrect? 

If the contact information cannot be verified, you may be asked to provide documentation showing a valid business phone number or email address. This documentation must come from a reliable third‑party data source or government registry and list the contact details under the same organization name. 

 

What happens if my OV Code Signing token is lost, damaged, or not received? 

OV Code Signing certificates are stored on a secure hardware token and cannot be copied or recovered. If the token is lost, damaged, or not received, you must contact validation support as soon as possible. For security reasons, a replacement requires revoking the original certificate and issuing a new one, which may involve revalidation and additional steps. 

 

How is the OV Code Signing token delivered? 

After validation is complete, the OV Code Signing certificate is provisioned onto a secure hardware token and shipped to the customer using a tracked delivery method. The order administrator receives an email with the tracking number and token password. The certificate can only be used with this physical device, so it is important to ensure the shipping address is correct and that the token is stored securely upon receipt. 

 

What should I do if my OV Code Signing order seems stuck? 

Track validation progress and required actions through the link included in your order confirmation email. Review pending items, ensure the Subscriber Agreement is completed correctly, and respond to any verification requests.