Abstract: OV and EV Code Signing certificates from SSL require independent verification of your organization’s identity, address, and phone number before issuance, and that verification depends on your business appearing in a recognized third-party data source known as a Qualified Independent Information Source (QIIS). The Dun & Bradstreet D-U-N-S number is SSL’s preferred QIIS because its comprehensive, continuously updated business profiles allow validation agents to quickly confirm your details, often shortening the issuance time.
This guide covers how D-U-N-S numbers work, what to review before placing your order, how reliably the order authorization requirement connects to your business listing, and what additional steps apply for EV Code Signing certificates.
When you apply for an OV Code Signing or EV Code Signing certificate from SSL, the validation process requires more than a purchase and a few clicks. Unlike Domain Validated (DV) SSL/TLS certificates, which only confirm control of a domain name, code signing certificates require SSL to verify the identity and legitimacy of the organization or individual behind the signing key. This is what gives signed software its value: end users and operating systems can trust that the code came from a real, accountable entity.
A central part of that verification process depends on one concept: whether your business can be found and confirmed through a recognized, publicly accessible data source. This guide explains how the D-U-N-S number and other qualified business listings factor into that process, and what you should do before submitting your certificate order.
SSL, as a publicly trusted Certificate Authority (CA), is required by industry standards to verify the identity, physical address, and a reliable method of communication for any organization receiving an OV or EV certificate. For code signing specifically, this verification step is mandatory before any certificate is issued, with no exception. There is no “placeholder” certificate issued while OV or EV code signing validation is in progress, which is why it pays to have your business information in order before you start.
The key word here is “independent.” SSL cannot simply take your word for it, nor can it rely solely on documents you supply. A QIIS must be a source that SSL has no control over, that updates its records regularly, and that the CA/Browser Forum recognizes as trustworthy for validation purposes.
For SSL’s validation team, a D-U-N-S number does two things. First, it provides a direct line to a comprehensive, cross-referenced business profile that includes your legal name, physical address, telephone number/email address, and operating status. Second, because D&B’s database is updated continuously and carries significant reputational weight in the business world, it reduces the back-and-forth that sometimes occurs when validation agents have to chase down secondary documentation.
In practical terms, submitting a valid D-U-N-S number when ordering your certificate can meaningfully accelerate the issuance process. You can enter your D-U-N-S number directly in the Company Details section of your SSL account portal during the order process.
If your company already has a D-U-N-S number but you have never claimed the listing, you may find that the information on file is incomplete or outdated, especially if the record was generated automatically from a third-party data source rather than submitted directly by your organization. Before using your D-U-N-S number for certificate validation, log in to D&B’s self-service portal and confirm that the following fields are accurate:
If your listed phone number routes to a disconnected line, a generic voicemail, or an answering service that cannot confirm your identity, or if the email address is inactive or unattended, the verification requirement cannot be satisfied, and the validation process will be stalled.
Please ensure that the phone number and/or email address listed in your business records are reachable by someone authorized to confirm certificate requests on behalf of your organization.
For EV specifically, applicants must also submit a signed copy of the EV Subscriber Agreement. The D-U-N-S number or an alternative QIIS record serves as one of two required document submissions. The other options for that third item are a business profile from another qualified source, such as ZoomInfo or OpenCorporates, or an attestation letter from a licensed attorney, accountant, or civil-law notary.
For organizations operating outside of the United States, jurisdiction-specific registries are often the strongest path. SSL’s validation team is familiar with registries in dozens of countries and can help you identify the best source for your region.
If you appear in a legitimate business directory that is not on SSL’s pre-approved list, you can submit a link to your listing for review. SSL’s validation team will evaluate it on a case-by-case basis for potential approval.
Audit your business listing before ordering. Whether you are using D&B, a government registry, or another source, verify that your legal name, address, and phone number are current and consistent across all sources.
Use the exact legal name. The business name on your certificate order must match the one that appears in your QIIS record. DBAs, trade names, or informal abbreviations can cause mismatches that require additional documentation to resolve.
Ensure your phone number/email address is reachable. Order authorization via a publicly listed method of communication is a required step. The number or email in your business listing must reach a person who can confirm the certificate request.
Plan for processing time if updating D&B records. Changes to a D&B record can take several business days to propagate. If you need to update your listing, do it before placing your certificate order, not after.
For a complete list of accepted business listings and QIIS sources, see SSL’s Acceptable Business Listings for Validation.
When you apply for an OV Code Signing or EV Code Signing certificate from SSL, the validation process requires more than a purchase and a few clicks. Unlike Domain Validated (DV) SSL/TLS certificates, which only confirm control of a domain name, code signing certificates require SSL to verify the identity and legitimacy of the organization or individual behind the signing key. This is what gives signed software its value: end users and operating systems can trust that the code came from a real, accountable entity.
A central part of that verification process depends on one concept: whether your business can be found and confirmed through a recognized, publicly accessible data source. This guide explains how the D-U-N-S number and other qualified business listings factor into that process, and what you should do before submitting your certificate order.
Why Business Verification Is Required for Code Signing
Code signing certificates are not simply about encrypting a connection. They bind a cryptographic signature to your organization’s identity, which gets displayed to end users when they install or run your software. If a trusted third party cannot independently confirm that identity, the certificate cannot be issued.SSL, as a publicly trusted Certificate Authority (CA), is required by industry standards to verify the identity, physical address, and a reliable method of communication for any organization receiving an OV or EV certificate. For code signing specifically, this verification step is mandatory before any certificate is issued, with no exception. There is no “placeholder” certificate issued while OV or EV code signing validation is in progress, which is why it pays to have your business information in order before you start.
What Is a QIIS?
The term Qualified Independent Information Source (QIIS) refers to a publicly accessible database that is regularly updated and considered reliable for identity verification purposes. CAs use QIIS records to independently confirm that the details submitted by a certificate applicant, such as the organization name, address, and phone number, match what is on file with a reputable third party.The key word here is “independent.” SSL cannot simply take your word for it, nor can it rely solely on documents you supply. A QIIS must be a source that SSL has no control over, that updates its records regularly, and that the CA/Browser Forum recognizes as trustworthy for validation purposes.
The D-U-N-S Number: SSL’s Preferred Verification Path
Among all the qualified data sources SSL accepts, the Dun & Bradstreet D-U-N-S number is the preferred option for both OV and EV validation. D-U-N-S stands for Data Universal Numbering System, and it is a nine-digit identifier assigned to individual business locations by Dun & Bradstreet (D&B). More than 500 million businesses worldwide are listed in D&B’s database, and major institutions, government agencies, and CAs consistently recognize D&B records as authoritative.For SSL’s validation team, a D-U-N-S number does two things. First, it provides a direct line to a comprehensive, cross-referenced business profile that includes your legal name, physical address, telephone number/email address, and operating status. Second, because D&B’s database is updated continuously and carries significant reputational weight in the business world, it reduces the back-and-forth that sometimes occurs when validation agents have to chase down secondary documentation.
In practical terms, submitting a valid D-U-N-S number when ordering your certificate can meaningfully accelerate the issuance process. You can enter your D-U-N-S number directly in the Company Details section of your SSL account portal during the order process.
Getting or Claiming Your D-U-N-S Number
If your organization does not yet have a D-U-N-S number, you can request one at no charge through Dun & Bradstreet’s website at dnb.com. Standard processing typically takes a few business days. Expedited options are available for a fee if you need a number more quickly.If your company already has a D-U-N-S number but you have never claimed the listing, you may find that the information on file is incomplete or outdated, especially if the record was generated automatically from a third-party data source rather than submitted directly by your organization. Before using your D-U-N-S number for certificate validation, log in to D&B’s self-service portal and confirm that the following fields are accurate:
- Legal business name (exactly as it appears in government registration records)
- Physical address (no P.O. Box; a verifiable street address is required)
- Business telephone number (this is the number SSL will use for callback verification)
- Business status (active and in good standing)
The Order Authorization and Why Your Phone Number/Public Email Address Matters
For both OV and EV Code Signing certificates, SSL is required to complete a verification with your organization. This communication must be sent to a phone number or email address listed in an independent, verifiable source. This means the phone number or email address in your D-U-N-S record (or other Qualified Information Source) must be used so SSL can successfully reach you.If your listed phone number routes to a disconnected line, a generic voicemail, or an answering service that cannot confirm your identity, or if the email address is inactive or unattended, the verification requirement cannot be satisfied, and the validation process will be stalled.
Please ensure that the phone number and/or email address listed in your business records are reachable by someone authorized to confirm certificate requests on behalf of your organization.
OV Code Signing: Additional Note for Newer Organizations
For OV Code Signing certificates, if your organization has been in existence for fewer than three years, SSL also requires a scan of the certificate requester’s government-issued photo ID. This is an additional layer of verification for newer entities whose business history is more limited, and it applies regardless of which QIIS you use for primary validation.EV Code Signing: A Higher Standard
Extended Validation (EV) Code Signing certificates carry the most rigorous identity requirements of any code signing product. In addition to verifying your organization’s legal name, address, and phone number, SSL’s vetting process for EV certificates confirms operational existence, verifies trade or assumed names if applicable, and confirms the authority of the individual signing the EV request forms.For EV specifically, applicants must also submit a signed copy of the EV Subscriber Agreement. The D-U-N-S number or an alternative QIIS record serves as one of two required document submissions. The other options for that third item are a business profile from another qualified source, such as ZoomInfo or OpenCorporates, or an attestation letter from a licensed attorney, accountant, or civil-law notary.
Other Accepted Business Listings
If your organization does not have a D-U-N-S number or if Dun & Bradstreet does not carry a record for your jurisdiction, there are many other QIIS sources that SSL accepts for OV and EV validation. These include national and regional government business registries, legal and trade databases, and other commercially maintained directories. A partial list includes government business portals like Companies House (UK), the California Secretary of State, the Florida Division of Corporations, the Delaware Division of Corporations, OpenCorporates, and ZoomInfo, among many others.For organizations operating outside of the United States, jurisdiction-specific registries are often the strongest path. SSL’s validation team is familiar with registries in dozens of countries and can help you identify the best source for your region.
If you appear in a legitimate business directory that is not on SSL’s pre-approved list, you can submit a link to your listing for review. SSL’s validation team will evaluate it on a case-by-case basis for potential approval.
Tips for a Smoother Validation Experience
There are a few straightforward steps you can take to avoid unnecessary delays when applying for a code signing certificate:Audit your business listing before ordering. Whether you are using D&B, a government registry, or another source, verify that your legal name, address, and phone number are current and consistent across all sources.
Use the exact legal name. The business name on your certificate order must match the one that appears in your QIIS record. DBAs, trade names, or informal abbreviations can cause mismatches that require additional documentation to resolve.
Ensure your phone number/email address is reachable. Order authorization via a publicly listed method of communication is a required step. The number or email in your business listing must reach a person who can confirm the certificate request.
Plan for processing time if updating D&B records. Changes to a D&B record can take several business days to propagate. If you need to update your listing, do it before placing your certificate order, not after.
Next Steps
If you are ready to move forward with an OV or EV Code Signing certificate, you can begin the ordering process directly through your SSL account. If you have questions about which validation path applies to your situation, or need help locating your business listing, SSL’s support team is available via chat or email at Support@SSL.com, or by chatting with us live in the lower right corner of this page.For a complete list of accepted business listings and QIIS sources, see SSL’s Acceptable Business Listings for Validation.
