These are the steps to apply for and grant a certificate:

  1. Apply for an SPC. A software publisher’s request for certification is sent to the LRA. (In a simpler model, it is sent to the CA.) It is expected that CAs and LRAs will have Web sites that walk the applicant through the application process. Applicants will be able to look at the entire policy and practices statements of the CA or LRA. The utilities an applicant needs to generate signatures, such as Authenticode, should also be available. The applicant must generate a key pair using either hardware or software encryption technology. The public key is sent to the LRA during the application process. For individuals, all of the necessary information can be transferred online. For commercial publishers, because of the identity requirements, proof of identification must be sent by mail or courier.
  2. Verify the applicant’s credentials. Depending on the contract between the CA and the LRA, these companies will examine the evidence to verify an applicant’s credentials. To do this, they may employ external contractors such as Dun & Bradstreet.
  3. Generate and issue the software publisher X.509 certificate. After the CA has decided that the applicant meets the policy criteria, it generates an SPC. The SPC contains multiple certificates conforming to the industry standard X.509 certificate format with Version 3 extensions. The SPC is distributed in a digital signature with the publisher’s software file to identify the publisher and provide the publisher’s public key. The digital signature is also used by the receiver of the file to verify that the file has not been modified since it was signed. The SPC is stored by the CA for reference, and a copy is returned to the applicant via electronic mail.

    The publisher should review the contents of the certificate and verify that the public key works with the private key. After accepting the certificate, the publisher should include a copy in all published software signed with the private key.

    Commercial developers can expect a response to their application in less than two weeks. While there is no limit to the number of certificates commercial software publishers can obtain, it is up to the publisher to determine who gets a certificate, and how code is signed and distributed.

  4. Distribute signed software. The publisher can now begin signing and distributing software on the Internet. Publishers use utility programs to sign the software they intend to publish. The utility programs use the private key to generate a digital signature on a digest of the binary file and create a signature file containing the signed content of a public key certificate standard (PKCS) #7 signed-data object. (For more information about PKCS #7, see the RSA specification listed in Appendix D: Suggested Reading.) The PKCS #7 signed-data object also contains a copy of the SPC. For portable executable (PE) image format files, the PKCS #7 signature file contents are stored in the binary file itself, in an additional section.