Unprofessional, hopeless, Sectigo

In February I applied for an AuthentiCode code-signing certificate for personal projects. I decided to go with KSoftware, a reseller of Sectigo certificates. That was February 15th.

TL;DR: More than two months and dozens of emails later I’m none the wiser and still have no certificate I can work with.

As you may know, getting a code-signing certificate as an individual is a daunting task. Sometimes I feel that OV1 is tougher to get through than creating a shell company and applying for an EV2 certificate as such. I have some prior experience getting code-signing certificates from StartCom, Symantec and Certum, in several cases with renewals. Until Sectigo, Symantec was the most troublesome to get, because they require you to see a notary who will validate your documents and attest that you are you in a legally binding fashion. Unfortunately the whole process — US-centric as all code-signing businesses are — completely misses the fact that a Notar in Germany is far more official than a notary in common law countries. Oh well.

Either way, I set out to get a code-signing certificate. The first bummer of course was the definite instruction not to use anything other than actual Internet Explorer. Not Edge, not Firefox, not Chrome or any other browser. It had to be Internet Explorer for reasons beyond my comprehension3.

Now, I have two official addresses and that’s not only perfectly legal in Germany, it’s also nothing uncommon. I decided to go with the address which hasn’t changed for more than two decades; but that happens to be the address which is not on my national ID card. Bad decision. Because the actual requirements were only vaguely described prior to the order, one of my first actions was going to be to have them correct the address.

Anyway, the first thing I got was an email from Sectigo Certification Authority, followed within seconds by an email from KSoftware. The latter email4 instructed me to open a ticket with the Sectigo validation department.

This is where my woes started. Despite using Internet Explorer as instructed, I was unable to even open said ticket with Sectigo. They required some sort of verification number (four digit code) akin to a CAPTCHA, but whatever I did I was unable to submit the form successfully, although the code had allegedly been accepted. Curiously, the generation of the CSR and private key on my end had worked perfectly fine mere minutes before in the exact same instance of Internet Explorer5. I have a GIF of this and if I ever manage to redact my personal details in that GIF I’ll include the futile attempts to submit the form here.

Due to my failure to submit the form I sent an email to the reseller about half an hour6 after the order confirmation was received. The ticket got confirmed and a mere twelve minutes later7 I received my first email from the Sectigo Validation Team with subject “Information Required Order [order number]”.

On the web form where I was supposed to open a ticket there was no mention of code-signing certificates for individuals, by the way. Everything seemed to be geared at validation of companies. As it later8 turned out, this seems to be quite intentional. However, that prompted me to send another email to the reseller asking about this odd fact and also noting that — as I now had learned further in the process — I would not be able to have them validate my address from the order as it wasn’t the one from the national ID.

Fast-forward 48 hours (2021-02-18 00:00 CET). I still hadn’t heard back from either Sectigo or the reseller. So from the looks of it the ticket had indeed not been successfully submitted9.

That night I received an email back from the reseller. He advised to call the Sectigo Validation Team and gave me a number and he also mentioned there would not be any need to cancel the order just in order to get the address changed.

On 2021-02-23 20:31 CET I called the number I had been given. After I was put through to the correct person, said person promised me to open a ticket on my behalf. I received the respective confirmation nine minutes later10 with a link where I’d be able to upload the requested documentation. The email still contained the original address from the order, not the one I had just spelled out over the phone to the Sectigo representative.

And so I tried the best to meet all the criteria and uploaded a selfie with my ID, a phone bill, a utility bill11 and scanned versions of the national ID12.

The next morning I awoke to an email from the Sectigo Validation Team13. At the very least it stated what the problem was:

We are unable to accept the ID card since the image is not clear. We are unable to read the name and address.

So while I was initially stumped, I quickly realized that I had mislabeled the scanned images and therefore attached the backside of the ID twice. The front side was not included. Now, little quiz: where do you think the address is on a German national ID card? Yep, that’s right. It’s on the backside. Yet they proclaimed that they couldn’t read it. This wasn’t a low resolution image either, the address was readable, so I guess whatever image viewer they were using didn’t actually use the orientation flag in the file and so they saw it (perhaps) bottom-up or 90° turned. This is obviously an obstacle no one could possibly expect Sectigo to overcome.

So I follow the new link and all previously uploaded documents are shown as rejected, not just the image they had complained about. Imagine a deep sigh from me at this point and some minutes of shaking my head in disbelief.

So I scanned the images again, made sure that the orientation would be correct and then commented in the respective field that the previous bills I had included should be reused. After submitting the form and getting confirmation I sent an email to the reseller14. I stated the issues I had encountered and expressed my hope that the freshly uploaded images would fix the issue.

A few hours later15 I receive a new “Information Required” email from Sectigo stating:

Provide a back side of government issued photo ID to verify your address.

Note : The photo ID document submitted previously was not readable.

Yep, this is starting to get ridiculous. I verify my images again, upload them again having them labeled (i.e. file names) appropriately. In the comment field I remark once again that the bills are to be reused as previously uploaded.

Yet a few hours later16 I receive another “Information Required” email from them. This time the formatting is somewhat garbled, I guess because I’m not using a Microsoft-sanctioned email client. It states:

*Note:Recent=dated within the last 6 months. Documents must match the name and address on the order

Another deep sigh slips my mouth and I shake my head in disbelief once again. So I upload something I had previously uploaded once again and try to point out to them that with the combined utility bill which I get exactly once annually it will be rather hard to produce a copy that is no older than six months, because the next one is due in about four months.

Somehow I got through to them and indeed I received an email on 2021-02-24 08:42 CET titled “Your Code Signing Certificate is ready!”.

That’s it, I think. Finally. Sure it’s been ten days, but finally I’ll have the certificate. So I head to the collection link with the same Internet Explorer I had used during generation of the CSR and collect my certificate. Upon a closer look I notice they embedded my address right in the certificate.

WHAT THE FUCK?

Seriously? Not only should this be a gross violation of the provisions of the EU GDPR, but it’s simply ridiculous. I could do with city or even ZIP code, which in a bigger city narrows it down quite a bit, but my full address to be embedded in every future executable I was going to sign? No way!

So I sit down typing another email to the reseller, pointing out the issue and asking to make use of the unconditional money-back guarantee if there is no way to fix it. Before my closing words I wrote:

It was by no means clear beforehand that not only would I have to “strip” (privacy-wise) to the CA, but also to the rest of the world.

It was after this email that I found this article describing similar woes, with a happy end, though.

What followed next was an email at 2021-02-25 23:07 CET from the reseller, telling me to log into some secure area of the Sectigo website. This allowed me to request the certificate to be reissued with changed details. So I removed the street address but left ZIP code and city name intact.

On 2021-02-26 17:49 CET I received my second email titled “Your Code Signing Certificate is ready!” and headed over to the link, entered the code from the email and collected my certificate.

Guess what. The full address was still in the certificate. Although “still” is an improper wording, because I made a slight change to the city name which was Frankfurt Am Main but should have been Frankfurt am Main. So that change went through; my removal of street address and house number did not.

At 2021-02-26 22:50 CET I found myself sending the next email to the reseller, describing the situation and asking if I should use a placeholder such as “n/a” instead of simply removing the field contents.

On 2021-03-01 21:18 CET I received another email from the reseller advising me to try getting the certificate reissued once more. So I tried again — this time entering “n/a” instead of the street address — and notified the reseller at 2021-03-01 21:56 CET about the fact.

Hooray … another email titled “Your Code Signing Certificate is ready!” arrived at 2021-03-02 00:29 CET.

In the morning I sent an email back to the reseller at 2021-03-02 00:29 CET telling him I had collected the certificate a third time and once again the street address was included in the certificate.

And if you are doubting me as I was doubting myself throughout this wacky process, rest assured that I have made sure that the certificates were indeed distinct certificates, issued on the days I received the emails, with individual serial numbers but all using the same private key.
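The two checks worth doing on any collected code-signing certificate before it signs a single binary are the ones this post keeps circling back to: what the subject DN actually contains (the street address from the order, a placeholder, or nothing), and whether a reissued certificate really is a new certificate (different serial) bound to the same private key. The script below is an added example, not code from the post, the reseller or Sectigo; it assumes OpenSSL is on the PATH and stands in for the CA with three self-signed certificates issued from one key. The names, address, postal code and serial numbers are constructed placeholders.

```sh
#!/bin/sh
# Added example, not part of the post: reproduce the checks described above with
# OpenSSL on self-signed stand-ins. One private key is used for three certificates
# with distinct serial numbers; each certificate is then asked whether its subject
# still carries a street address and whether it matches the private key.
# Every name, address and serial number here is a constructed placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# The single private key behind every (re)issued certificate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/key.pem" 2>/dev/null

# issue_cert FILE SERIAL SUBJECT: self-sign SUBJECT with the shared key.
issue_cert() {
  openssl req -x509 -new -key "$WORK/key.pem" -days 30 -set_serial "$2" \
    -subj "$3" -out "$WORK/$1" 2>/dev/null
}

# Three "reissues": full address, full address again, and finally street removed.
issue_cert cert1.pem 1001 "/C=DE/L=Frankfurt am Main/postalCode=60311/street=Example Str. 1/CN=Example Applicant"
issue_cert cert2.pem 1002 "/C=DE/L=Frankfurt am Main/postalCode=60311/street=Example Str. 1/CN=Example Applicant"
issue_cert cert3.pem 1003 "/C=DE/L=Frankfurt am Main/postalCode=60311/CN=Example Applicant"

# subject_of FILE: subject DN in RFC 2253 form (attribute=value, comma separated).
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# has_street_address FILE: succeeds if the subject carries a streetAddress
# attribute (OpenSSL short name "street").
has_street_address() {
  subject_of "$1" | grep -q 'street='
}

# serial_of FILE: the certificate serial number, hexadecimal.
serial_of() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# cert_key_fingerprint FILE: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
cert_key_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# private_key_fingerprint FILE: the same digest derived from the private key,
# so a collected certificate can be matched against the key that made the CSR.
private_key_fingerprint() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# report: one line per certificate when the script is run stand-alone.
report() {
  for c in cert1.pem cert2.pem cert3.pem; do
    f="$WORK/$c"
    if has_street_address "$f"; then street=present; else street=absent; fi
    printf '%s serial=%s street=%s key=%s\n' "$c" "$(serial_of "$f")" \
      "$street" "$(cert_key_fingerprint "$f" | cut -c1-16)"
  done
  printf 'private key         key=%s\n' \
    "$(private_key_fingerprint "$WORK/key.pem" | cut -c1-16)"
}

report
```

Against a real collection result, point `subject_of`, `serial_of` and `cert_key_fingerprint` at the downloaded certificate instead (add `-inform DER` to the `openssl x509` calls if it came as a binary `.cer`) and compare the key fingerprint with the one computed from the private key behind the CSR: matching fingerprints with a different serial is exactly the "distinct certificate, same key" situation described above, and `has_street_address` tells you whether the reissue actually dropped the field before you sign anything with it.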

The next day17 the reseller responded admitting he also had no idea what was going on, but advising to try once more.

So I did and notified the reseller of the fact18. From here on it spiraled downward …

Next day19 I received another email from the reseller saying:

I think we have it now. They were holding it while they contacted me but I just gave them the go-ahead. I’m keeping my fingers crossed.

So I sent another email to the reseller on20 just to notice that while I was typing my email one from Sectigo had arrived.

I hadn’t heard back from Sectigo until March 8th21. That email was about a callback. So evidently I was now somehow back in the validation stage. Way to go, Sectigo!

What’s more, I hadn’t given them any phone number up until that point, except in the phone bill. That is, I hadn’t given my landline or mobile phone number in any other way.

So I headed over to the link they gave, entered the code and sent another email22 to the reseller explaining that their email had arrived while I was typing my previous email to him.

What’s notable about that callback email was that they had a totally awkward phone number “on record” for me. To reiterate: I had not given them my phone number, let alone this one. For the time being I surmised that they must have taken some number from the utility bill or my phone bill as phone number — I was wrong about that as it later turned out. However, since I hadn’t noted down the number they had given, I had nothing to research further — a negligence on my part.

So in my email to the reseller23 I quoted the Sectigo website which showed after I entered my correct landline and mobile phone numbers:

We are still checking your phone number. Please visit this page later.

In order to verify your phone number we will need to verify it with a third party source. Some common sources we check are: 1) Dunn & Bradstreet: www.dnb.com 2) Commonly accepted online phone directories such as superpages.com, yellowpages.com, yell.com, etc. Note that these sources vary from country to country. 3) Better Business Bureau: www.bbb.org 4) If you know a third party data source or phone directory that we can use to verify this number – please send us an email to callback@sectigo.com

If we are unable to verify the phone number through the sources listed above we will require either a legal opinion signed by a licensed attorney, or an accountant letter signed by a chartered accountant or certified public accountant or equivalent.

Uhm, what? Being an individual I am now held against some validation standards for businesses? I have to admit that none of those phone directories made any sense whatsoever to me. They are simply nothing I have ever heard of or used — well, the process is US-centric, so why am I surprised? Anyway, at this point I was under the misconception that these were directories listing phone numbers of individuals. Guess I should have visited those sites.

As you would expect, no callback ever arrived on either of my phone numbers. But I kept receiving emails about the pending callback. Since they all used the same “email verification code” as the first one, there was no way to review or resubmit the corrected data from 2021-03-08.

On 2021-03-09 21:05 CET an email arrives from the reseller, apologizing for the situation and stating that Sectigo claimed they’re sorting it out. In an email I sent 2021-03-11 00:50 CET I bemoan the fact that I am unable to review or resubmit another correction, given the unchanged “email verification code”. In another email dated 2021-03-12 17:55 CET the reseller expresses surprise that Sectigo is asking for “validation docs” again; well, only the phone number and callback, but I am clearly back in validation, yes.

Meanwhile Sectigo keeps sending those callback emails with the same “email verification code” they gave on 2021-03-08. I tried a few times, but I wasn’t allowed to review or resubmit a correction with that code again.

On 2021-03-18 22:01 CET — it’s been over a month since my initial order — I ask the reseller for any news. The swift response24 surprises me:

the last I heard was last week when [name redacted] re-sent the callback email. You still didn’t get that at all?

In my response next day25 I try to explain that the issue isn’t not getting those emails but that since my initial correction submitted on 2021-03-08 I was unable to review or resubmit anything and that I also hadn’t received a call.

On 2021-03-23 18:12 CET I receive another email from the reseller with an apology, stating he was going to call Sectigo right away.

Finally on 2021-03-25 14:37 CET another callback email arrives from Sectigo, this time with a new “email verification code”. Yay … finally I am able to do something again. So I head over to the site, enter the new code and am greeted with that other mysterious phone number which I was presented before on 2021-03-08 already. This time I note it down. The number has some resemblance with my landline number, but the digits are in the wrong order and some seem outright wrong.

So once again I enter my landline and mobile phone number, describing in the comment field that the number they have on record for me has got nothing to do with me and then submit.

After that it was time to check where that mysterious phone number came from. And lo and behold an inverted search for the number brought up a business of a chef who apparently is giving cooking courses at his business address. The address as well as the ZIP code had no semblance to the details Sectigo had on file for me. The only things that matched were our legal names (first and last name) as well as the city name. So that poor chef must have received dozens of calls from Sectigo attempting to validate his business against my application for a code-signing certificate as an individual.

Wow, just wow. Apparently when you think it can’t get worse, Sectigo proves you wrong once again.

So I let the reseller know in an email sent at 2021-03-25 23:26 CET that Sectigo had apparently taken the liberty to look up my name in Frankfurt and came up with a business address owned by a person of the same legal name who has got nothing to do with me. I couldn’t help but remark that despite Frankfurt not being a particularly big city, the general practitioner I see has at least three people with my exact name on file. And they cater only to part of the city anyway …

Ten minutes after I sent my email I get another callback email from Sectigo26 with a new “email verification code”. So once again a deep sigh slips my mouth, I head over to the site, enter my mobile and landline number for good measure, remark on the apparent misunderstanding in the comment field and submit. Next morning an email arrives from Sectigo27 titled “Action Required for your Order [order number]” (coloring as per the original, identifying numbers redacted):

ACTION REQUIRED: We are unable to verify the phone number provided.

We have vetting a current phone number for you would be +49 69XXXXXXXX
You have provided this phone number: +49 179 YYYYYYY, we are unable to verify this number.

  • Update/register your details (including telephone number) with a third party independent source (including local/national registration agencies and reputable third party databases). For example you hold an D&B Duns number 3ZZZZZZZZ, were we obtained +49 69XXXXXXX. If this can be updated to reflect +49 179 YYYYYYY

Oh really? So they are unable to validate my private phone number against a business which isn’t in any way associated with me? Now that’s surprising.

As an explanation:

  • +49 69XXXXXXXX — phone number of the business run by that person with the same legal name
  • +49 179 YYYYYYY — my mobile phone number

After that I kept receiving those Sectigo callback emails and so I sent an email on 2021-03-27 21:44 CET. Quoting myself (D&B Duns number redacted):

I give up. Clearly they’re completely incompetent as a CA if they can’t even distinguish the case of individual vs. business and nilly-willy look up a business that happens to come along as “somewhat similar” to the applying individual in order to verify the individual:

https://www.dnb.com/business-directory/top-results.html?term=3ZZZZZZZZ

Apologies for the strong language, but that’s next-level stupid.

This has dragged on for well over a month now and there is no particular reason why I’m back to the verification stage either, when the only thing that was asked of them was to remove the street address from the created certificate after having finished verification already.

Find attached their latest emails. Now I even know where they found “my” phone number/details (D&B Duns number: 3ZZZZZZZZ). Same legal name? Must be the one we’re dealing with! 🤨

On 2021-03-30 19:45 CEST (yes, we switched to daylight saving) I received a response from the reseller:

[…] the certificate and replacement was issued last week. I’m having them re-send the collection email. Ignore those requests, I have no idea what in the world kind of loop this order is stuck in but I’m going to get it sorted out! I’m showing it was issued Friday…

I responded on 2021-03-30 22:05 CEST that I was looking forward to the resolution. At 2021-04-06 11:24 CEST I notified the reseller that I had meanwhile received three more of those callback emails from Sectigo but no means of collecting the certificate.

Three more callback emails from Sectigo later on 2021-04-08 21:56 CEST I sent another email pointing out I hadn’t heard back regarding collecting the certificate.

The last response from the reseller timestamped 2021-04-12 21:48 CEST was:

I have no idea what could have gone wrong there, the replacement was issued on March 25th and should have been delivered same-day. I’m showing it’s issued, but you didn’t get another collection link then, did you?

I confirmed that I hadn’t gotten any collection link and that’s that. No further communication from Sectigo or the reseller ever since.

One clarification: other than the response times — which in part can probably be attributed to time zone differences — I attribute the failures squarely to Sectigo. Is this due diligence? How on Earth can they go look up my legal name in some business directory, pick the phone number from there and initiate validation calls when 1.) I already had passed validation and 2.) I was applying as an individual and not a business.

// Oliver

PS: I am tempted to open a ticket with the CA/Browser Forum or get in touch with them some other way, but I am unsure if they are really responsible for code-signing certificates as well. But I am of the opinion that this severe lack of professionalism on part of Sectigo should be reported.

  1. owner validation
  2. extended validation
  3. As a side-note: previous CAs often made this a recommendation, but they would usually also work on other browsers.
  4. 2021-02-15 22:36 CET
  5. And no, with Internet Explorer I am not using any sort of content-blocking, so this should have worked.
  6. 2021-02-15 23:09 CET
  7. 2021-02-15 23:21
  8. about one and a half weeks later
  9. I remember having used forms which simply would show no appropriate indication of success, all the while the form had been submitted successfully. This wasn’t the case here.
  10. 2021-02-23 20:40 CET
  11. Albeit older than requested, because we only get one annually and therefore mine was older than six months.
  12. Fun fact: a few years back this was illegal in Germany. You were not legally allowed to reproduce the national ID in any form, be it using a scanner, a copier or a photo. The rules surrounding that have been relaxed meanwhile.
  13. 2021-02-24 06:08 CET
  14. 2021-02-24 08:22 CET
  15. 2021-02-24 12:52 CET
  16. 2021-02-24 16:08 CET
  17. 2021-03-03 16:28 CET
  18. 2021-03-03 23:11 CET
  19. 2021-03-04 21:42 CET
  20. 2021-03-08 17:29 CET
  21. 2021-03-08 17:22 CET
  22. 2021-03-08 17:48 CET
  23. still 2021-03-08 17:48 CET
  24. 2021-03-18 23:27 CET
  25. 2021-03-19 15:03 CET
  26. 2021-03-25 23:36 CET
  27. 2021-03-26 09:15 CET
This entry was posted in EN, IT Security, Opinion, Software.