DigiCert EV Code Signing Certificate Benefits
- Extended Validation. Issuing a DigiCert EV Code Signing Certificate requires the most rigorous organizational vetting available. DigiCert verifies your company’s legal existence, physical address, operational status, and phone number through government registries and independent sources. Only organizations with at least three years of business history are eligible. Your verified publisher name appears in the certificate details, giving end users clear confirmation of who signed the software.
- Encryption strength. This certificate supports RSA 3072-bit or 4096-bit keys, along with ECC P-256 elliptic curve cryptography. All signatures use the SHA-256 hashing algorithm, meeting current CA/B Forum and NIST security requirements.
- Platform compatibility. The DigiCert EV Code Signing Certificate works across all major signing platforms: Microsoft Authenticode (kernel and user mode, including .exe, .dll, .cab, .msi, .ocx), Java (JAR), Adobe AIR, Apple macOS applications, Mozilla objects, and Microsoft Office VBA macros. It supports both 32-bit and 64-bit file signing.
- Timestamping. Every signature can include an RFC 3161 compliant timestamp that records the exact moment of signing. This preserves signature validity after the certificate expires, so your distributed software remains trusted for its entire lifecycle without requiring re-signing.
- Two-factor authentication. The private key is stored on FIPS 140-2 compliant hardware, either a USB token or a hardware security module (HSM). Signing requires both physical access to the hardware and authentication credentials, preventing unauthorized use even if one factor is compromised.
- “Unknown Publisher” warning prevention. Software signed with a valid DigiCert EV Code Signing Certificate displays your verified publisher name during installation instead of triggering security warnings. This directly improves download completion rates and user confidence across Windows, macOS, and major browsers.
Private Key Storage Options
CA/B Forum rules require all code signing certificate private keys to be stored on hardware certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+ standards. When you buy the DigiCert EV Code Signing Certificate through SSL Dragon, you have three delivery options.
- The first is a DigiCert-provided USB token: DigiCert ships a SafeNet eToken to your address with the certificate pre-loaded. This is the simplest option for most buyers. Plug the token into your computer and sign using tools like SignTool.exe or JarSigner.
- The second option is to use your own FIPS-compliant token. If you already own a compatible SafeNet eToken (models 5110 CC, 5110 FIPS, or 5110+ FIPS), you can install the certificate onto your existing hardware and skip the additional token cost.
- The third option is to install on an existing HSM. Organizations using Azure Key Vault, AWS CloudHSM, Google Cloud HSM, or a YubiKey can generate a CSR on their own hardware and submit it with the order. This approach suits teams that need centralized, network-accessible signing infrastructure.
Beyond these three methods, DigiCert also offers KeyLocker, a proprietary cloud-based HSM that meets FIPS 140-2 Level 3 standards. KeyLocker replaces physical tokens entirely, allows signing from anywhere, and integrates directly with CI/CD pipelines for automated build-and-sign workflows. Each KeyLocker unit includes 1,000 signing operations per certificate validity period.
Windows Driver Signing and SmartScreen
Kernel-mode driver signing. An EV code signing certificate is required to register a Windows Hardware Dev Center account. Since Windows 10 version 1607, all kernel-mode drivers must be submitted through the Dev Center and signed by Microsoft. Without an EV certificate, you cannot create the account needed to submit drivers. This requirement makes the DigiCert EV Code Signing Certificate essential for hardware developers and anyone publishing Windows device drivers.
Microsoft SmartScreen reputation. SmartScreen is the reputation-based security filter built into Windows that evaluates downloaded applications before allowing them to run. Before March 2024, EV-signed software bypassed SmartScreen warnings instantly. Microsoft has since updated this behavior: both EV and OV (Organization Validation) signed software now builds SmartScreen reputation organically through download volume and usage patterns.
EV certificates remain the highest-assurance certificate type, and the thorough identity vetting behind them still contributes to stronger overall publisher trust. However, instant SmartScreen bypass is no longer a guaranteed benefit of EV code signing. Many reseller sites still make this outdated claim. We believe in giving you the accurate, current picture so you can make an informed purchase decision.
DigiCert EV vs. Standard (OV) Code Signing
Since June 2023, all code signing certificates (including OV) require private key storage on FIPS 140-2 compliant hardware. This has narrowed the practical security gap between the two validation levels. However, EV code signing retains several exclusive advantages.
The most important is the kernel-mode driver signing requirement: only EV certificates satisfy the Windows Hardware Dev Center registration prerequisite. EV certificates also display full organizational details, including verified company name and address, in the certificate itself. This provides a level of publisher identity assurance that OV cannot match.
If you do not need kernel-mode driver signing and your primary concern is cost, Sectigo EV Code Signing and Comodo EV Code Signing are available at lower price points. For standard OV code signing needs, DigiCert’s OV Code Signing Certificate may be sufficient. DigiCert EV’s advantage lies in the combination of the highest CA brand recognition, KeyLocker cloud HSM integration, and the strongest identity verification in the industry.
EV Validation Process
The Extended Validation process verifies your organization through multiple checks. DigiCert confirms legal existence using government registries or equivalent databases (such as Dun & Bradstreet), validates your physical address, and verifies a listed phone number. An authorized contact within your organization must complete a verification callback.
When all documentation is in order, issuance typically takes 1 to 7 business days. Organizations that hold a Legal Entity Identifier (LEI) code can accelerate the validation process, as LEI provides pre-verified organizational data that CAs can reference directly.
Certificate Specifications
| Specification | Details |
| --- | --- |
| Validation Level | Extended Validation (EV) |
| Issuing CA | DigiCert |
| Key Size | RSA 3072-bit or 4096-bit / ECC P-256 |
| Hashing Algorithm | SHA-256 |
| Maximum Validity | Up to 460 days (per CA/B Forum Ballot CSC-31, effective March 2026) |
| Private Key Storage | FIPS 140-2 Level 2+ HSM or hardware token (mandatory) |
| Platforms | MS Authenticode, Java, Adobe AIR, Apple, Mozilla, MS Office VBA, Windows Kernel Mode |
| Timestamping | Included (RFC 3161) |
| Reissuance | Unlimited |
| Refund Period | 25 days |
Note on validity: Before March 2026, DigiCert could issue code signing certificates with up to 39 months of validity. Under CA/B Forum Ballot CSC-31, all code signing certificates issued from March 1, 2026 onward are limited to a maximum of 460 days (approximately 15 months). Certificates issued before this date remain valid until their original expiration. For more on code signing best practices, see our tutorials section.
Frequently Asked Questions
What changed with EV code signing and Microsoft SmartScreen?
In March 2024, Microsoft updated SmartScreen so that EV-signed software no longer receives automatic reputation bypass. Both EV and OV code signing certificates now build SmartScreen reputation through organic download volume. EV remains the highest-assurance certificate type and is still mandatory for Windows kernel-mode driver signing, but the automatic SmartScreen advantage that many sites still advertise is no longer in effect.
Do I need an EV code signing certificate to sign Windows drivers?
Yes. An EV code signing certificate is required to register a Windows Hardware Dev Center dashboard account. Microsoft requires this account for submitting kernel-mode drivers on Windows 10 and later. You can use either an EV or OV certificate to sign individual driver submissions once the account is established, but the initial registration requires EV.
What is the maximum validity for DigiCert EV Code Signing certificates in 2026?
As of March 1, 2026, all newly issued code signing certificates are limited to a maximum of 460 days, per CA/B Forum Ballot CSC-31. This applies to both EV and OV certificates across all certificate authorities. Previously, certificates could be issued with up to 39 months of validity.
Can I use DigiCert KeyLocker instead of a physical USB token?
Yes. DigiCert KeyLocker is a cloud-based HSM that meets FIPS 140-2 Level 3 standards. It stores your private key securely in the cloud, eliminates the need for a physical token, and supports CI/CD pipeline integration for automated code signing. Each KeyLocker unit includes 1,000 cryptographic operations.
What is the DigiCert “Class 3” code signing certificate?
“Class 3” was Symantec’s legacy naming convention for high-assurance code signing certificates. DigiCert acquired Symantec’s certificate business in 2017 and rebranded these products under the DigiCert name. The DigiCert EV Code Signing Certificate is the current equivalent of the former Symantec Class 3 EV Code Signing product.
