SSL Dragon Single

DigiCert EV Code Signing

DigiCert
PayPalCredit/Debit Card via StripeBitcoin, Ethereum & Altcoins
Dedicated Support
GLEIF logo representing the Global Legal Entity Identifier Foundation
25 Days Refund

The DigiCert EV Code Signing Certificate is a premium Extended Validation (EV) code signing certificate issued by DigiCert, the world’s largest high-assurance certificate authority. It digitally signs software, applications, drivers, and executable files to verify publisher identity, protect code integrity, and eliminate “Unknown Publisher” warnings.

For organizations that publish Windows kernel-mode drivers or need the strongest possible publisher identity assurance, the DigiCert EV Code Signing Certificate is the industry standard.

validation icon
Extended Validation
clock icon
Issued in 1-7 business days
mobile icon
Mobile friendly
trust-icon
Unlimited free reissues
Code Signing
Protects code; Keeps users safe
Emails & Documents
Verify Identity: Make your software more accessible
LEI code icon
Speed up with LEI: Quick Validation
paperwork icon
Validation methods: DV (EMAIL, DNS, HTTP / HTTPS) and EV (Public databases / Paperwork)

DigiCert EV Code Signing Certificate Benefits

  • Extended Validation. The DigiCert EV Code Signing Certificate undergoes the most rigorous organizational vetting available. DigiCert verifies your company’s legal existence, physical address, operational status, and phone number through government registries and independent sources. Only organizations with at least three years of business history are eligible. Your verified publisher name appears in the certificate details, giving end users clear confirmation of who signed the software.
  • Encryption strength. This certificate supports RSA 3072-bit or 4096-bit keys, along with ECC P-256 elliptic curve cryptography. All signatures use the SHA-256 hashing algorithm, meeting current CA/B Forum and NIST security requirements.
  • Platform compatibility. The DigiCert EV Code Signing Certificate works across all major signing platforms: Microsoft Authenticode (kernel and user mode, including .exe, .dll, .cab, .msi, .ocx), Java (JAR), Adobe AIR, Apple macOS applications, Mozilla objects, and Microsoft Office VBA macros. It supports both 32-bit and 64-bit file signing.
  • Timestamping. Every signature can include an RFC 3161 compliant timestamp that records the exact moment of signing. This preserves signature validity after the certificate expires, so your distributed software remains trusted for its entire lifecycle without requiring re-signing.
  • Two-factor authentication. The private key is stored on FIPS 140-2 compliant hardware, either a USB token or a hardware security module (HSM). Signing requires both physical access to the hardware and authentication credentials, preventing unauthorized use even if one factor is compromised.
  • “Unknown Publisher” warning prevention. Software signed with a valid DigiCert EV Code Signing Certificate displays your verified publisher name during installation instead of triggering security warnings. This directly improves download completion rates and user confidence across Windows, macOS, and major browsers.

Private Key Storage Options

CA/B Forum rules require all code signing certificate private keys to be stored on hardware certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+ standards. When you buy the DigiCert EV Code Signing Certificate through SSL Dragon, you have three delivery options.

  • The first is a DigiCert-provided USB token: DigiCert ships a SafeNet eToken to your address with the certificate pre-loaded. This is the simplest option for most buyers. Plug the token into your computer and sign using tools like SignTool.exe or JarSigner.
  • The second option is to use your own FIPS-compliant token. If you already own a compatible SafeNet eToken (models 5110 CC, 5110 FIPS, or 5110+ FIPS), you can install the certificate onto your existing hardware and skip the additional token cost.
  • The third option is to install on an existing HSM. Organizations using Azure Key Vault, AWS CloudHSM, Google Cloud HSM, or a YubiKey can generate a CSR on their own hardware and submit it with the order. This approach suits teams that need centralized, network-accessible signing infrastructure.

Beyond these three methods, DigiCert also offers KeyLocker, a proprietary cloud-based HSM that meets FIPS 140-2 Level 3 standards. KeyLocker replaces physical tokens entirely, allows signing from anywhere, and integrates directly with CI/CD pipelines for automated build-and-sign workflows. Each KeyLocker unit includes 1,000 signing operations per certificate validity period.

Windows Driver Signing and SmartScreen

Kernel-mode driver signing. An EV code signing certificate is required to register a Windows Hardware Dev Center account. Since Windows 10 version 1607, all kernel-mode drivers must be submitted through the Dev Center and signed by Microsoft. Without an EV certificate, you cannot create the account needed to submit drivers. This requirement makes the DigiCert EV Code Signing Certificate essential for hardware developers and anyone publishing Windows device drivers.

Microsoft SmartScreen reputation. SmartScreen is the reputation-based security filter built into Windows that evaluates downloaded applications before allowing them to run. Before March 2024, EV-signed software bypassed SmartScreen warnings instantly. Microsoft has since updated this behavior: both EV and OV (Organization Validation) signed software now builds SmartScreen reputation organically through download volume and usage patterns.

EV certificates remain the highest-assurance certificate type, and the thorough identity vetting behind them still contributes to stronger overall publisher trust. However, instant SmartScreen bypass is no longer a guaranteed benefit of EV code signing. Many reseller sites still make this outdated claim. We believe in giving you the accurate, current picture so you can make an informed purchase decision.

DigiCert EV vs. Standard (OV) Code Signing

Since June 2023, all code signing certificates (including OV) require private key storage on FIPS 140-2 compliant hardware. This has narrowed the practical security gap between the two validation levels. However, EV code signing retains several exclusive advantages.

The most important is the kernel-mode driver signing requirement: only EV certificates satisfy the Windows Hardware Dev Center registration prerequisite. EV certificates also display full organizational details, including verified company name and address, in the certificate itself. This provides a level of publisher identity assurance that OV cannot match.

If you do not need kernel-mode driver signing and your primary concern is cost, Sectigo EV Code Signing and Comodo EV Code Signing are available at lower price points. For standard OV code signing needs, DigiCert’s OV Code Signing Certificate may be sufficient. DigiCert EV’s advantage lies in the combination of the highest CA brand recognition, KeyLocker cloud HSM integration, and the strongest identity verification in the industry.

EV Validation Process

The Extended Validation process verifies your organization through multiple checks. DigiCert confirms legal existence using government registries or equivalent databases (such as Dun & Bradstreet), validates your physical address, and verifies a listed phone number. An authorized contact within your organization must complete a verification callback.

When all documentation is in order, issuance typically takes 1 to 7 business days. Organizations that hold a Legal Entity Identifier (LEI) code can accelerate the validation process, as LEI provides pre-verified organizational data that CAs can reference directly.

Certificate Specifications

Validation Level Extended Validation (EV)
Issuing CA DigiCert
Key Size RSA 3072-bit or 4096-bit / ECC P-256
Hashing Algorithm SHA-256
Maximum Validity Up to 460 days (per CA/B Forum Ballot CSC-31, effective March 2026)
Private Key Storage FIPS 140-2 Level 2+ HSM or hardware token (mandatory)
Platforms MS Authenticode, Java, Adobe AIR, Apple, Mozilla, MS Office VBA, Windows Kernel Mode
Timestamping Included (RFC 3161)
Reissuance Unlimited
Refund Period 25 days

Note on validity: Before March 2026, DigiCert could issue code signing certificates with up to 39 months of validity. Under CA/B Forum Ballot CSC-31, all code signing certificates issued from March 1, 2026 onward are limited to a maximum of 460 days (approximately 15 months). Certificates issued before this date remain valid until their original expiration. For more on code signing best practices, see our tutorials section.

Frequently Asked Questions

What changed with EV code signing and Microsoft SmartScreen?

In March 2024, Microsoft updated SmartScreen so that EV-signed software no longer receives automatic reputation bypass. Both EV and OV code signing certificates now build SmartScreen reputation through organic download volume. EV remains the highest-assurance certificate type and is still mandatory for Windows kernel-mode driver signing, but the automatic SmartScreen advantage that many sites still advertise is no longer in effect.

Do I need an EV code signing certificate to sign Windows drivers?

Yes. An EV code signing certificate is required to register a Windows Hardware Dev Center dashboard account. Microsoft requires this account for submitting kernel-mode drivers on Windows 10 and later. You can use either an EV or OV certificate to sign individual driver submissions once the account is established, but the initial registration requires EV.

What is the maximum validity for DigiCert EV Code Signing certificates in 2026?

As of March 1, 2026, all newly issued code signing certificates are limited to a maximum of 460 days, per CA/B Forum Ballot CSC-31. This applies to both EV and OV certificates across all certificate authorities. Previously, certificates could be issued with up to 39 months of validity.

Can I use DigiCert KeyLocker instead of a physical USB token?

Yes. DigiCert KeyLocker is a cloud-based HSM that meets FIPS 140-2 Level 3 standards. It stores your private key securely in the cloud, eliminates the need for a physical token, and supports CI/CD pipeline integration for automated code signing. Each KeyLocker unit includes 1,000 cryptographic operations.

What is the DigiCert “Class 3” code signing certificate?

“Class 3” was Symantec’s legacy naming convention for high-assurance code signing certificates. DigiCert acquired Symantec’s certificate business in 2017 and rebranded these products under the DigiCert name. The DigiCert EV Code Signing Certificate is the current equivalent of the former Symantec Class 3 EV Code Signing product.

Refund

25 days

Certificate Encryption

Up to 256-bit

Key Encryption

2048 bit

Our Clients & Key Figures

Volvo logo
Netflix logo with a red background, displaying the text Netflix in white.
Koton logo featuring stylized text and a light background.
Dufry logo
Phillips logo
Northrop Grumman Logo
Yale logo
Harvard logo
Oxford Logo
Rockefeller Logo
Goodwill Logo
Sapient Logo
Hawaii Logo
Army Logo
Force Logo
Schneider Logo
Cisco Logo
Cornell Logo

Rated 4.8 out of 5 by 1235 customers

avatar-male-4
Christopher Broderick
June 15, 2022, , united kingdom

Great selection of certificates with a clear definition of properties for each certificate makes it easy to choose the right one.

avatar-male-5
Munro James
October 31, 2020, Victoria, AU

Easier and cheaper than going directly and ordering via the vendor, thank you for the information and the simple shopping experience.

avatar-female-4
Kelly Mark
October 29, 2020, Dublin, IE

Excellent customer service when I ordered the wrong cert! The support team then helped me get the correct cert and refunded me on the incorrect cert I bought! Very fast and a happy customer.

Real customers ratings and reviews at Shopper Approved. Read them all.