SSL Dragon Single

Sectigo EV Code Signing

Sectigo Logo
Billed
for
PayPalCredit/Debit Card via StripeBitcoin, Ethereum & Altcoins
A cheaper icon
Want Cheaper?
Buy Multiple Years
Dedicated Support
GLEIF logo representing the Global Legal Entity Identifier Foundation
25 Days Refund

The Sectigo EV Code Signing Certificate is an Extended Validation (EV) code signing certificate that provides the highest level of publisher identity verification available for digitally signing software, scripts, drivers, and executables.

Issued by Sectigo, the world’s largest commercial certificate authority (formerly Comodo CA), it confirms your organization’s legal identity through a rigorous vetting process, secures your private key on dedicated hardware, and protects software integrity by ensuring any tampering with your code is immediately detected.

The result: no more “unknown publisher” warnings, verifiable code integrity, and maximum end-user trust. If you previously used a Comodo EV Code Signing Certificate, this is its current version under the Sectigo brand.

validation icon
Extended Validation
clock icon
Issued in 1-7 business days
mobile icon
Mobile friendly
trust-icon
Unlimited free reissues
Emails & Documents
Verify Identity: Make your software more accessible
LEI code icon
Speed up with LEI: Quick Validation
paperwork icon
Validation methods: DV (EMAIL, DNS, HTTP / HTTPS) and EV (Public databases / Paperwork)
Code Signing
Protects code; Keeps users safe

Key Features of the Sectigo EV Code Signing Certificate

  • Extended Validation. Sectigo verifies your organization’s legal existence, physical address, jurisdiction, and operational status before issuing the certificate. An authorized representative must also pass a telephone callback. This level of identity verification is the strictest the industry offers, and issuance typically takes 1–7 business days once documentation is submitted.
  • Private key security. Your private key is stored on FIPS 140-2 Level 2 (or higher) compliant hardware, as required by the CA/Browser Forum since June 2023. Because signing requires both the physical token (or HSM access) and a PIN, this functions as two-factor authentication for every signing operation. You can choose from three delivery options: a USB token shipped by Sectigo, your own compatible FIPS-compliant token (such as a YubiKey FIPS or SafeNet), or a cloud-based Hardware Security Module (HSM) like Google Cloud KMS or Azure Key Vault. Cloud-based key storage integrates with CI/CD pipelines for automated signing workflows, while key attestation verifies that the private key was generated and stored on compliant hardware.
  • Platform compatibility. The certificate supports Microsoft Authenticode for both kernel-mode and user-mode files (.exe, .dll, .cab, .msi, .ocx, .xap, .xpi), Java (JAR), Adobe AIR, Apple applications and plug-ins, Mozilla object files, and MS Office Macro/VBA. It works with all major 32-bit and 64-bit formats.
  • Encryption strength. Signatures use SHA-256 hashing with a minimum 3072-bit RSA key. Elliptic Curve Cryptography (ECC) is also available for organizations that require it.
  • Timestamping. Built-in RFC 3161 timestamping records the exact moment of signing, ensuring your digital signatures remain valid indefinitely, even after the certificate expires. Always timestamp every signature to avoid re-signing published software at renewal time.
  • Unlimited signing. One certificate covers unlimited applications, updates, drivers, and patches published under the same organization for the full duration of its validity.

Microsoft SmartScreen and EV Code Signing

Microsoft SmartScreen is a Windows security feature that evaluates application reputation and warns users when they try to install software from an unrecognized publisher. For years, EV code signing certificates granted instant SmartScreen reputation, bypassing these warnings from the first download.

That changed in March 2024, when Microsoft altered how SmartScreen interacts with EV certificates. By August 2024, all EV code signing OIDs were removed from the Microsoft Trusted Root Program. The result: OV and EV signed applications are now evaluated equally. Reputation builds organically through downloads and user engagement, regardless of certificate type.

This doesn’t make EV code signing less valuable. It still provides the strongest identity verification available, displays your verified publisher name to end users, and is required for submitting kernel-mode drivers through the Windows Hardware Dev Center (WHDC). The organization details embedded in an EV certificate (name, address, jurisdiction, business type) give your software a more credible foundation from which to build SmartScreen trust. EV simply no longer skips the process entirely.

Many competitor pages still claim EV provides instant SmartScreen bypass. That information is outdated.

EV vs. OV Code Signing: What’s the Difference?

The main difference between Extended Validation (EV) and Organization Validation (OV) code signing lies in the depth of identity verification. EV requires Sectigo to confirm your organization’s legal existence, physical address, jurisdiction, and operational status through government databases, third-party sources (such as DUNS or LEI), and a telephone callback. OV verifies the organization’s identity with less extensive documentation.

Since June 2023, both certificate types require private key storage on FIPS 140-2 Level 2 compliant hardware. Before this change, only EV had this requirement, which was a significant differentiator. Today, the hardware security model is identical.

Where EV remains uniquely necessary is Windows kernel-mode driver signing. Access to the Windows Hardware Dev Center Dashboard requires an EV code signing certificate. If you develop or distribute drivers for Windows 10 (Build 1607 and later), OV is not an option. EV certificates also display richer identity details in the certificate’s subject field, including organization address and business type.

For teams that don’t sign kernel-mode drivers and are working with a tighter budget, the Sectigo Code Signing Certificate (OV) is a capable alternative at a lower price point. Note that EV code signing certs are only available to registered organizations. Individual developers who need a personal code signing certificate should look at Sectigo’s OV individual validation option instead.

Comodo EV Code Signing vs. Sectigo EV Code Signing

They are the same product. Comodo CA was acquired by Francisco Partners in 2017 and rebranded to Sectigo in 2018. The underlying root certificates, validation process, and certificate features are identical. All new certificates are issued under the Sectigo name, though you may still see “Comodo” referenced in older documentation or certificate chains.

If you’re searching for a Comodo EV Code Signing Certificate, the Sectigo EV Code Signing Certificate listed here is its direct successor. You can also find it listed under its legacy name on our Comodo EV Code Signing product page.

Certificate Validity and Recent Industry Changes

As of March 1, 2026, the CA/Browser Forum reduced the maximum validity for all publicly trusted code signing certificates from 39 months to 460 days (approximately 15 months) under Ballot CSC-31. This applies to both EV and OV certificates.

In practice, Sectigo now issues code signing certificates with a maximum one-year validity for token-based delivery. Multi-year subscriptions are still available at SSL Dragon, and they remain the most cost-effective way to buy: a 3-year plan brings the EV code signing certificate cost down to $287/yr compared to $409 for a single year. Sectigo issues a fresh certificate (with a new FIPS-compliant token, if applicable) each year, and free reissuance is included throughout the subscription period.

Certificates issued before March 1, 2026, with longer validity periods remain valid until their original expiration date. And as always, properly timestamped signatures continue to be trusted long after the signing certificate expires.

 

How to Get Your Sectigo EV Code Signing Certificate

Start by choosing your subscription length and delivery method at SSL Dragon. You can opt for a Sectigo-provided USB token (shipped to your registered business address), install on an existing FIPS-compliant token or HSM, or use a cloud HSM.

After purchase, Sectigo initiates the EV validation process. You’ll need to submit two enrollment documents: the EV Certificate Request Form and the EV Subscriber Agreement. Sectigo then verifies your organization through government databases, DUNS or LEI listings, and a telephone callback to a verified number. Expect 1–7 business days, though organizations with up-to-date registration details and a verifiable phone number often complete faster. Our step-by-step Sectigo code signing validation guide walks you through every stage.

Once approved, you receive your certificate on the token or download it to your HSM. From there, use Microsoft SignTool, jarsigner, or your preferred signing utility to start signing.

Frequently Asked Questions

Is this the same as the Comodo EV Code Signing Certificate?

Yes. Sectigo was formerly Comodo CA. The company rebranded in 2018, but the product, validation process, and root certificates are identical. This is the direct replacement for the Comodo EV Code Signing Certificate.

Does EV code signing still bypass Microsoft SmartScreen?

No. Since March 2024, EV code signing certificates no longer provide instant SmartScreen reputation. Both OV and EV signed applications build reputation organically through downloads and usage. EV remains the highest-trust certificate and is still required for kernel-mode driver signing through the Windows Hardware Dev Center.

What hardware do I need for the private key?

Your private key must be stored on FIPS 140-2 Level 2 (or higher) compliant hardware. Options include a USB token shipped by Sectigo, your own compatible token (YubiKey FIPS, SafeNet 5110), or a cloud HSM such as Google Cloud KMS or Azure Key Vault.

Does the Sectigo EV Code Signing Certificate work for Windows driver signing?

Yes. EV code signing is required to access the Windows Hardware Dev Center Dashboard, where kernel-mode drivers targeting Windows 10 (Build 1607 and later) must be submitted.

How long is the certificate valid?

Under the current CA/Browser Forum rules (effective March 1, 2026), code signing certificates have a maximum validity of 460 days. Sectigo issues one-year certificates as standard. Multi-year subscriptions at SSL Dragon include free annual reissuance for the duration of the plan.

What happens when the certificate expires?

Signatures that were timestamped while the certificate was active remain valid indefinitely. Only new signing operations require a current, active certificate. This is why timestamping every signature is essential.

Refund

25 days

Certificate Encryption

Up to 256-bit

Key Encryption

2048 bit

Secure Hash Algorithm

SHA-2

Our Clients & Key Figures

Volvo logo
Netflix logo with a red background, displaying the text Netflix in white.
Koton logo featuring stylized text and a light background.
Dufry logo
Phillips logo
Northrop Grumman Logo
Yale logo
Harvard logo
Oxford Logo
Rockefeller Logo
Goodwill Logo
Sapient Logo
Hawaii Logo
Army Logo
Force Logo
Schneider Logo
Cisco Logo
Cornell Logo

Rated 4.8 out of 5 by 1239 customers

avatar-male-3
Christopher Broderick
June 15, 2022, , united kingdom
Great selection of certificates with a clear definition of properties for each certificate makes it easy to choose the right one.
avatar-male-3
Munro James
October 31, 2020, Victoria, AU

Easier and cheaper than going directly and ordering via the vendor, thank you for the information and the simple shopping experience.

avatar-female-2
Kelly Mark
October 29, 2020, Dublin, IE

Excellent customer service when I ordered the wrong cert! The support team then helped me get the correct cert and refunded me on the incorrect cert I bought! Very fast and a happy customer.

Real customers ratings and reviews at Shopper Approved. Read them all.