hero digicert Image

Code Signing Certificates

OV and EV code signing certificates from Comodo, Sectigo, DigiCert, and GoGetSSL, starting at $219/year. Most orders issue in 1–7 business days and ship with a hardware token, or you can sign via cloud HSM. Backed by a 25-day money-back guarantee.

Icon showing a support headset with the text 'Support'
Dedicated Support
GLEIF logo with embedded text 'GLEIF Accredited'
25 Days Refund

OV vs EV Code Signing Certificates

Two validation tiers exist, and the buyer’s choice between them comes down to who signs and what they sign.

OV / IndividualEV
Identity vettingBusiness or individualRegistered organization (no individuals)
SmartScreen behaviorBuilds reputation per file hashBuilds reputation per file hash
Windows kernel-mode driver signingNot eligibleEligible
Starting price (SSL Dragon)$219/yr$287/yr
Best forUser-mode apps, scripts, lower budgetDriver signing, identity assurance, procurement

A note on SmartScreen: a 2024 update to the Microsoft Trusted Root Program changed how reputation accumulates. SmartScreen reputation now builds by file hash and download volume regardless of certificate type. EV no longer grants instant SmartScreen trust. Both OV and EV signed binaries build reputation the same way once they’re in the wild.

Pick OV if you sign user-mode applications and want the lower price tier. Pick EV if you sign Windows kernel-mode drivers, need maximum identity assurance, or have procurement that names EV explicitly.

Hardware Token, Cloud HSM, or Bring Your Own Device

Since June 1, 2023, the CA/Browser Forum requires every publicly-trusted certificate’s private key to be generated and stored on hardware meeting FIPS 140-2 Level 2 or Common Criteria EAL 4+. Downloadable .pfx files are no longer issued. Buyers pick one of three delivery routes:

  1. CA-shipped USB token. The CA mails a pre-loaded FIPS 140-2 Level 2 USB token (typically a YubiKey) to the verified address on the order.
  2. Bring-your-own compliant device. If your team already operates a FIPS 140-2 Level 2 or Common Criteria EAL 4+ HSM or token, the CA issues against an attestation from that device.
  3. Cloud HSM signing service. The private key is generated and held in a CA-managed cloud HSM such as DigiCert KeyLocker, Sectigo cloud signing, or SSL.com eSigner. No physical token to ship, and signing fits cleanly into CI/CD pipelines.

A USB token is simplest for occasional manual signing; cloud signing fits better for automated builds. All three routes share the same Public Key Infrastructure (PKI): the certificate binds your verified identity to a public key, hardware protects the private key, and the resulting digital signature is what Windows verifies.

Setup steps are in our code signing tutorials.

New 460-Day Validity Limit (Effective March 2026)

As of March 1, 2026, publicly-trusted certificates have a maximum validity of 460 days (about 15 months), down from the previous 39-month maximum. The change comes from CA/Browser Forum Ballot CSC-31. Multi-year orders are still sold, but the certificate itself is reissued inside the purchased term rather than spanning it.

What this means at the order level:

  • A single new certificate is capped at ~15 months of validity
  • 2-year and 3-year orders remain available, with reissuance during the term
  • HSM-installed orders may cover the full purchased term but require annual reissuance
  • Certificates issued before March 1, 2026 stay valid until their original expiration

Properly timestamped code stays trusted past the certificate’s expiration, so software you’ve already signed and shipped is unaffected. Only the renewal cadence shifts.

Compare Code Signing Certificates by CA and Price

SSL Dragon stocks options from four Certificate Authorities. Here’s how the OV and EV options line up on starting price, hardware delivery, and issuance time.

CertificateValidationStarting PriceHardware DeliveryIssuance
Comodo Code SigningOV / Individual$219/yrUSB token or HSM1–7 days
Sectigo Code Signing SSLOV / Individual$219/yrUSB token or HSM1–7 days
GoGetSSL Code Signing SSLOV / Individual$289/yrUSB token or HSM1–7 days
DigiCert Code SigningOV$400/yrUSB token, HSM, or KeyLocker cloud1–7 days
Comodo EV Code SigningEV$287/yrUSB token or HSM1–7 days
Sectigo EV Code SigningEV$287/yrUSB token or HSM1–7 days
GoGetSSL Code Signing EV SSLEV$369/yrUSB token or HSM1–7 days
DigiCert EV Code SigningEV$685/yrUSB token, HSM, or KeyLocker cloud1–7 days

Comodo and Sectigo OV both start at $219/year and are the cheapest publicly-trusted options on this page. DigiCert sits at the premium end, $400 for OV and $685 for EV, and is usually chosen by buyers whose contracts or compliance frameworks specifically name DigiCert. GoGetSSL is the value pick at the EV tier at $369/year. All four CAs ship hardware tokens, with DigiCert also offering KeyLocker cloud signing for HSM-free workflows.

Why Free Code Signing Isn’t Realistic

No publicly-trusted Certificate Authority offers free code signing as of 2026.

Two real costs make it unworkable:

  1. The CA must verify the publisher’s identity (organization or individual)
  2. Since June 2023 the private key must live on FIPS-compliant hardware that someone has to pay for

Self-signed certificates can be generated with OpenSSL and cost nothing, but Windows, macOS, and browsers don’t trust them, so they leave the “Unknown Publisher” warning in place. If price is the deciding factor, Comodo Code Signing and Sectigo Code Signing OV (or Individual Validation for solo developers) are the entry-level SKUs at $219/year.

What You Can Sign with a Code Signing Certificate

A certificate from any CA SSL Dragon carries can sign:

  • Windows binaries and installers: .exe, .dll, .cab, .ocx, .msi, and .xap files signed via Microsoft Authenticode
  • Windows drivers: user-mode drivers (OV or EV) and kernel-mode drivers (EV only)
  • Java applications: .jar files signed with jarsigner
  • Scripts and macros: PowerShell scripts, VBScript, and Microsoft Office VBA macros
  • Other formats: Adobe AIR packages, Mozilla object files, and Microsoft Silverlight (legacy but still valid)
  • Firmware and IoT software
  • Containers and software packages

The same certificate covers most of the list above; the kernel-mode driver case is the one that forces the EV tier.

Code Signing vs SSL/TLS Certificates

An SSL/TLS certificate encrypts the connection between a browser and a website. A code signing certificate digitally signs software so the operating system can verify who published it and that the file hasn’t changed.

The two aren’t interchangeable: one secures a domain, the other proves the origin of an executable. Both are X.509 certificates issued by a Certificate Authority, which is why they get confused.

Frequently Asked Questions

What is a code signing certificate?

It’s an X.509 certificate that lets a publisher attach a verifiable digital signature to software. Unlike a CSR (just the order request submitted to the CA), the issued certificate binds a vetted identity to a public key that operating systems use to confirm a file’s origin.

Copy Link

What’s the difference between OV and EV?

EV vetting typically takes 3–5 business days longer than OV, and only EV qualifies for kernel-mode driver signing. Pricing, identity checks, and the SmartScreen behavior comparison are all in the OV vs EV section above.

Copy Link

Do I need a hardware token for code signing?

A hardware token is one of three options. Cloud signing services such as DigiCert KeyLocker and SSL.com eSigner skip the physical token entirely: the key sits in a CA-managed HSM and you sign over an API, which works well for CI/CD. See the hardware delivery section above.

Copy Link

How long is a code signing certificate valid?

Maximum 460 days per issuance under current rules. Always sign with a timestamping authority (DigiCert’s tsa.digicert.com or Sectigo’s timestamp.sectigo.com) so binaries stay trusted past expiration. Full context in the 460-Day Validity section above.

Copy Link

Can I get a free code signing certificate?

No publicly-trusted CA issues them. The full reasoning and the cheapest paid alternatives are in the Why Free Code Signing Isn’t Realistic section above.

Copy Link

Which certificate do I need for Windows kernel-mode drivers?

Any EV code signing certificate. Microsoft’s WHQL portal and attestation signing flow both reject non-EV certificates outright.

Copy Link

How long does code signing issuance take?

1–7 business days depending on the CA and validation level. EV usually takes longer than OV because the organization vetting is more involved, so plan extra time on a tight release deadline.

Copy Link

Does code signing work on macOS and Linux?

Yes for general signing of cross-platform binaries, including .jar files and many container formats. macOS App Store distribution requires a separate Apple Developer ID program; Linux signing is less standardized but supported across most package formats.

Copy Link

Don’t know what you need?

Use our SSL Wizard to select what options apply to you, and we’ll help you find the right SSL certificate.

Don’t know what you need?

SSL Dragon setup wizard interface with buttons and instructional text

Our Clients & Key Figures

Volvo logo
Netflix logo with a red background, displaying the text Netflix in white.
Koton logo featuring stylized text and a light background.
Dufry logo
Phillips logo
Northrop Grumman Logo
Yale logo
Harvard logo
Oxford Logo
Rockefeller Logo
Goodwill Logo
Sapient Logo
Hawaii Logo
Army Logo
Force Logo
Schneider Logo
Cisco Logo
Cornell Logo

Rated 4.8 out of 5 by 1232 customers

avatar-male-2
Christopher Broderick
Haziran 15, 2022, , bi̇rleşi̇k krallik

Her sertifikanın özelliklerinin net bir şekilde tanımlandığı harika sertifika seçenekleri, doğru olanı seçmeyi kolaylaştırır.

avatar-male-5
Munro James
Ekim 31, 2020, Victoria, AU

Doğrudan gidip satıcı üzerinden sipariş vermekten daha kolay ve daha ucuz, bilgi ve basit alışveriş deneyimi için teşekkür ederim.

avatar-female-4
Kelly Mark
Ekim 29, 2020, Dublin, IE

Yanlış sertifika sipariş ettiğimde mükemmel müşteri hizmetleri! Destek ekibi daha sonra doğru sertifikayı almama yardımcı oldu ve satın aldığım yanlış sertifika için bana para iadesi yaptı! Çok hızlı ve mutlu bir müşteri.

Real customers ratings and reviews at Shopper Approved. Read them all.