OV and EV code signing certificates from Comodo, Sectigo, DigiCert, and GoGetSSL, starting at $219/year. Most orders issue in 1–7 business days and ship with a hardware token, or you can sign via cloud HSM. Backed by a 25-day money-back guarantee.


OV vs EV Code Signing Certificates
Two validation tiers exist, and the buyer’s choice between them comes down to who signs and what they sign.
- OV (Organization Validation) is the standard tier. The CA verifies the legal existence of a registered business and issues to that organization. Comodo and Sectigo also issue OV-equivalent certificates to verified individuals, sometimes called Individual Validation (IV), for solo developers without a registered company. SSL Dragon’s OV options start at $219/year.
- EV (Extended Validation) requires deeper business vetting under the CA/Browser Forum’s EV guidelines. Only registered organizations qualify; individuals do not. EV is the only tier accepted for signing Windows kernel-mode drivers, and many enterprise procurement and audit policies mandate it. SSL Dragon’s EV options start at $287/year.
| | OV / Individual | EV |
|---|---|---|
| Identity vetting | Business or individual | Registered organization (no individuals) |
| SmartScreen behavior | Builds reputation per file hash | Builds reputation per file hash |
| Windows kernel-mode driver signing | Not eligible | Eligible |
| Starting price (SSL Dragon) | $219/yr | $287/yr |
| Best for | User-mode apps, scripts, lower budget | Driver signing, identity assurance, procurement |
A note on SmartScreen: a 2024 update to the Microsoft Trusted Root Program changed how reputation accumulates. SmartScreen reputation now builds by file hash and download volume regardless of certificate type. EV no longer grants instant SmartScreen trust. Both OV and EV signed binaries build reputation the same way once they’re in the wild.
Pick OV if you sign user-mode applications and want the lower price tier. Pick EV if you sign Windows kernel-mode drivers, need maximum identity assurance, or have procurement that names EV explicitly.
Hardware Token, Cloud HSM, or Bring Your Own Device
Since June 1, 2023, the CA/Browser Forum requires the private key of every publicly-trusted code signing certificate to be generated and stored on hardware meeting FIPS 140-2 Level 2 or Common Criteria EAL 4+. Downloadable .pfx files are no longer issued. Buyers pick one of three delivery routes:
- CA-shipped USB token. The CA mails a pre-loaded FIPS 140-2 Level 2 USB token (typically a YubiKey) to the verified address on the order.
- Bring-your-own compliant device. If your team already operates a FIPS 140-2 Level 2 or Common Criteria EAL 4+ HSM or token, the CA issues against an attestation from that device.
- Cloud HSM signing service. The private key is generated and held in a CA-managed cloud HSM such as DigiCert KeyLocker, Sectigo cloud signing, or SSL.com eSigner. No physical token to ship, and signing fits cleanly into CI/CD pipelines.
A USB token is simplest for occasional manual signing; cloud signing fits better for automated builds. All three routes share the same Public Key Infrastructure (PKI): the certificate binds your verified identity to a public key, hardware protects the private key, and the resulting digital signature is what Windows verifies.
Setup steps are in our code signing tutorials.
New 460-Day Validity Limit (Effective March 2026)
As of March 1, 2026, publicly-trusted code signing certificates have a maximum validity of 460 days (about 15 months), down from the previous 39-month maximum. The change comes from CA/Browser Forum Ballot CSC-31. Multi-year orders are still sold, but the certificate itself is reissued inside the purchased term rather than spanning it.
What this means at the order level:
- A single new certificate is capped at ~15 months of validity
- 2-year and 3-year orders remain available, with reissuance during the term
- HSM-installed orders may cover the full purchased term but require annual reissuance
- Certificates issued before March 1, 2026 stay valid until their original expiration
Properly timestamped code stays trusted past the certificate’s expiration, so software you’ve already signed and shipped is unaffected. Only the renewal cadence shifts.
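A release check for the timestamping point above, added here as an example and not taken from SSL Dragon or any CA. It uses the built-in `Get-AuthenticodeSignature` cmdlet to flag build outputs that lack a timestamp countersignature; the `.\dist` directory, the extension list, and the 30-day renewal window are assumptions.

```powershell
# Added example: audit signed build outputs before release.
# $BuildDir, the extension list and $WarnDays are assumptions, not values from the page.
param(
    [string]$BuildDir = '.\dist',
    [int]$WarnDays = 30
)

$extensions = '.exe', '.dll', '.msi', '.cab', '.ps1'
$files = Get-ChildItem -LiteralPath $BuildDir -Recurse -File |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() }

$report = foreach ($file in $files) {
    $sig      = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert     = $sig.SignerCertificate      # $null when the file is unsigned
    $problems = @()

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) blocks release.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status: $($sig.Status)"
    }

    # Without a timestamp countersignature, trust ends when the signer certificate expires.
    if ($cert -and -not $sig.TimeStamperCertificate) {
        $problems += "no timestamp; trust ends $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    [pscustomobject]@{
        File        = $file.FullName
        Signer      = if ($cert) { $cert.Subject } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped = [bool]$sig.TimeStamperCertificate
        # Informational only: reminds the team to schedule reissuance.
        RenewSoon   = [bool]($cert -and $cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
        Problems    = $problems -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap

# Non-zero exit fails the pipeline when any file has a blocking problem.
if ($report | Where-Object Problems) { exit 1 }
```

Run it as the last step of a signing job; `RenewSoon` does not fail the build, because files that are already timestamped stay trusted after the signer certificate expires.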
Compare Code Signing Certificates by CA and Price
SSL Dragon stocks options from four Certificate Authorities. Here’s how the OV and EV options line up on starting price, hardware delivery, and issuance time.
| Certificate | Validation | Starting Price | Hardware Delivery | Issuance |
|---|---|---|---|---|
| Comodo Code Signing | OV / Individual | $219/yr | USB token or HSM | 1–7 days |
| Sectigo Code Signing SSL | OV / Individual | $219/yr | USB token or HSM | 1–7 days |
| GoGetSSL Code Signing SSL | OV / Individual | $289/yr | USB token or HSM | 1–7 days |
| DigiCert Code Signing | OV | $400/yr | USB token, HSM, or KeyLocker cloud | 1–7 days |
| Comodo EV Code Signing | EV | $287/yr | USB token or HSM | 1–7 days |
| Sectigo EV Code Signing | EV | $287/yr | USB token or HSM | 1–7 days |
| GoGetSSL Code Signing EV SSL | EV | $369/yr | USB token or HSM | 1–7 days |
| DigiCert EV Code Signing | EV | $685/yr | USB token, HSM, or KeyLocker cloud | 1–7 days |
Comodo and Sectigo OV both start at $219/year and are the cheapest publicly-trusted options on this page. DigiCert sits at the premium end, $400 for OV and $685 for EV, and is usually chosen by buyers whose contracts or compliance frameworks specifically name DigiCert. GoGetSSL is the value pick at the EV tier at $369/year. All four CAs ship hardware tokens, with DigiCert also offering KeyLocker cloud signing for HSM-free workflows.
Why Free Code Signing Isn’t Realistic
No publicly-trusted Certificate Authority offers free code signing as of 2026.
Two real costs make it unworkable:
- The CA must verify the publisher’s identity (organization or individual)
- Since June 2023 the private key must live on FIPS-compliant hardware that someone has to pay for
Self-signed certificates can be generated with OpenSSL and cost nothing, but Windows, macOS, and browsers don’t trust them, so they leave the “Unknown Publisher” warning in place. If price is the deciding factor, Comodo Code Signing and Sectigo Code Signing OV (or Individual Validation for solo developers) are the entry-level SKUs at $219/year.
What You Can Sign with a Code Signing Certificate
A certificate from any CA SSL Dragon carries can sign:
- Windows binaries and installers: .exe, .dll, .cab, .ocx, .msi, and .xap files signed via Microsoft Authenticode
- Windows drivers: user-mode drivers (OV or EV) and kernel-mode drivers (EV only)
- Java applications: .jar files signed with jarsigner
- Scripts and macros: PowerShell scripts, VBScript, and Microsoft Office VBA macros
- Other formats: Adobe AIR packages, Mozilla object files, and Microsoft Silverlight (legacy but still valid)
- Firmware and IoT software
- Containers and software packages
The same certificate covers most of the list above; the kernel-mode driver case is the one that forces the EV tier.
Code Signing vs SSL/TLS Certificates
An SSL/TLS certificate encrypts the connection between a browser and a website. A code signing certificate digitally signs software so the operating system can verify who published it and that the file hasn’t changed.
The two aren’t interchangeable: one secures a domain, the other proves the origin of an executable. Both are X.509 certificates issued by a Certificate Authority, which is why they get confused.
Frequently Asked Questions
It’s an X.509 certificate that lets a publisher attach a verifiable digital signature to software. Unlike a CSR (just the order request submitted to the CA), the issued certificate binds a vetted identity to a public key that operating systems use to confirm a file’s origin.
EV vetting typically takes 3–5 business days longer than OV, and only EV qualifies for kernel-mode driver signing. Pricing, identity checks, and the SmartScreen behavior comparison are all in the OV vs EV section above.
A hardware token is one of three options. Cloud signing services such as DigiCert KeyLocker and SSL.com eSigner skip the physical token entirely: the key sits in a CA-managed HSM and you sign over an API, which works well for CI/CD. See the hardware delivery section above.
Maximum 460 days per issuance under current rules. Always sign with a timestamping authority (DigiCert’s tsa.digicert.com or Sectigo’s timestamp.sectigo.com) so binaries stay trusted past expiration. Full context in the 460-Day Validity section above.
No publicly-trusted CA issues them. The full reasoning and the cheapest paid alternatives are in the Why Free Code Signing Isn’t Realistic section above.
Any EV code signing certificate. Microsoft’s WHQL portal and attestation signing flow both reject non-EV certificates outright.
1–7 business days depending on the CA and validation level. EV usually takes longer than OV because the organization vetting is more involved, so plan extra time on a tight release deadline.
Yes for general signing of cross-platform binaries, including .jar files and many container formats. macOS App Store distribution requires a separate Apple Developer ID program; Linux signing is less standardized but supported across most package formats.

