An EV code signing certificate authenticates your software under the strictest identity vetting in the public PKI, with prices starting at $287/year through SSL Dragon. We offer Extended Validation (EV) code signing certificates issued by trusted certificate authorities including Sectigo (formerly Comodo), DigiCert, and GoGetSSL. Issuance runs 1 to 7 business days once vetting completes, with a 25-day money-back guarantee on every order.


When You Need EV Code Signing (and When OV Is Enough)
EV is the only workable tier in three buyer scenarios:
- Signing Windows kernel-mode drivers. The Windows Hardware Dev Center portal and WHQL submission flow reject anything below EV.
- Procurement contracts or audit frameworks that name Extended Validation explicitly. Once the spec says EV, OV won’t satisfy the buyer’s checklist.
- Enterprise software publishers who need maximum identity assurance. Useful when installers reach customers in regulated industries.
For everything else, OV is the right pick. Encryption is identical across both tiers; the difference sits in identity assurance and what Microsoft’s Authenticode infrastructure accepts for kernel-mode signing. Individual developers, user-mode applications, scripts, macros, and lower-budget signing programs are all served by OV at a lower price with lighter vetting.
If your scenario doesn’t require EV, our OV code signing certificate page covers the cheaper alternative.
Compare EV Code Signing Certificates from Comodo, Sectigo, DigiCert, and GoGetSSL
All EV certificates on this page issue against the same CA/Browser Forum EV requirements, so the choice usually comes down to brand mandate, budget, and whether you need a cloud signing path.
| Certificate | Starting Price | Hardware Delivery | Issuance Time | Best For |
|---|---|---|---|---|
| Comodo EV Code Signing | $287/yr | USB token or HSM | 1–7 days | Lowest-priced EV option |
| Sectigo EV Code Signing | $287/yr | USB token or HSM | 1–7 days | Lowest-priced EV option (alternate brand) |
| GoGetSSL Code Signing EV SSL | $369/yr | USB token or HSM | 1–7 days | Mid-tier EV with strong international coverage |
| DigiCert EV Code Signing | $685/yr | USB token, HSM, or KeyLocker cloud | 1–7 days | Procurement and compliance frameworks naming DigiCert |
If you have no brand requirement and want the lowest price, Comodo EV Code Signing at $287/year is the entry point. Pick DigiCert when KeyLocker cloud signing is part of your build pipeline or a procurement framework names DigiCert directly. GoGetSSL sits between, with broader international vetting reach.
How Your EV Certificate Is Delivered
Every EV code signing key now lives on certified hardware under the June 2023 CA/Browser Forum mandate. Three EV-specific delivery routes are available across the certificates on this page:
- CA-shipped USB token. Best for occasional manual signing. The CA pre-loads the private key onto a FIPS 140-2 Level 2 device, typically a YubiKey FIPS, and ships it to your registered organization.
- Your own HSM or compliant device. If you already operate a hardware security module rated FIPS 140-2 Level 2 or Common Criteria EAL 4+, the CA issues against an attestation file from your device.
- Cloud HSM signing service. DigiCert KeyLocker is the cloud HSM option available on this page. Signing happens over an API, which suits CI/CD pipelines and removes the physical token from the workflow.
For automated builds, or signing on Linux or macOS where a Windows-tethered USB token is awkward, cloud signing is the route to evaluate first.
Microsoft SmartScreen and EV Code Signing
Until early 2024, an EV signature on a Windows binary was treated by Microsoft SmartScreen as an instant reputation booster, and the marketing pages of most CAs still imply this. The March 2024 Microsoft Trusted Root Program update changed how reputation is calculated.
SmartScreen now scores trust by file hash and download volume regardless of whether the binary was signed under EV or OV; both tiers accumulate reputation the same way once a build is in the wild. Buy EV for the kernel-mode driver and procurement reasons, not for a SmartScreen shortcut that no longer exists.
Code Signing Certificate Validity Under the New 460-Day Rule
Effective March 1, 2026, CA/Browser Forum Ballot CSC-31 (passed November 2025) caps every code signing certificate’s maximum validity at 460 days. Multi-year orders are still sold; certificates are reissued during the term. HSM-installed orders may cover the full purchased term but require annual reissuance.
Code signed with a valid timestamp from a TSA, such as DigiCert’s or Sectigo’s timestamp service, stays trusted past certificate expiry, so old releases keep working.
Frequently Asked Questions
EV requires registered-organization vetting and is the only tier accepted for Windows kernel-mode drivers; OV permits individual developers at lower cost. EV vetting typically takes 3–5 business days longer than OV.
Copy Link
For kernel-mode drivers, yes; Microsoft’s WHQL portal rejects anything below EV. User-mode drivers can be signed with OV under the same Authenticode flow as ordinary applications.
Copy Link
Comodo EV and Sectigo EV both start at $287/year, the joint-lowest EV options on this page. Multi-year orders lower the per-year cost, with annual reissuance under the 460-day rule.
Copy Link
Yes. DigiCert KeyLocker cloud HSM signing lets you sign over an API with no token, and it covers macOS or Linux build agents where a USB token isn’t practical.
Copy Link
No. Code signed with a valid timestamp stays trusted past expiry; only new signing ends. Use tsa.digicert.com or timestamp.sectigo.com as a free TSA.
Copy Link
Don’t know what you need?
Use our SSL Wizard to select your options, and we’ll help you find the right SSL certificate.
Don’t know what you need?

