Developers need to verify certificate type compatibility, validation requirements, key storage security, platform support, and total costs before purchasing a code signing certificate. The wrong choice can delay releases, create security vulnerabilities, or waste budget on features you don’t need.
Code signing certificates authenticate your software and confirm it hasn’t been tampered with since you signed it. Microsoft, Apple, and other platforms require signed code to avoid security warnings that scare users away.
Asking the right questions before purchase prevents common mistakes:
- Buying an OV certificate when you need EV validation for SmartScreen reputation
- Choosing a CA that doesn’t support your CI/CD tools
- Discovering hidden renewal costs after commitment
- Missing platform-specific signing requirements
Code Signing Certificate Buying Guide
- Use OV Code Signing for internal tools or low-volume public apps
- Use EV Code Signing for public Windows software that needs instant SmartScreen trust
- EV certificates require hardware-based key storage
- Always require RFC 3161 timestamping
- Compare 3-year total cost, not just the first-year price
Who This Guide Is For
This guide is written for:
- Software developers releasing public Windows or macOS applications
- DevOps teams managing automated CI/CD signing pipelines
- Security teams responsible for software supply chain integrity
- ISVs and SaaS companies distributing signed installers or updates
What Type of Code Signing Certificate Do I Need?
You need either an Organization Validation (OV) or Extended Validation (EV) code signing certificate depending on whether you require immediate SmartScreen reputation on Windows.
|
Certificate Type |
Annual Cost |
SmartScreen Reputation |
Hardware Required |
Best For |
|
Individual Validation |
$80-$200 |
None |
No |
Personal projects |
|
Organization Validation (OV) |
$100-$400 |
Builds over time |
No |
Most applications |
|
Extended Validation (EV) |
$300-$600 |
Immediate |
Yes |
Public Windows software |
EV certificates require stricter validation but provide immediate SmartScreen reputation, eliminating download warnings from day one. The tradeoff is higher cost and mandatory hardware token storage. Understanding the differences between OV and EV code signing certificates helps you make the right choice for your distribution needs.
Which Operating Systems and Platforms Must Be Supported?
Your certificate must explicitly support every platform where you distribute software – Windows, macOS, Linux, mobile platforms, and specialized systems like kernel drivers.
|
Platform |
Certificate Requirement |
Special Notes |
|
Windows executables |
Standard OV/EV |
Most CAs support by default |
|
Windows kernel drivers |
EV only |
Required since July 2021 |
|
macOS applications |
OV/EV from trusted CA |
Convert to Keychain format |
|
iOS apps |
Apple Developer Program |
Separate from commercial CAs ($99/year) |
|
Android APKs |
Android keystore |
Different system than certificates |
|
Java applications |
Standard code signing |
Requires JKS/PKCS12 format |
Driver signing for Windows kernel-mode code requires EV certificates exclusively. According to Microsoft’s driver signing documentation, all kernel-mode drivers submitted after July 2021 must be EV signed.
If you’re developing Java applications, you’ll need to understand how Java code signing certificates work since they use different keystore formats than Windows executables.
Action steps before purchase:
- List every file type you sign (.exe, .dll, .app, .jar, etc.)
- Identify all distribution platforms and app stores
- Check if you need kernel driver signing capabilities
- Verify certificate supports legacy OS versions you must support
Do I Need an EV (Extended Validation) Certificate for Trust & SmartScreen?
You need an EV certificate if you distribute Windows software to users outside your organization and want to avoid SmartScreen warnings immediately.
Windows SmartScreen builds reputation based on download frequency and user feedback. Analysis from SSLInsights Code Signing Certificate Windows Applications guide indicates newly signed applications typically need 500-2,000 downloads before SmartScreen stops warning users.
OV vs EV Decision Factors:
|
Factor |
Choose OV |
Choose EV |
|
Target users |
Internal teams |
Public consumers |
|
Download volume |
Low (<500/month) |
High (500+/month) |
|
CI/CD automation |
Required |
Can work around |
|
Time to market |
Can wait for reputation |
Need immediate trust |
EV certificates cost 2-3x more than OV certificates and require hardware security modules or USB tokens for private key storage. You can’t automate EV signing in cloud CI/CD pipelines the same way as OV certificates.
How Will the Private Key Be Stored and Secured?
Your private key storage method determines both security and workflow compatibility – hardware tokens provide maximum security but complicate automation, while cloud HSMs enable CI/CD integration with proper access controls.
Private Key Storage Options:
|
Storage Method |
Security Level |
Automation Support |
EV Compatible |
|
USB hardware token |
Highest |
No |
Yes |
|
Cloud HSM (Azure Key Vault, AWS CloudHSM) |
High |
Yes |
Limited |
|
Password-protected PFX file |
Medium |
Yes |
No |
|
Unencrypted PFX on build server |
Low (unacceptable) |
Yes |
No |
EV certificates mandate hardware storage on FIPS 140-2 Level 2 certified USB tokens or HSMs. OV certificates offer more flexibility through cloud HSM services or password-protected PFX files.
A 2024 NCSC report on software supply chain security identified exposed code signing keys as a primary attack vector for malware distribution.
Which Certificate Authority (CA) Should I Trust?
Choose a CA that’s trusted by your target platforms, offers reliable support, and maintains clean security practices.
|
CA Name |
Typical OV Price |
Typical EV Price |
Support Quality |
Validation Speed |
|
DigiCert |
$300-$500 |
$500-$700 |
Premium (24/7 phone) |
2-5 days |
|
Sectigo |
$150-$300 |
$300-$500 |
Good (business hours) |
1-4 days |
|
GlobalSign |
$200-$400 |
$400-$600 |
Good (24/7 email) |
2-4 days |
|
Entrust |
$250-$450 |
$450-$650 |
Premium (24/7 phone) |
2-5 days |
Verify your CA appears in these trust programs:
- Microsoft Trusted Root Certificate Program (Windows)
- Apple Root Certificate Program (macOS, iOS)
- Mozilla NSS (Linux distributions, Firefox)
- Oracle Java Trusted Certificate Program
Mozilla’s CA incident dashboard tracks CA incidents and trust status as of 2025. When evaluating providers, consider reading comparisons of leading code signing certificate providers to see which offers the best combination of trust, support, and pricing.
How Long Is the Certificate Valid?
Code signing certificates are currently valid for one or three years, with industry standards moving toward shorter validity periods.
One-year certificates cost less upfront and let you switch CAs annually. Three-year certificates offer 15-20% total discounts and reduce renewal overhead but lock you into a single CA.
Certificate expiration doesn’t invalidate previously signed software. Applications signed with an expired certificate continue working as long as the signature included a timestamp from when the certificate was valid.
What Validation Documents Are Required?
CAs require business registration documents, identity verification, and additional authentication depending on validation level.
OV Certificate Validation Requirements:
- Business registration documents (Articles of Incorporation, business license)
- Authorized representative identity verification (government-issued photo ID)
- Company phone number verification via callback
EV Certificate Additional Requirements:
- Dun & Bradstreet DUNS number or equivalent business registry entry
- Physical business address verification (no P.O. boxes)
- Operational existence verification (1-3 years in business)
Typical Validation Timelines:
|
Certificate Type |
Total Time |
Common Delays |
|
OV |
1-5 business days |
Name mismatches, unavailable contacts |
|
EV |
3-7 business days |
Missing DUNS number, address issues |
Gather documents before purchasing. Incomplete documentation extends validation timelines and can delay product releases. If you’re preparing to apply, review the detailed guide on how to get a code signing certificate to understand the complete process.
Will This Certificate Work With My Build & CI/CD Pipeline?
Certificate compatibility with your build tools depends on key format support, API availability, and whether you’re using hardware tokens or cloud HSMs.
Cloud CI/CD Integration:
|
Platform |
Cloud HSM Support |
Hardware Token Support |
Complexity |
|
Azure DevOps |
Native Azure integration |
No (cloud agents) |
Low |
|
GitHub Actions |
Via third-party actions |
No (cloud agents) |
Medium |
|
Jenkins |
Plugin-dependent |
Yes (dedicated agents) |
High |
Hardware EV tokens complicate automation since you can’t plug a USB token into cloud build agents.
Solutions for EV certificate automation:
- Dedicated on-premise signing servers that cloud agents call via API
- Cloud HSM services that meet EV requirements (limited availability)
- Manual signing as final release step (breaks full automation)
Test your complete signing workflow during CA evaluation. Some CAs offer trial certificates for integration testing.
Does the Certificate Support Timestamping?
Your certificate must support RFC 3161 timestamping to keep signed software trusted after certificate expiration – this is non-negotiable for production software.
Timestamping adds cryptographic proof that code was signed while the certificate was valid. Without timestamps, signatures become invalid when certificates expire.
Impact of Missing Timestamps:
|
Scenario |
With Timestamp |
Without Timestamp |
|
Certificate expires |
Software remains trusted |
Security warnings appear |
|
User downloads old version |
Signature validates |
Signature fails |
According to NIST’s guidance on software supply chain security (SP 800-204D), timestamp validation is a required step in software supply chain verification. Learn more about what time stamping is and why it’s essential for long-term code trust.
Verify during purchase:
- Timestamp servers have high availability (99.9%+ uptime SLA)
- Multiple timestamp URLs are available for redundancy
- Support for SHA256 algorithm (not just deprecated SHA1)
What Happens If My Certificate Is Compromised or Revoked?
Certificate compromise requires immediate revocation, which invalidates all previously signed software and forces emergency re-signing with a new certificate.
|
Compromise Type |
Software Impact |
Recovery Timeline |
|
Private key exposure |
All signed software distrusted |
1-7 days |
|
Employee departure |
Software remains trusted (typically) |
1-3 days |
|
Malware signed with your cert |
Only malicious software flagged |
24-48 hours |
Recovery steps:
- Stop using the compromised certificate immediately
- Report compromise to CA with incident details
- Obtain new certificate (validation may be expedited)
- Re-sign all software versions still in distribution
- Distribute updated signed versions through all channels
- Notify users, partners, and distribution channels
Timestamped signatures survive revocation only if the timestamp proves signing occurred before compromise.
Are There Hidden Costs?
Certificate sticker prices exclude renewal markup, replacement fees, reissuance charges, and required hardware costs.
Total Cost of Ownership:
|
Cost Category |
Typical Amount |
Often Overlooked? |
|
Base certificate price |
$100-$600 |
No |
|
Hardware USB token (EV) |
$50-$150 |
Yes |
|
Reissuance fees |
$50-$200 |
Yes |
|
Renewal price increase |
20-40% markup |
Yes |
|
Premium support |
$200-$500/year |
Sometimes |
Request total cost estimates including:
- All years you plan to use the certificate (factor in renewals)
- Anticipated reissuance scenarios (company changes, errors)
- Hardware requirements (tokens, HSMs, backup devices)
- Support tier needs (basic vs premium)
A $200 certificate with unlimited free reissuance beats a $150 certificate that charges $75 per reissuance if you anticipate organizational changes.
Will My Signed Software Be Trusted Globally?
Global trust depends on your CA’s presence in platform trust stores worldwide and compliance with regional signing requirements that vary by country.
|
Region |
Special Requirements |
Impact on Distribution |
|
China |
CNNIC-approved CAs for some apps |
Apps may require separate signing |
|
Russia |
GOST-compliant signatures for gov software |
Need Russian CA for gov sector |
|
European Union |
Qualified certificates for some uses |
Standard certs usually sufficient |
Windows in China uses the China Internet Network Information Center (CNNIC) root program alongside Microsoft’s global program.
Export regulations affect code signing:
- U.S.-based CAs cannot issue certificates to sanctioned countries
- Organizations in Cuba, Iran, North Korea, Syria face restrictions
- May need certificates from CAs in different jurisdictions
How Easy Is Renewal and Re-Verification?
Certificate renewal requires repeating validation steps, though established customers often receive streamlined processing.
|
Renewal Scenario |
OV Timeline |
EV Timeline |
|
No changes |
1-3 days |
2-4 days |
|
Organization name change |
3-5 days |
5-7 days |
|
Address change |
2-4 days |
3-5 days |
Renewal reminder schedule:
- 90 days before expiration: Review validation information
- 60 days before: Initiate renewal, gather documents
- 30 days before: Complete validation
- 7 days before: Deploy to production
Is Support Available When Something Breaks?
Certificate authorities vary wildly in support quality – expect 24/7 phone support from premium CAs and email-only support during business hours from budget providers.
|
CA Tier |
Phone Support |
Email Response |
Documentation |
|
Premium (DigiCert, Entrust) |
24/7 included |
<4 hours |
Comprehensive |
|
Mid-tier (Sectigo, GlobalSign) |
Business hours |
<24 hours |
Good |
|
Budget (SSL.com, others) |
Email callback |
24-48 hours |
Basic |
Common support scenarios:
- Certificate installation problems on specific platforms
- Signing tool integration errors
- Validation document questions
- Private key corruption or loss recovery
- Timestamp server failures
- SmartScreen reputation issues
Budget providers offering rock-bottom prices typically provide minimal support. Premium CAs charge more but include responsive technical assistance worth the difference when releases depend on working signatures.
Choosing the Right Code Signing Certificate
The right code signing certificate balances security requirements, platform compatibility, workflow integration, and total cost of ownership.
Start with these foundation steps:
- List every platform and file type you sign (.exe, .dll, .app, .jar, .msi)
- Determine whether EV validation is worth extra cost for Windows distribution
- Map current and future CI/CD pipeline signing requirements
- Calculate 3-year total cost including hardware, support, and reissuance
Final checklist before purchase:
- Certificate supports all required platforms and file types
- CA is trusted in all regions where you distribute software
- Private key storage method compatible with your infrastructure
- Validation requirements are achievable with your business structure
- Support level matches your technical expertise and risk tolerance
- Total 3-year cost fits budget including renewals and hardware
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
