
Sectigo Code Signing Certificate: Complete Guide 2026

by Priya Mervana | Last updated Apr 1, 2026 | Code Signing


A Sectigo Code Signing Certificate is a digital credential that lets software publishers cryptographically sign their executables, scripts, and installers. The signature proves the code comes from a verified source and has not been altered since signing - which stops Windows SmartScreen, macOS Gatekeeper, and antivirus tools from blocking or flagging the download.

Definition: A Sectigo code signing certificate is a public-key certificate issued by Sectigo (formerly Comodo CA) that binds a verified publisher identity to a cryptographic key pair. When a developer signs software with that key, the resulting digital signature travels with the file, allowing any device to verify authorship and detect tampering before execution.

What Is the Difference Between OV and EV Sectigo Code Signing Certificates?

Sectigo offers two validation tiers - Organization Validation (OV) and Extended Validation (EV) - and the right choice depends on your distribution target, regulatory environment, and key-storage setup.

| Feature | OV Code Signing | EV Code Signing |
|---|---|---|
| Validation depth | Business name, address, domain | Full legal entity + physical + executive verification |
| Key storage | FIPS 140-2 Level 2 HSM or token | FIPS 140-2 Level 2+ HSM or hardware token (mandatory) |
| Windows kernel drivers | Not accepted | Required for all kernel-mode submissions |
| Issuance time | 1–3 business days | 3–7 business days (documentation review) |
| Price range (Sectigo) | ~$220–$399 per year | ~$290–$500 per year |
| Private key delivery | Cloud HSM or digital file | Hardware USB token (shipped by courier) |

Both OV and EV certificates now build SmartScreen reputation organically through download volume, following Microsoft's March 2024 SmartScreen update that removed the previous instant-bypass advantage EV certificates once held.

For a deeper side-by-side breakdown, see the full OV vs EV code signing comparison.

What Are the Key Requirements for Sectigo Code Signing in 2026?

As of March 1, 2026, CA/Browser Forum Ballot CSC-31 reduced the maximum validity of publicly trusted code signing certificates to 460 days, roughly 15 months. Any certificate issued on or after that date must comply with the new limit.

Key storage rules changed earlier, in June 2023, when the CA/B Forum required all code signing private keys to be stored on FIPS 140-2 Level 2-certified hardware. Software-only storage - PFX files kept on a developer workstation - is no longer permitted for publicly trusted certificates.

The table below summarizes the 2026 requirements:

| Requirement | Standard (2026) |
|---|---|
| Maximum certificate validity | 460 days (CA/Browser Forum Ballot CSC-31, effective March 2026) |
| Minimum RSA key size | 3072 bits |
| Hash algorithm | SHA-256 or stronger |
| Key storage | FIPS 140-2 Level 2 HSM or hardware USB token |
| Timestamping | RFC 3161-compliant TSA required to preserve signature after expiry |
| Windows kernel-mode drivers | EV certificate required for Hardware Dev Center submission |

Teams managing USB tokens should review the HSM key storage requirements to determine whether migrating to a cloud HSM reduces the burden of the new annual renewal cycle.

How Do You Install and Use a Sectigo Code Signing Certificate?

The setup process differs between OV and EV certificates. OV certificates are issued digitally; EV certificates arrive on a physical USB token shipped by courier. Both require FIPS-compliant hardware for the private key before signing.

Follow these steps to get started:

  1. Generate a Certificate Signing Request (CSR) using OpenSSL or IIS, specifying a 3072-bit RSA key or an ECDSA P-256 key.
  2. Submit the CSR through Sectigo's portal, along with business verification documents. OV requires name, address, and domain confirmation. EV adds executive identity checks.
  3. For OV: import the issued certificate into your FIPS-compliant HSM or token using the Certificate Manager. For EV: install SafeNet Authentication Client, insert the shipped USB token, and change the default PIN.
  4. Run the signing command - for Windows, use SignTool.exe: SignTool sign /a /fd SHA256 /tr http://timestamp.sectigo.com /td SHA256 YourApp.exe. SignTool needs a certificate-selection switch: /a picks the best available signing certificate automatically; use /n "Publisher Name" or /sha1 <thumbprint> to pin a specific one.
  5. Verify the signature using SignTool verify /pa /v YourApp.exe to confirm the chain resolves to a trusted root.

For the SafeNet token flow in detail, see the SafeNet Authentication Client setup guide covering Windows and Linux installation. 

Timestamping is not optional - without an RFC 3161 timestamp, signatures become invalid the moment the certificate expires. Sectigo provides a free TSA endpoint at http://timestamp.sectigo.com. Read more about code signing time stamping to understand how the timestamp token is embedded and verified.
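The sign and verify steps listed above, combined with the timestamp check this paragraph calls for, as an added PowerShell script (it is not from the article or from Sectigo). It assumes signtool.exe from the Windows SDK is on PATH and that the Sectigo certificate is in the CurrentUser\My store (imported via Certificate Manager for OV, registered by the SafeNet client for EV), selected by its thumbprint.

```powershell
# Added example, not the article's or Sectigo's own code. Signs a binary with
# SignTool, verifies it, then uses Get-AuthenticodeSignature to refuse a build
# whose signature carries no RFC 3161 timestamp. A signature produced without
# /tr verifies cleanly today and only starts failing once the certificate
# expires, which is exactly the mistake this check makes visible at build time.
# Assumptions: signtool.exe on PATH, certificate in CurrentUser\My, EV token PIN
# entered interactively when the SafeNet client prompts for it.
param(
    [Parameter(Mandatory)] [string] $File,             # e.g. .\YourApp.exe
    [Parameter(Mandatory)] [string] $Thumbprint,       # SHA-1 thumbprint of the signing certificate
    [string] $TsaUrl = 'http://timestamp.sectigo.com'  # Sectigo's free RFC 3161 TSA
)

$ErrorActionPreference = 'Stop'

# 1. Sign with a SHA-256 file digest (/fd), an RFC 3161 timestamp (/tr) and a
#    SHA-256 timestamp digest (/td). /sha1 pins the certificate by thumbprint so
#    an expired or test certificate in the same store is never picked silently.
& signtool sign /fd SHA256 /td SHA256 /tr $TsaUrl /sha1 $Thumbprint /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 2. Verify against the default Authenticode policy (/pa), the same chain
#    evaluation a Windows client performs before running the file.
& signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# 3. Independent check: the signature must be Valid AND countersigned by a TSA.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($null -eq $sig.TimeStamperCertificate) {
    throw "No timestamp on $File; the signature will stop verifying when the certificate expires"
}
Write-Host "OK: $File signed by '$($sig.SignerCertificate.Subject)', timestamped by '$($sig.TimeStamperCertificate.Subject)'"
```

Run it as .\Sign-Check.ps1 -File .\YourApp.exe -Thumbprint <thumbprint> from a release pipeline step so a missing timestamp fails the build rather than surfacing 460 days later.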

How Does Sectigo Compare to Other Code Signing Certificate Authorities?

Sectigo consistently ranks among the top two or three code signing CAs for independent developers and small to mid-sized software companies. Its advantage is pricing - OV certificates start at roughly $220 per year through resellers, compared to DigiCert's $409 per year. 

Where Sectigo trails DigiCert is in enterprise support response times and root store ubiquity on specialized platforms. For medical device firmware and financial-services software, DigiCert's deeper regulatory relationships often justify the price gap. GlobalSign is a strong alternative for teams running cloud-native CI/CD pipelines, since its cloud HSM option avoids USB token shipping entirely. 

The certificate authority market reached $173.1 million in 2023 and is projected to grow at a CAGR of 11.4% through 2032, reaching $442.2 million, reflecting the increasing adoption of code authentication across software supply chains. 

What Common Mistakes Do Developers Make With Code Signing Certificates?

Skipping the timestamp is the single most frequent error. A signed file without an RFC 3161 timestamp becomes unverifiable the day the certificate expires, breaking trust for every user who downloads the software after that point. 

Other errors that cause real-world distribution failures:

  • Signing with SHA-1 instead of SHA-256 - Windows has deprecated SHA-1 signatures and will block unsigned or SHA-1-signed code on modern versions.
  • Choosing OV when EV is required - kernel-mode drivers submitted to Microsoft's Hardware Dev Center require an EV certificate; OV submissions are rejected outright.
  • Storing the private key in a PFX file on a shared build server - this violates CA/B Forum Baseline Requirements and can trigger certificate revocation by Sectigo.
  • Not planning for the 460-day renewal window - teams that previously operated on 3-year cycles must now renew annually, and missing the deadline causes a signing outage.
  • Using the wrong signing tool API - macOS signing uses codesign and notarytool, not SignTool; attempting to use a Windows-issued Sectigo certificate on macOS without proper platform support fails at submission.

Who Is the Best Provider of Sectigo Code Signing Certificates?

The best provider for Sectigo Code Signing Certificates in 2025 is generally determined by price, reliability, support, and turnaround time. Reputable third-party resellers consistently offer the best combination of discounted pricing and responsive support compared to buying directly from Sectigo.

Top Sectigo Code Signing Certificate Providers

  • SectigoStore: Frequently recommended for competitive pricing (starting at ~$220/year for OV and ~$290/year for EV), fast issuance, and a user-centric support experience, including a 30-day refund policy.
  • TheSSLStore: Trusted for established reseller experience, they offer OV certificates at ~$288/year and EV at ~$380/year, with a seasoned reputation for hassle-free purchases and strong after-sales support.
  • SSL2Buy: Reliable for price transparency, offering OV at around $322/year and EV at $423/year, with global support.
  • Codesigningstore: Recognized for good discounts below Sectigo's direct website pricing, quick fulfillment, and full refund policy. User reviews rate its support as fast and effective with a high satisfaction rate among developers.
  • Direct from Sectigo: Buying directly guarantees authenticity, but it's generally pricier and less discount-friendly than resellers.

| Provider | OV Price (USD/Yr) | EV Price (USD/Yr) | Customer Ratings | Notable Features |
|---|---|---|---|---|
| SectigoStore | ~$220 | ~$290 | 5-star ratings | Fast issuance, support, discounts |
| TheSSLStore | ~$288 | ~$380 | 5-star ratings | Established reputation, support |
| SSL2Buy | ~$322 | ~$423 | 4-star ratings | Transparent pricing, global reach |
| Sectigo Direct | ~$380 | ~$500 | 5-star ratings | Direct authenticity, highest price |

Is a Sectigo Code Signing Certificate Worth It for Small Developers?

For any developer distributing software publicly on Windows, a Sectigo OV certificate is the practical minimum. Without a trusted signature, SmartScreen displays a "Windows protected your PC" warning for every download, and many users abandon the install immediately.

The $220-per-year OV price point is low enough that most independent developers can justify the cost against even modest conversion improvements. Signing with OV does not eliminate SmartScreen warnings instantly - reputation builds through download volume - but it does stop the full blocking screen and allows users to proceed with a single click.

Developers publishing kernel-mode drivers, medical device firmware, or software that must pass enterprise security review have no equivalent alternative to EV. Sectigo's EV pricing at $290 to $500 annually is the most cost-effective option in that tier, according to comparisons of leading code signing certificate providers published in 2026.

Final Thoughts

Sectigo code signing certificates remain among the most cost-accessible options for developers who need a publicly trusted signing credential in 2026. The 460-day maximum validity now mandates annual renewal planning, and hardware-based key storage is non-negotiable for all newly issued certificates. 

The immediate next step is straightforward: decide whether your distribution scenario requires OV or EV, confirm your key storage hardware is FIPS 140-2 Level 2 compliant, and schedule your first renewal before the current certificate reaches 400 days. Building that renewal workflow now prevents a signing outage when the CA/Browser Forum moves validity periods shorter still - which current trajectory strongly suggests is coming. 

Frequently Asked Questions About Sectigo Code Signing Certificate

Does Sectigo provide a free timestamping server?

Yes. Sectigo operates a free RFC 3161-compliant timestamping server at http://timestamp.sectigo.com. Including a timestamp during signing ensures the digital signature remains verifiable after the certificate's 460-day validity expires. 

How long does Sectigo validation take for OV vs EV certificates?

OV validation typically completes in 1 to 3 business days. EV validation takes 3 to 7 business days because it requires additional legal entity checks, physical address confirmation, and executive identity verification. Having business registration documents ready before applying shortens the timeline. 

Can I use one Sectigo code signing certificate to sign multiple applications?

Yes. A single Sectigo code signing certificate covers unlimited signing operations during its validity period. Each application receives a unique timestamp, but all signatures share the same publisher identity bound to the certificate. 

What happens if my Sectigo certificate expires before I renew it?

Signatures applied before expiry remain valid indefinitely, provided a timestamp was included during signing. New signing operations after the expiry date require a fresh certificate. The 460-day limit now means annual renewal is mandatory rather than optional. 

Does EV code signing still bypass Microsoft SmartScreen warnings in 2026?

No. In March 2024, Microsoft updated SmartScreen to treat OV and EV certificates equally. Neither type bypasses warnings automatically. Both build SmartScreen reputation through download volume and user behavior patterns over time.

What key size does Sectigo require for code signing certificates?

Sectigo requires a minimum RSA key size of 3072 bits as of 2026, in line with CA/Browser Forum Baseline Requirements for code signing. Alternatively, ECDSA keys using the P-256 curve are accepted and produce smaller signature overhead with equivalent security.

Priya Mervana

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.