What is a Code Signing Certificate?
A code signing certificate is a digital certificate that provides globally accepted proof of a software publisher’s identity and is obtainable from a publicly trusted Certificate Authority (CA) such as SSL.com. Software companies use code signing certificates to prove that they are the developers of an application. Code signing also protects against tampering: a valid signature shows that a file has not been modified since it was signed, so it is free of unauthorized modifications (such as injected malware) and safe to install. Code signing certificates are an essential security feature when software is distributed, sold, and downloaded online. Digitally signing your code with trusted SSL.com certificates lets users and operating systems know that your software is authentic and safe to install. You can always contact our sales team to discuss these options and request a quote.
Need a code signing certificate? SSL.com has options to meet whatever your needs may be; learn more about our certificates.
Choosing the Right Code Signing Certificate
Organization Validation (OV) and Individual Validation (IV) certificates are referred to as High Assurance certificates because they require more validation and therefore provide more trust. For OV and IV certificates, the CA verifies the actual organization or individual that is applying for the certificate. The organization’s or individual’s name is also listed in the certificate, giving added assurance that the certificate holder is reputable. OV certificates are often used by corporations, governments and other entities that want to provide an extra layer of confidence for their visitors. Aside from SSL/TLS certificates, OV and IV are also commonly used for code signing, document signing, client authentication, and S/MIME email certificates. For more information on the requirements, please refer to SSL.com’s OV and IV requirements.
The Individual Validation (IV) Code Signing Certificate applies digital signatures under a personal name, which makes it well suited to independent software developers and individual project contributors who wish to increase the confidence and trust of their users.
EV certificates, also known as enterprise code signing certificates, provide the maximum amount of trust to visitors and also require the most effort by the CA to validate. EV certificates may only be issued to businesses and other registered organizations, not to individuals. SSL.com Sole Proprietorship EV Code Signing Certificates add an individual’s identity to the standard EV code signing certificate. This validation option enables a sole proprietorship or individual contributor to include their name in the digital signature. The Sole Proprietorship option is also for enterprises that require an extra layer of assurance by including an individual’s validated identity in the digital signature. To learn more about the features of these certificates, read our article Which Code Signing Certificate do I Need? EV or OV?
At a quick glance, the defining features of IV, OV and EV code signing certificates are listed below.
IV Code Signing Certificate:
- Applies digital signatures with a personal name
- Perfect for independent software developers and individual project contributors
OV Code Signing Certificate:
- Verifies your identity as the software publisher
- Shields your software from tampering and malware infection
EV Code Signing Certificate:
- Ability to sign both pre-Windows 10 and Windows 10 drivers
- Instant Microsoft SmartScreen Reputation
- Time stamping, so the signature does not expire when the certificate does
- Ability to Sign on the Cloud using eSigner
- Sole Proprietorship EV Code Signing Certificates add an individual’s identity to the standard EV Code Signing Certificate
Setting up and Using Your SSL.com Account
If you haven’t already, start by creating an account on SSL.com. From your account you can create multiple teams and invite multiple users with specific role and rights assignments.
The Validation Process
To validate and issue an OV or IV certificate, SSL.com must verify your identity, physical address, and telephone number via verifiable online resources and/or valid verification documents. For further details on the requirements, you can read What Are The Requirements for SSL.com OV and IV Certificates? Additionally, for IV Code Signing Certificate orders, applicants must submit a front and back image of an ID plus an image of themselves holding the ID next to their face. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate: for entities requesting EV Code Signing Certificates, SSL.com validates both through trusted online resources and/or valid documents and through that extra documentation. Head over to FAQ: Extended Validation (EV) Process to see all the requirements for EV certificates.
New key storage requirements for OV and IV Code Signing Certificates
Starting June 1, 2023, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change complies with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements, which increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be issued as downloadable files from the internet. Because the new requirements only allow encrypted USB tokens or cloud-based FIPS-compliant hardware appliances to store the certificate and private key, instances of code signing keys being stolen and misused by malicious actors are expected to be greatly reduced. Learn more about the SSL.com eSigner cloud code signing solution.
Key Storage and Signing Methods for Extended Validation Code Signing Certificates
USB Token
SSL.com ships code signing certificates pre-installed on YubiKey FIPS tokens and Thales SafeNet (Gemalto) USB tokens. Thales SafeNet tokens can handle RSA keys up to 3072 bits, which is crucial for kernel-mode signing and a prerequisite in certain software development environments such as driver signing for Microsoft systems. Through a procedure known as remote attestation, customers of SSL.com, regardless of their location, can create a key pair directly on their YubiKey along with an attestation certificate that verifies that the private key was generated on the device. The attestation certificate can subsequently be used to renew an expired certificate that is on the YubiKey. Remote attestation is currently not available for Thales token customers. For a more detailed comparison of the features of YubiKeys and Thales SafeNet tokens, please refer to this SSL.com article: Yubikey FIPS tokens vs Thales/Gemalto USB tokens.
Both YubiKey and Thales SafeNet tokens are designed to boost security without substantially compromising user experience. The choice between them should be guided by the organization’s security approach and operational needs. However, as physical devices, they can be lost or stolen, posing significant security risks and potentially incurring high replacement costs. In a modern remote work setting, the logistics of distributing and maintaining these hardware tokens can pose significant challenges for IT teams, requiring notable expense and manpower. Additionally, these tokens do not offer the same level of convenience as cloud-based solutions, especially for developers working within a CI/CD pipeline.
Cloud HSM
A second option for EV code signing is to use a networked HSM in the cloud to host code signing certificates and keys. This method offers a level of security comparable to a USB token when the key is generated as non-exportable in the HSM. With the key material accessible in the cloud, integration with CI/CD services becomes easier, as does team collaboration with the same certificate and key material. Note that this method may require expertise with the particular cloud service provider. For the issuance of code signing certificates, SSL.com supports various Cloud HSMs, including Azure Key Vault (Premium Tier), Azure Key Vault Managed HSM, Azure Dedicated HSM, Amazon Web Services (AWS) CloudHSM, and Google Cloud HSM. For details on each one, you can read our guide: Supported Cloud HSMs for Document Signing and EV Code Signing.
- To learn how you can use your HSM account and hire a professional for Cloud HSM Attestation, read our article Bring Your Own Auditor Cloud HSM Attestation.
- SSL.com is currently developing and testing attestation procedures for a wide range of HSM platforms. You can fill out this inquiry form to find out if we are testing an HSM platform that was not listed above.
eSigner: Code Signing as a Service
A third, modern and very convenient approach to EV Code Signing is to treat code signing as a service. SSL.com’s eSigner cloud code signing service is an example of this method. With eSigner, SSL.com handles both the public key infrastructure (PKI) and the HSMs for code signing. The non-exportable signing keys are stored in eSigner’s HSMs, where neither the customer nor SSL.com can view them. This way, the security standard is as high as with tokens and cloud HSMs, but the client does not need to manage them directly. The eSigner environment includes a number of signing options to accommodate the needs of a variety of customers, from individual developers to complex organizations.
eSigner Signing Options
- With SSL.com’s eSigner service, you can use your SSL.com Extended Validation Code Signing Certificate to sign code from any internet-connected device without any additional hardware. After enrolling your EV Code Signing certificate order in eSigner, you can sign code with either the eSigner Express web app, eSigner CodeSignTool or through SSL.com’s CSC-compliant code signing API.
eSigner Supported File Types
- You can read our guide, eSigner Supported File Types, to know which file types are supported by eSigner Express and eSigner API.
Getting Started with Your Code Signing Certificate
Upon receiving your new code signing certificate, you may have questions about how to use it and which applications it can be integrated with. The linked guides below answer common questions about getting started with your new certificate.
- How to buy Code Signing and EV Code Signing Certificates from SSL.com
- How to install an SSL.com OV code signing certificate on Windows 10
- FAQ: Getting Started With Your EV Code Signing Certificate
- Register with Windows Hardware Developer Program to sign drivers with EV Code Signing
- How to use your OV or EV code signing certificate with Microsoft’s SignTool and SSL.com’s SSL Manager
Getting Started with eSigner Cloud Code Signing
- Service Features of eSigner
- Enroll in eSigner
- Choosing a signature subscription
- Frequently asked questions about eSigner
- How to View and Reset eSigner QR Code or Reset PIN
- Team Sharing for eSigner Document and EV Code Signing Certificates
Using Your Yubikeys
Certificates such as EV Code Signing ordered from SSL.com can optionally be delivered pre-installed in a Hardware Security Module (HSM) such as a FIPS 140-2 validated security key USB token. If your certificate has not yet been validated, you can include the number of tokens you require when ordering and before completing the validation process. If your certificate has already been issued, you still have the option of ordering additional tokens. To learn how to add YubiKeys to your EV Code Signing certificate, see this guide: How to Add YubiKeys to your Certificate Order. If you already have a YubiKey, you can refer to the following guides on how to operate it:
- YubiKey Quick Instructions
- How to Unblock YubiKey PIN
- How to Access Your Yubikey FIPS PIN and PUK
- What if my EV Code Signing Token is Blank?
- How to Install SSL.com Root and Intermediate Certificates on YubiKey
- How to Conduct Key Generation and Attestation with Yubikey
Automation and Integration
eSigner CKA (Cloud Key Adapter)
- eSigner CKA (Cloud Key Adapter) is a Windows-based application that uses the CNG interface (a KSP, Key Storage Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner CSC for automated code signing operations. eSigner CKA acts like a virtual USB token and loads the code signing certificates into the Windows certificate store.
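As an added example (not code from SSL.com’s guides), the following PowerShell script signs a build artifact with signtool.exe through a certificate that a USB token’s middleware or eSigner CKA has exposed in the Windows certificate store, applies an RFC 3161 timestamp so the signature outlives the certificate, then verifies the result and confirms the timestamp is present. The thumbprint, timestamp server URL and artifact path are placeholders, and the store location Cert:\CurrentUser\My is an assumption.

```powershell
# Added example, not taken from SSL.com's guides. Placeholders below must be
# filled in; the store location is an assumption about where the token
# middleware or eSigner CKA publishes the certificate.
$Thumbprint = "<SHA1 thumbprint of your code signing certificate>"
$TsaUrl     = "<RFC 3161 timestamp server URL>"
$Artifact   = ".\build\app.exe"

# Fail early if the certificate is not in the store (token or CKA not loaded).
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }

# /fd and /td select SHA-256 for the file and timestamp digests, /tr requests an
# RFC 3161 timestamp, and /sha1 picks the signing certificate by thumbprint.
& signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TsaUrl /td SHA256 $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Independent verification under the default Authenticode policy.
& signtool.exe verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Inspect the signature: status, Code Signing EKU on the signer, and a timestamp.
$sig = Get-AuthenticodeSignature -FilePath $Artifact
if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status)" }

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
if (-not ($sig.SignerCertificate.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid)) {
    throw "Signer certificate lacks the Code Signing EKU"
}
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp: this signature stops validating when the certificate expires"
}
"Signed by {0}; timestamped by {1}" -f $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```

The same sign and verify steps apply when the certificate comes from a USB token, since its middleware also presents the key through a CNG provider.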
eSigner and CodeSignTool for Automated EV Code Signing
- CodeSignTool is ideal for automated batch processes for high volume signings or integration into existing CI/CD pipeline workflows.
- Read our CodeSignTool guide on how to sign code objects without being prompted for manual OTP entry for each file.
- Head over to eSigner CodeSign Tool Command Guide to know more about supported commands, options, and parameters.
Specific CI/CD Service Integration Guides
Below are specific guides on how to automate code signing using eSigner for the most popular CI/CD platforms.
- Cloud Code Signing Integration with CircleCI
- Cloud Code Signing Integration with GitHub Actions
- Cloud Code Signing Integration with GitLab CI
- Cloud Code Signing Integration with Travis CI
- Cloud Code Signing Integration with Jenkins CI
- Cloud Code Signing Integration with Azure DevOps
- Cloud Code Signing Integration with BitBucket
Testing EV Code Signing in the Sandbox
SSL.com maintains a separate “sandbox” environment for our eSigner cloud signing service so that users can experiment with the different apps, utilities, and APIs before working with live EV Code Signing certificates.
Specific Environment Guides
SSL.com’s EV Code Signing certificates can be used in various code-signing environments. Refer to the articles below for specific guides:
- Signing your Java code with an OV/IV or EV code signing certificate
- Signing Kernel-Mode Drivers for Windows using EV or OV Code Signing Certificates
- FAQ: Kernel-Mode Code Signing Certificates
- Using Jsign from the Linux command line for OV/IV code signing and EV code signing
- Code signing with Azure DevOps, using a certificate stored in Azure Key Vault