A Detailed Guide on How to Get a Code Signing Certificate
If you are here, you might already know the significance of using a reliable and trustworthy Code Signing Certificate.
Moreover, given the prevalent security risks, obtaining this certificate has become essential, as it fosters a sense of authenticity and trust among your end-users: they can be assured that the software comes from a trusted source and has not been modified since it was built.
Having said all of that, to get a code signing certificate issued, you must follow a particular series of steps. If you're unsure which steps to take or run into difficulty while completing the process, don't worry; you're in the right place.
According to industry standards, code signing certificates are now required to store their private keys on hardware that meets specific certifications. The hardware must be certified to FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.
Specifically, this requirement applies to OV (Organization Validation) Code Signing Certificates. From June 1st, 2023, OV Code Signing Certificates must store their private keys in a Hardware Security Module (HSM) that meets the above-mentioned criteria.
This change aims to enhance the security and integrity of code signing certificates by ensuring that private keys are stored in hardware that meets rigorous industry standards.
The requirement makes it more difficult for unauthorized individuals or malicious actors to obtain a private key and thereby compromise the trustworthiness of code-signing operations.
Order Process of your Code Signing Certificate:
The process for ordering an IV/OV/EV Code Signing Certificate involves the following steps:
Step 1: Choose the appropriate certificate type based on your requirements, such as IV, OV, or EV.
Step 2: When purchasing a code signing certificate from SignMyCode, you can select the validity period (1, 2 or 3 years) and the delivery method that suits you.
Note: You will save more than 50% by buying a 3-year code signing certificate from us compared to other resellers' or vendors' websites.
Choose Flexible Delivery Modes:
- Use Existing Token: This option has no additional cost.
- Token & US Shipping: It includes a fee of $89.99 for shipping within the United States.
- Token & International Shipping: This option includes a fee of $129.99 for international shipping.
- Token & Expedited US Shipping: This option includes a fee of $139.99 for expedited shipping within the United States.
Step 3: Add the selected certificate to your cart and proceed to checkout.
Step 4: Fill in the requested details on the checkout page, providing accurate information.
Step 5: Select the payment method, either PayPal or Card, to complete the payment process.
Step 6: Review and confirm the details on the confirmation page, including the certificate type, delivery mode, and payment information.
Step 7: Once the order is successfully placed, you will receive an email for enrollment, or you can directly proceed from your dashboard.
Quick Enrollment Process using Multiple Options:
Enrollment Using an Existing Token Method:
Step 1: Generate a Certificate Signing Request (CSR) and add it to the enrollment form.
Step 2: Fill in the organization details requested: Organization Name, DUNS Number, Address, Address 2, Country, State, City, and ZIP/Postal Code.
Step 3: Provide your organization's contact details: Title, First Name, Last Name, Email, and Phone.
Step 4: Select the Hardware Security Module (HSM) type, such as Luna or YubiKey, and provide the Key Attestation.
Then, paste the key attestation into the boxes provided. You can always follow the guide for Key Generation and Attestation here.
Step 5: If there are any specific notes for the Certificate Authority (CA), you can mention them or leave the ‘Note’ field blank and submit the form.
QUICK MEMO: This process is applicable to the Existing Token Delivery Method.
After successful enrollment, the CA verification process begins. Once the validation is complete and successful, a digital token will be generated for you to sign your code.
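For the Existing Token enrollment above (Step 1, the CSR, and Step 4, the key attestation), here is an added example, not SignMyCode's or the CA's own tooling, of producing those artifacts on a YubiKey with the ykman CLI. The ykman commands, PIV slot 9c, the ECC P-384 choice and the RFC 4514 subject escaping are assumptions about the tooling, and the sample organization values are constructed.

```shell
#!/bin/sh
# Added example (not SignMyCode's or the CA's own tooling): produce the three
# artifacts the "Existing Token" enrollment form asks for when the token is a
# YubiKey: a CSR carrying the organization details from the form, the
# attestation certificate for the generated key, and the YubiKey's attestation
# intermediate certificate (PIV slot f9).
# Assumes the YubiKey Manager CLI `ykman` 4.0+ (RFC 4514 subject syntax).
set -eu

# Escape one attribute value for an RFC 4514 subject string. Legal names such
# as "Acme, Inc." contain characters that would otherwise split the DN.
rdn_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;]/\\&/g' \
                         -e 's/^[ #]/\\&/' -e 's/ $/\\ /'
}

# Build the CSR subject from the fields the enrollment form collects:
# Organization Name, Country, State, City. CN is set to the organization name.
# Usage: build_subject ORG COUNTRY STATE CITY
build_subject() {
  printf 'CN=%s,O=%s,L=%s,ST=%s,C=%s' \
    "$(rdn_escape "$1")" "$(rdn_escape "$1")" "$(rdn_escape "$4")" \
    "$(rdn_escape "$3")" "$(rdn_escape "$2")"
}

# Generate the key on the token (PIV slot 9c, "Digital Signature"), build the
# CSR, then export the attestation chain. The private key never leaves the
# YubiKey; only the CSR and the two certificates are pasted into the form.
# ECC P-384 is an assumption: pick an algorithm your CA currently accepts.
enroll_on_yubikey() {
  subject=$(build_subject "$1" "$2" "$3" "$4")
  ykman piv keys generate --algorithm ECCP384 --pin-policy ONCE \
                          --touch-policy ALWAYS 9c pubkey.pem
  ykman piv certificates request --subject "$subject" 9c pubkey.pem request.csr
  ykman piv keys attest 9c attestation.pem
  ykman piv certificates export f9 intermediate.pem
  echo "Upload request.csr, attestation.pem and intermediate.pem"
}

# The hardware steps only run when invoked explicitly, e.g.:
#   sh enroll.sh run "Acme, Inc." US California "San Jose"
if [ "${1:-}" = "run" ]; then
  shift
  enroll_on_yubikey "$@"
fi
```

The CSR's subject must match the organization details entered in Step 2, since the CA validates both against the same registered business record.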
Enrollment Using a Token + Shipping Method:
If you have placed an order with the Token + Shipping option, you won’t need to generate a CSR. The CA will handle this step for you.
Step 1: First, you need to enter your Organization’s details which will include the following:
- Organization Name
- DUNS Number
- Address
- Address 2
- Country
- State
- City
- ZIP/ Postal Code
Step 2: The second section asks for your Organization's Contact information. It includes the following fields:
- Title
- First Name
- Last Name
- Phone
Step 3: Click on the check-box for “I Agree to the Certificate Services Agreement”
Overall, you only need to provide accurate organization details as requested and submit them to the CA for verification.
Let us quickly go over the two different types of code signing certificates:
What Are The Two Types of Code Signing Certificates?
For public trust usage, primarily, there are two types of Code Signing Certificates. They are:
1. EV Code Signing Certificate
An EV Code Signing Certificate is a security certificate used to protect users against phishing software and malicious downloads. It is therefore considered ideal for software packages, device drivers, applications, and executable files.
Because Certificate Authorities conduct a series of rigorous vetting procedures and require the publisher to comply with all hardware security requirements, these certificates are suited for a higher level of security.
In addition, the strict vetting process ensures that the code publisher seeking the certificate is a legitimate and operational entity. Of course, to receive the certificate, the entity must have its information registered.
If one has to highlight one aspect of the certificate, it would be the physical delivery (by mail) of the private key to the entity that requested the certificate. This prevents unnecessary access by third parties or hackers. Upon receipt, the publisher can store the key in a safe location and prevent any kind of unauthorized access.
Extended Validation Code Signing has two distinct characteristics that make it reputable with the Microsoft SmartScreen filter, which then approves the software without any warning.
They are:
- Rigorous vetting process
- Private key storage in a hardware token
2. Standard or Organization Validation Code Signing Certificate
When we talk about a Standard or Organization Validation Code Signing Certificate, the vetting process is not as stringent as for the EV code signing certificate. Instead, it uses the traditional vetting process to verify a code publisher, individual, or entity.
Though there are some security gaps, changes are continually being made to this certificate's vetting process to make it more secure than its previous version. As for private key storage, from 1st June 2023, OV Code Signing certificates also require a hardware token for private key storage.
They can be:
- Hardware security modules (HSMs), either cloud or physical appliances
- Physical security tokens such as USB hardware devices
- Key storage and signing services
There you have it: the two types of Code Signing Certificate. Now that you know about both types of certificates, you can choose the one that best suits your requirements and budget.
To give you better clarity about the two types, we have made a table for you. Refer to it below:
Parameters | EV Code Signing Certificate | OV Code Signing Certificate
--- | --- | ---
Vetting Process | The entities have to go through an elaborate and rigorous authentication process to validate themselves before the CAs. Here, they have to adhere to the guidelines laid down by the CAs. | The vetting process is quite simple, and the entities need not undergo an elaborate process to authenticate their credentials.
Ideal For | Enterprises and Organizations | Individual developers or Organizations
Microsoft SmartScreen filter | Microsoft SmartScreen Recognition is a trust indicator for software. When developers sign their code, it automatically gets Microsoft SmartScreen Recognition. | SmartScreen recognition comes organically with these certificates. The recognition is built up as more and more users download the software.
Pricing | A bit on the expensive side, as it offers better security features. | Cheaper than the EV Code Signing Certificate.
With a Code Signing Certificate, you too can bolster user trust and improve your software's adoption and security while consistently tracking it.