Where can I purchase a code signing certificate? Recommended providers

Digital Certificates and Certificate Authorities

A digital certificate used specifically for code signing is essential for developers and organizations that want to ensure the integrity and provenance of their software applications. This type of digital certificate allows you to digitally sign executables and scripts, helping to protect users from downloading manipulated or malicious software.

There are different ways to manage your code signing certificate:

Code signing on the object (self-generated certificate)

• Signature is managed entirely within the organization’s infrastructure.
• Requires internal hardware, software and security protocols.
• Full control over the underwriting process also means full responsibility for maintenance.

Certificate Authorities (CA) with Code Signing Services

• CAs are trusted third parties that issue code signing certificates.
• Some CAs offer additional services, such as guidance on best practices, certificate revocation, and certificate lifecycle management.

Cloud-based code signing (trusted signature).

1. Code signing takes place in the cloud, providing flexibility and scalability.

2. Developers can sign code from anywhere, and the service provider manages the underlying infrastructure and security. Here you have two options:

• Managed Services: comprehensive cloud-based services where the provider (CA mentioned above) handles certificate management, hardware security and compliance.
• Self-Service Platforms: developers are responsible for signing code using cloud-based tools, but responsibility for certificate management and security may remain with the user.

Secure hardware-based services

• Uses hardware security modules (HSMs) or USB tokens to securely store private keys.
• They ensure that code signing occurs within a secure environment, reducing the risk of key theft or tampering.
• This service can also be provided by the Certified Authority.

You can use a self-generated certificate and deploy it to devices in an enterprise environment. However, if someone outside installs your application, it will be detected as insecure and not digitally signed because it is not signed with a certificate from a certificate authority that the operating system recognizes.

A Certificate Authority (CA) issues code signing certificates. CA will verify the identity of the individual or organization requesting the certificate. This process may include checking corporate documentation, confirming identity through databases established by third parties, or other verification processes depending on the level of certificate assurance required.

From our point of view, these are the top three CAs where you can buy your digital signature certificate. Note that with technology advancing and moving towards more and more cloud solutions, CAs have adapted and also offer cloud-based trusted signing solutions, among others mentioned above).

DigiCert

DigiCert is the leading global provider of digital certificates and a trusted name in the internet security industry. The company was founded in 2003 and is headquartered in Lehi, Utah, USA.

DigiCert has gained notoriety, especially after the acquisition of Symantec’s Website Security and related PKI solutions in 2017, which strengthened its position as a top certification authority worldwide.

As of May 2024, DigiCert offers both standards (OV) and Extended Validation (EV) certificates with the following three service options and prices:

Annual subscription options are also available

For more details, visit DigiCert’s code token certificate section.

Sectigo (Comodo)

Sectigo, formerly known as Comodo CA, is a leading provider of digital identity solutions, including SSL/TLS certificates, digital signatures and managed PKI solutions. It is one of the largest certificate authorities in the world, helping to secure online transactions and online communications for millions of consumers and businesses.

As of May 2024, Sectigo offers Standard (OV) and Extended Validation (EV) certificates each in the following option:

There are no monthly options available.

For more details, you can check this direct link to Sectigo code token certificate purchase section. At the time this article was written, the Comodo website is still open and you can purchase certificates there. Sectigo chose to keep the old website as a sales platform to make the transition easier for buyers.

GLOBAL

GlobalSign is a highly respected and established provider of digital identity services, known for its wide range of digital certificate solutions and identity verification services. Founded in 1996, GlobalSign is one of the world’s oldest Certificate Authorities (CAs) and has developed a strong reputation for providing secure and reliable digital certificates.

As of May 2024, GlobalSign offers both standards (OV) and Extended Validation (EV) certificates with the following 2 options and prices:

For more details, you can check this direct link to GlobalSign code signing certificate purchase section.

CONCLUSION

Choosing the right code signing certificate is essential to ensuring the security and trust of your software, whether you choose a cloud-based solution or secure hardware-based services.

Certificate authorities such as DigiCert, Sectigo and GlobalSign offer a variety of code signing options to suit different needs and budgets. While cloud-based services offer flexibility and scalability, on-premises solutions give you complete control. Hardware-based secure services provide robust security for critical applications.

Before deciding, consider your specific requirements, such as the level of trust needed, budget constraints, and ease of implementation. By choosing a reputable CA and the right code signing service, you can ensure that your software is secure and trusted by users and operating systems.