Where can I purchase a code signing certificate? Recommended providers

Written by Radu Popescu · May 10th, 2024

Are you a developer or IT professional looking to digitally sign your code or software application, but unsure of how to acquire a digital certificate? In this blog post, we will introduce you to some of the top providers where you can buy these certificates at an affordable cost.

Please be aware that we are not affiliated with any of these vendors and aim to provide an unbiased overview of your available options.

Digital Certificates and Certificate Authorities

A digital certificate used specifically for code signing is crucial for developers and organizations who want to ensure the integrity and origin of their software applications. This type of digital certificate allows you to digitally sign executables and scripts, helping protect users from downloading tampered or malicious software.

There are various approaches to managing your code signing certificate:

On-Premises Code Signing (self-generated certificate)

  • Signing is managed entirely within the organization's infrastructure.
  • It requires internal hardware, software, and security protocols.
  • Complete control over the signing process also means full responsibility for maintenance.

Certificate Authorities (CAs) with Code Signing Services

  • CAs are trusted third parties that issue code-signing certificates.
  • Some CAs offer additional services, like guidance on best practices, certificate revocation, and certificate lifecycle management.

Cloud-Based (Trusted Signing) Code Signing

1. Code signing is done over the cloud, offering flexibility and scalability.

2. Developers can sign code from any location, and the service provider manages the underlying infrastructure and security. Here you have two options:

  • Managed Services: comprehensive cloud-based services where the provider (CA mentioned above) handles certificate management, hardware security, and compliance.
  • Self-Service Platforms: developers are in charge of signing code using cloud-based tools, but the responsibility for certificate management and security may remain with the user.

Secure Hardware-Based Services

  • Uses hardware security modules (HSMs) or USB tokens to store private keys securely.
  • They ensure that code signing occurs within a secure environment, reducing the risk of key theft or tampering.
  • This service can also be provided by the Certified Authority.

NoteYou can use a self-generated certificate and deploy it to devices in an enterprise environment. However, if someone outside installs your app, it will be detected as unsafe and not digitally signed because it wasn’t signed with a certificate from a Certified Authority that the operating system recognizes.

A Certificate Authority (CA) issues the code signing certificates. The CA will verify the identity of the individual or organization requesting the certificate. This process might involve checking corporate documentation, confirming identity through established third-party databases, or other vetting processes depending on the level of certificate assurance required.

From our perspective, these are the top three CAs where you can purchase your certificate for digital signing. Note that with the advanced technology and lean towards more and more cloud solutions, CAs have adapted and also offer cloud-based Trusted Signing solutions, among the others mentioned above).

DigiCert

DigiCert is a leading global provider of digital certificates and a trusted name in the Internet security industry. The company was founded in 2003 and is headquartered in Lehi, Utah, USA.

DigiCert has gained notoriety, particularly after acquiring Symantec's Website Security and related PKI solutions in 2017, which solidified its position as a top certificate authority worldwide.

As of May 2024, DigiCert offers both Standard (OV) and Extended Validation (EV) certificates with the following three servicing options and pricing:

Code Signing - USB Token

Code Signing - HSM

Code Signing + KeyLocker

Use your hardware token or they will ship you one with your subscription.

Use your hardware security module (HSM).

Cloud-based key storage and code signing service.

$54 / OV certificate/month | $72 / EV certificate/month

$44 / OV certificate/month | $62 / EV certificate/month

$65 / OV certificate/month | $83 / EV certificate/month

Yearly option subscriptions are also available

For more details, visit DigiCert's code-sign certificate section.

Sectigo (Comodo)

Sectigo, formerly known as Comodo CA, is a leading provider of digital identity solutions, including SSL/TLS certificates, digital signatures, and managed PKI solutions. It is one of the world’s largest certificate authorities, helping to secure web transactions and online communications for millions of consumers and businesses.

As of May 2024, Sectigo offers both Standard(OV) and Extended Validation(EV) certificates each in the following option:

OV Code Signing Certificate

EV Code Signing Certificate



Price starts from $429/year.

Price starts from $498/year.

Up to 37% off with a multi-year subscription.

Up to 37% off with a multi-year subscription.

No monthly options are available.

For more details, you can check this direct link to Sectigo’s code sign certificate buy section. t the time this article was written, the Comodo website is still up and running, and you can purchase certificates there. Sectigo chose to keep the old website as a sales platform to make the transition easier for buyers.

GlobalSign

GlobalSign is a highly respected and well-established provider of digital identity services, known for its wide range of digital certificate solutions and identity verification services. Founded in 1996, GlobalSign is one of the longest-standing Certificate Authorities (CAs) in the world and has developed a strong reputation for providing secure and reliable digital certificates.

As of May 2024, GlobalSign offers both Standard (OV) and Extended Validation(EV) certificates with the following 2 options and pricing:

Standard Code Signing OV



EV Code Signing Certificate


Token Implementation


HSM Implementation


Token Implementation

HSM Implementation


- Key storage on USB token or other hardware storage token.


- Token NOT included.


- Key storage on HSM or Azure Key Vault, provided by the customer.


- Key storage on USB token, provided by GlobalSign.



- Key storage on HSM or Azure Key Vault, provided by the customer.


For more details, you can check this direct link to GlobalSign’s code-signing certificate buy section.

Conclusion

Choosing the right code-signing certificate is crucial for ensuring the security and trust of your software, whether you choose a cloud-based solution or secure hardware-based services.

Certificate Authorities like DigiCert, Sectigo, and GlobalSign offer a variety of code-signing options, catering to different needs and budgets. While cloud-based services provide flexibility and scalability, on-premises solutions give you full control. Secure hardware-based services offer robust security for critical applications.

Before deciding, consider your specific requirements, such as the level of trust needed, budget constraints, and ease of implementation. By selecting a reputable CA and the right code-signing service, you can ensure your software is secure and trusted by users and operating systems alike.

Written by
See author's page
Radu Popescu

Technical Writer at Advanced Installer, Technical Engineer on various enterprise client projects. Experienced in Software Packaging, SCCM infrastructure and System Administrating. Tech enthusiast and music producer in his spare time.

Comments: