FAQs: Frequently Asked Questions – Code Signing Certificate

Get answers to some of the most common questions we receive about code signing certificates…

What Is a Code Signing Certificate?

A code signing certificate is an X.509 digital certificate that you can use to create digital trust in your brand and software products. It allows you to apply a cryptographic digital signature to software apps, manifest files, scripts, and other types of code.

Digitally signing your software allows you to assert your verified digital identity up front to users and their devices’ operating systems. It also helps your apps avoid displaying scary “unknown publisher” type warnings whenever someone tries to install them.

How Does a Code Signing Certificate Differ From an SSL/TLS Certificate?

Although code signing certificates and SSL/TLS certificates are both types of X.509 certificates, they have different security uses and applications.

Knowing what we now know about code signing certificates, let’s explore how they differ from SSL/TLS certificates.

An SSL/TLS certificate is something website owners use to enable HTTPS on their websites. This allows site owners to ensure that data is transmitted between their web servers and users’ browsers using secure, encrypted connections. This enables in-transit data protection, which keeps bad guys from reading data that would otherwise be transmitted in plaintext.

So, SSL/TLS certificates secure your websites, whereas code signing certificates secure your software apps and code.

What Are the Different Types of Code Signing Certificates?

There are three different types of Code Signing Certificates are offered:

  1. Individual Validation Code Signing Certificates. These certificates are for independent developers who aren’t associated with larger organizations that develop and publish software, scripts, and other code. (NOTE: When purchasing one of these certificates, you’ll select the standard code signing certificate option, which has fewer validation requirements.)
  2. Standard Code Signing Certificate. Also called an organization validated (OV) code signing certificate, this requires proof of both your identity and the organization you work for.
  3. Extended Validated (EV) Code Signing Certificate (NOTE: This type of certificate is no longer recognized by Microsoft as of February 2024. According to Microsoft: “Starting in August 2024, all EV code signing organization identities (OIDs) will be removed from existing roots in the Microsoft Trusted Root Program, and all code signing certificates will be treated equally.”

Self Signed vs Publicly Signed Certificates

If you want your software program to earn trust over time, you must digitally sign your files using a publicly trusted code signing certificate. These certificates are issued by publicly trusted certification authorities (CAs) that carefully vet your identity before issuance.

Software signed by self-signed certificates won’t be trusted beyond your device without significant manual intervention (e.g., manually installing the signing certificate on each device’s trust store). This isn’t practical for public releases and distributions. 

Learn more about the differences between self-signed and publicly trusted code signing certificates.

What Is the Order Process for Getting a Code Signing Certificate?

If you’re new to our website, first create an account at CodeSigningStore.com.

If you have an account, log in to your CodeSigningStore.com account. (Click here to log in.)

  • In the top navigation bar, select Shop Certificates, pick your validation type (OV or EV), and choose from the brand you want to purchase (DigiCert, Sectigo, Comodo CA, or GoGetSSL).
  • Select your desired code signing certificate.
  • Depending on your requirements, select the number of years you wish to purchase a code signing certificate (e.g., 1 year, or 2- or 3-year bundles).
  • Click Add to cart. Follow the prompts and make your payment.

That’s it!

But what if you’re an existing customer who needs to reissue your code signing certificate instead?

How Do I Re-Issue My Code Signing Certificate?

The process for re-issuing your code signing certificate varies depending on which certification authority (CA) issued it. To re-issue your code signing certificate, contact the CodeSigningStore.com Support Team for assistance.

Where Do I Find My Code Signing Certificate Private Key?

By default, your code signing certificate is generated on a secure hardware USB token. This is an industry baseline security requirement as of June 2023. This ensures that users can use private keys for cryptographic purposes without having direct access to these sensitive secrets.

  • Sectigo customers: You’ll receive a USB token that already has the certificate and key installed on it.
  • DigiCert customers: You’ll receive a blank token and will need to generate the key and install the certificate manually. Check out our article that will walk you through how to set up your new hardware token.

When purchasing a code signing certificate from CodeSigningStore.com, you have the option of generating and storing your private key on a hardware security module (HSM). This could mean using an existing FIPS 140-2 Level 2 or Common Criteria Evaluation Assurance Level (EAL) 4+ (or higher) compliant HSM or using our integrated GoGetSSL Cloud Code Signing option, which stores your private key on DigiCert KeyLocker.

Do I Need to Sign the DLL Files Within My Application?

Although it’s not necessarily a requirement in all use cases, signing your .dll files is a good idea as part of your build process. Taking this approach helps you protect your DLL files against tampering and provides assurance that they haven’t been modified.

Do the Requirements for Signing Code Differ From One Platform to Another?

Yes. The requirements for signing code differ from one platform to another. The requirements for signing a JAR file will not be the same as those for signing a Windows kernel-mode driver. Moreover, the requirements for signing applications on iOS & OS X also, and how and where you will distribute the application also matter when it comes to signing requirements.

For example, Apple requires all third-party apps to be signed by an Apple-issued certificate through the Apple Development Program. 

Visual Studio Code Signing

Visual Studio does not support code signing certificates that use ECC key pairs at this time. So, if you’re planning to use Visual Studio to sign your ClickOnce manifests or executable files, you’ll need to purchase a certificate with an RSA key pair instead.

What Other Factors or Requirements Apply When Signing on Different Platforms?

Code signing utilities differ based on the platforms used for signing files or codes.

Windows:

In Windows, Microsoft SignTool is used for signing drivers and executable files. It is included in the Windows SDK bundle and can be used in Windows CMD and Visual Studio.

Related: How to Download and Install Windows SignTool.exe

There are some additional requirements for kernel-mode drivers, as they must be signed by the Windows Hardware Developer Center Dashboard Portal. This requires having an EV Code Signing Certificate to access.

Java:

When it comes to signing codes in Java, Jarsigner is used, which comes bundled with the Java JDK as it provides support for .pfx files, provided you are aware of the alias. It’s a little more advanced than using SignTool and requires specifying the slot of the USB token.

Related: Where Is JarSigner.exe Located on My Device? A Guide for Windows, Linux, and MacOS

Apple:

Here, both Standard and EV Code Signing certificates can sign files such as .dmg and .app. However, the local default Gatekeeper policy on OS X and the Apple App Store policy ask to use the certificates only issued by Apple tied to an Apple Developer ID.

Moreover, code signing certificates from other CAs can be used to sign things such as profiles and policies on OS X. Lastly, the default utility on OS X for signing code is known as codesign.

How Do I Use My Code Signing Certificate?

Looking for tutorials that will walk you through how to use your code signing certificate with different signing tools? You’ve come to the right place. We have guides for:

Is It Possible to Sign Files Remotely Using RDP?

No. Standard and extended validation code signing certificates with keys stored on a secure USB token can’t be used for virtual machine or remote signing. This is an intentional Windows security restriction that prevents secure USB tokens from being accessed during RDP sessions.

Code signing certificates that have keys stored on a secure USB token require the token to be plugged into the local computer to sign files on the local machine. Otherwise, you must use an HSM that’s FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant.

Do CodeSigningStore.com Certificates Use SHA 256?

Yes! All of the code signing certificates we offer create digital signatures that are hashed using the secure hashing algorithm with a 256-bit key (SHA256). Moreover,

Can I Use a Kernel-Mode Driver Signing Certificate to Sign Driver Files (*.sys)?

For kernel-mode driver signing in Windows 10, an EV code signing certificate is required.

For kernel-mode code signing (Windows Vista till Windows 8.1), OV code signing certificates can be used.

Check out our article to learn more about driver signing for Windows, which talks about signing standard and kernel-mode drivers. Read Microsoft’s Kernel-Mode Code Signing Walkthrough for instructions and information regarding kernel-mode signing certificates.

Who Can Get a Code Signing Certificate?

A code signing certificate can be issued to verified “legal entities,” like registered companies or to individuals (the name is used as the “Publisher”). This requires providing official identifying documentation and records as part of a larger validation process.

Can DBAs Get Code Signing Certificates?

Yes, you can get a code signing certificate if your business is registered with a “Doing Business As” name that’s registered with your local or state government.

The code signing certificate cannot be issued to your website as the publisher unless the website is a registered business name, e.g. Amazon.com.

To know more about the list of documents required, read “Validation Requirements” the CAs might ask.

How Much Does a Code Signing Certificate Cost?

The cost of a certificate depends on what you’re buying. For example, purchasing a 3-year certificate bundle will cost less per year than buying a certificate one year at a time.

To know current pricing, check out our product pages.

What If I Find a Better Price Elsewhere?

CodeSigningStore.com offers a price-match guarantee. Contact us via email if you see a lower published price offered by a competitor and we’ll match it.

Is a Free Trial Available for a Code Signing Certificate?

No, code signing certificates are not offered with free trial periods. This is because every certificate request involves the issuing CA carrying out a validation process where the certificate subject’s identity is verified.

However, there is some positive news: we offer a 100% money-back guarantee within 30-days of purchase. If you are not satisfied with the purchased certificate or due to any other reason you decide you don’t want it, you will get back your money.

How Long Does It Take to Get a Code Signing Certificate?

Once you submit all the required documents and validation process completes, your certificate will be issued which usually takes anywhere between 1 and 8 days. The issuance speeds vary depending on which CA issues the certificate. DigiCert offers the fastest issuance speeds (1-4 days).

What Is a Timestamp?

Timestamping is an optional signing tool that allows you to preserve the integrity of your digital signature on your software. It allows the user’s operating system to recognize the authenticity of your software app even after the code signing certificate that signed it is expired.

Basically, using a timestamp allows the validity of the signature to be checked against the time it was signed rather than the current time of the execution of software.

What Are the Supported Browsers for Requesting a Certificate?

The choice of your web browser no longer matters when submitting a certificate signing request (CSR). This is because your certificate private keys are no longer generated and stored temporarily in your browser. As of June 2023, all code signing certificate keys are generated on secure hardware (e.g., FIPS 140-2 Level 2-compliant hardware such as secure USB tokens and HSMs).

I’ve Downloaded My Certificate — Now What Do I Do?

You must export the certificate into a file in your device’s Trust Store before you can start using it. You can do this by downloading the file and selecting the “Install Certificate” option, then following the installation wizard prompts.

Will Code Signing Certificates Support MacOS/iOS, Mozilla, Java, Android, Flash, Adobe AIR, Silverlight & MS Office?

Yes, one certificate is more than enough to sign all the supported platforms. Whether it’s Mozilla, MacOS/iOS, Android, Java, Adobe AIR, Flash, Silverlight, or Microsoft Office macro files, you can use a single code signing certificate to sign all of them.

Just be aware that signing MacOS and iOS files requires an additional signature from Apple.

What Is a .p12 File or PKCS12 File?

.p12 is one of the alternate extensions of a “PFX file,” which consists of the private key & certificate in combination. It’s one of the formats that’s historically been used by all the major signing utilities. In case your signing tool refers to a PKCS12 file, that’s also the same.

What Is CodeSigningStore.com’s Refund Policy?

Not satisfied with your purchase? Any certificate obtained from our website comes with a 30-day money-back guarantee. At CodeSigningStore.com, you can cancel your order and ask for a refund. You will get back your paid amount without charging any fees so long as it’s within 30 days of the certificate’s issuance date.

Want to learn more? Read our full Refund Policy.

Why Are CodeSigningStore.com’s Prices So Low?

We’re glad you noticed! At CodeSigningStore.com, we take pride in offering best-of-class certificates at the cheapest prices. We’re able to offer the same code signing certificates, with all the latest features as you get directly from the authorized Certificate Authorities, but at a much lower price range because we purchase certificates in bulk.

This gives us a major discounted price that makes it affordable for us to pass a massive discount on to our customers.

How Do I Generate a Code Signing Certificate Request (CSR)?

If you purchase your certificate through CodeSigningStore.com, simply log in to your user portal and open the generation page. Follow the prompts to complete the CSR using CertificateGeneration.com.

If you opt to purchase your certificates through DigiCert’s CertCentral, DigiCert will handle the CSR process on the back end. This way, you won’t have to worry about it because it’ll be taken care of for you. It’s that easy.

How Do I Complete Validation For My Code Signing Certificate?

Please select the relevant guide for your selected product:

How Do I Collect / Download My Code Signing Certificate?

This process varies depending on which certification authority issues your certificate.

Sectigo

Sectigo code signing certificates are issued by default on a secure USB token and shipped directly to you. However, the process is different if you choose to store your certificate and its keys on an existing FIPS 140-2 Level 2-compliant hardware security module (HSM). Then, the certificate will be provided so you can install it on your HSM. 

DigiCert

By default, DigiCert code signing certificates are issued with a blank secure USB token. You must set up your secure hardware token prior to using the certificate. 

You’ll receive an email from your certificate’s issuing CA containing a copy of your code signing certificate file (listed as a *.p7b container file). Simply download the certificate from the email and install it to your device’s Root Store using the “Install Certificate” option.

DigiCert CertCentral Users

If you purchased a certificate through CertCentral, log in and search for your order. You have the option of downloading the certificate from there, too, in the event that you can’t find your email.

What Happens When My Code Signing Certificate Expires?

Code signing certificates come with a validity period of 1 to 3 years. When your certificate expires, it can no longer be used to create a new signature. But what happens to the software you signed using that certificate? Past signatures remain valid if you timestamped your software at the time of signing.

Will a Code Signing Certificate Eliminate the “Do you want to allow this app from an unknown publisher to make changes to your device?” UAC Warning My Users Are Seeing?

This “unknown publisher” warning message is generated by Windows operating systems. This security elevation prompt appears whenever a user tries to install unsigned software that attempts to run with admin access (as shown on the left in the image below).

Adding a publicly trusted digital signature to your software allows Windows to recognize the publisher of the software and start building a reputation for that publisher. However, digitally signing your software doesn’t mean that the UAC window will go away. Instead, it’ll display your verified publisher information (as shown on the right in the image below).

Screenshot examples of the User Account Control (UAC) screens that display when a user installs unsigned (left) and digitally signed (right) software apps

Still need help? Send us a note!

For any other questions, please write us at [email protected]