
New Issuance Requirements for OV Code Signing Certificates. How Will CAs Comply?

Tags: OV Code Signing, Sectigo, Digicert, GlobalSign


Catherine, June 6, 2023

In accordance with the latest baseline requirements set by the CA/Browser Forum, as of June 1, 2023, the private keys of newly issued OV (Organization Validation) code signing certificates must be generated and stored on secure hardware devices that meet or exceed FIPS 140-2 level or Common Criteria EAL4+ standards. This change has led major vendors to adjust their issuance rules accordingly. This article compares the updated processes of Sectigo, Digicert, and GlobalSign for code signing certificates, giving readers a clearer understanding of these changes and addressing issues related to new, renewal, or reissuance requests for code signing certificates.

Understanding Code Signing Certificates:

A code signing certificate is a digital certificate used as cryptographic proof of the authenticity and integrity of software. Software developers use code signing certificates to digitally authenticate their programs, applications, and drivers, so that manipulation of the signed application by unauthorized individuals can be detected. These certificates allow developers to sign their code and allow users to verify its integrity, ensuring that the code remains unaltered and uncompromised during distribution.

Based on the validation type, code signing certificates can be categorized into two types: OV code signing certificates and EV code signing certificates. Both OV and EV certificates support digital signing of 32-bit or 64-bit .exe, .dll, .cab, .ocx (ActiveX), .msi, .xpi, and other file types. Successful signing guarantees code integrity, reduces security warnings during software downloads, and prevents malicious tampering and dissemination.
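The signing and verification workflow described above, shown as an added example that is not part of the NicSRS article or any vendor's documentation. It assumes signtool.exe from the Windows SDK is on PATH, that the token vendor's middleware is installed so the token-resident certificate appears in the CurrentUser\My store (the same step applies whether the vendor shipped a pre-loaded token or you imported the certificate onto a blank one), and that the file path, thumbprint and timestamp URL below are placeholders you replace with your own values.

```powershell
# Added example (not from the article): sign a binary with a certificate whose private
# key lives on a USB token or HSM, then verify the signature the way Windows will.
# Placeholders: replace $File and $Thumbprint; $TsaUrl is an assumed RFC 3161 timestamp
# server, use the one your CA documents.

$File       = ".\MyApp.exe"                     # binary to sign (placeholder path)
$Thumbprint = "<YOUR-CERT-THUMBPRINT>"          # SHA-1 thumbprint of the token-resident cert (placeholder)
$TsaUrl     = "http://timestamp.digicert.com"   # assumed timestamp server

function Invoke-CodeSign {
    param([string]$Path, [string]$Thumbprint, [string]$TsaUrl)
    # /fd SHA256: file digest algorithm
    # /sha1: select the certificate by thumbprint; the token middleware prompts for its PIN
    # /tr + /td: RFC 3161 timestamp so the signature stays valid after the certificate expires
    & signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TsaUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
}

function Test-CodeSignature {
    param([string]$Path)
    # Get-AuthenticodeSignature checks the hash and builds the chain as Windows does at install time
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $tsa = $null
    if ($sig.TimeStamperCertificate) { $tsa = $sig.TimeStamperCertificate.Subject }
    [pscustomobject]@{
        File      = $Path
        Status    = $sig.Status           # 'Valid' is the only acceptable outcome
        Signer    = $sig.SignerCertificate.Subject
        Timestamp = $tsa                  # $null means the signature was not timestamped
    }
}

Invoke-CodeSign -Path $File -Thumbprint $Thumbprint -TsaUrl $TsaUrl
$result = Test-CodeSignature -Path $File
$result | Format-List
if ($result.Status -ne 'Valid') { throw "Signature on $File is not valid: $($result.Status)" }

# Independent cross-check with signtool's own verifier (/pa = default Authenticode policy, /v = verbose)
& signtool.exe verify /pa /v $File
```

A status other than `Valid` (for example `HashMismatch` or `NotTrusted`) is what a user would see as a SmartScreen or installer warning, so the check belongs in the release pipeline rather than being left to end users.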

Issuing Code Signing Certificates Under the New Regulation:

To comply with the new requirements, Sectigo, Digicert, and GlobalSign have changed the issuance of their OV code signing certificates, shifting from the previous PFX file format to delivery on a USB token. The issuance process for EV code signing certificates remains unchanged, continuing to use the existing USB token method.

Furthermore, these vendors have made corresponding adjustments to certificate pricing:

Sectigo has slightly adjusted the prices for OV and EV code signing certificates; details can be found on their official website.
GlobalSign and Digicert require an additional payment for the USB token and shipping.
Digicert charges the same USB token fee for both OV and EV code signing certificates.
GlobalSign has modified the price for OV code signing certificates, adding an extra fee for the USB token, while the price of EV code signing certificates remains unchanged.

Regarding tokens:

Sectigo installs the code signing certificate on a token and securely delivers it to you, or installs it on your existing Hardware Security Module (HSM).
Digicert sends you a blank hardware token along with instructions for certificate installation, without installing your code signing certificate on the token itself.
GlobalSign allows the installation of OV and EV code signing certificates on customer-owned HSMs or Azure Key Vaults.

Apart from the aforementioned changes, the general process for issuing code signing certificates remains largely unchanged across the major vendors. They continue to provide support for digital signatures on various file types, ensuring code integrity and security.

Code signing certificates are essential tools for software developers seeking to establish trust, maintain integrity, and protect users from potential threats. By digitally signing code, developers can prove its authenticity, enhance user confidence, and reduce risks associated with unauthorized tampering. Given the increasing reliance on software, code signing certificates play a crucial role in building a secure and reliable digital ecosystem.

As a leading digital certificate service provider, NicSRS offers code signing certificates from renowned brands such as Sectigo, Digicert, and GlobalSign, as well as our private label sslTrus, ensuring comprehensive security for your applications. If you have any further questions, please feel free to contact us. We are committed to providing prompt and professional assistance.

Please note that the specific regulations and prices mentioned in this article may change over time. We recommend referring to the official information and pricing policies of each vendor when purchasing and using code signing certificates.