
Code Signing Certificates, Cloud Signing Options and Signing Operations Integration

What is a Code Signing Certificate?

A code signing certificate is a digital certificate that provides a globally accepted proof of identity of a software publisher and is obtainable from a reputable Certificate Authority (CA) like SSL.com. Software companies use code signing certificates to provide proof that they are the developers of an application. 

Code signing certificates also protect code against tampering: a valid signature shows that a file has not been modified since the publisher signed it, so users can trust that it is free from unauthorized modifications or injected malware and is safe to install. Code signing certificates are an essential security feature when software is distributed, sold, and downloaded online.

Digitally signing your code with trusted SSL.com certificates lets users and operating systems know that your software is authentic and safe to install.
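The two properties described above, proof of the publisher's identity and proof that the file is unchanged, are easiest to see in code. The following Go program is an added example written for this page; it is not SSL.com's code, and it does not produce the PKCS#7/Authenticode structure that signtool or CodeSignTool produce. It stands up a constructed root CA in place of a public CA, issues a code signing certificate to a constructed publisher name, signs a byte string standing in for an installer, and then verifies it the way an operating system does: the signer must chain to a trusted root and be permitted to sign code, and the signature must match the file's current digest. It then shows that a one-bit change to the file and a signer outside the trust store are both rejected. All names, serial numbers and the payload are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is what ships to the user: the file bytes, the signer's
// certificate (DER) and an RSA-PSS signature over SHA-256 of the bytes.
type SignedArtifact struct {
	Data, SignerDER, Signature []byte
}

// makeCert generates a 2048-bit key and a one-day certificate for it. With
// parent == nil the certificate is self-signed (a root CA standing in for a
// public CA); otherwise it is a code signing leaf issued by parent. 2048-bit
// keys keep the example fast; real code signing keys are 3072 bits or larger.
func makeCert(serial int64, cn string, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // constructed serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign hashes the file and signs the digest with the publisher's private key.
// The salt length matches what x509.SHA256WithRSAPSS expects on verification.
func Sign(data []byte, cert *x509.Certificate, key *rsa.PrivateKey) (*SignedArtifact, error) {
	digest := sha256.Sum256(data)
	opts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], opts)
	if err != nil {
		return nil, err
	}
	return &SignedArtifact{Data: data, SignerDER: cert.Raw, Signature: sig}, nil
}

// Verify makes the two checks an installer or OS makes on a signed file:
// identity (the signer chains to a trusted root and may sign code) and
// integrity (the signature matches the file's current digest). It returns
// the validated publisher name taken from the certificate.
func Verify(a *SignedArtifact, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(a.SignerDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSAPSS, a.Data, a.Signature); err != nil {
		return "", fmt.Errorf("file modified after signing: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Demo signs a constructed payload and exercises the three outcomes a user can
// see: a valid signature, a file altered after signing, and a signer that is
// not in the trust store. It returns the validated name and the two rejections.
func Demo() (name string, tamperRejected, untrustedRejected bool, err error) {
	ca, caKey, err := makeCert(1, "Example Code Signing Root (constructed)", nil, nil)
	if err != nil {
		return
	}
	leaf, leafKey, err := makeCert(2, "Example Software Ltd (constructed)", ca, caKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	signed, err := Sign([]byte("constructed installer bytes, not a real executable"), leaf, leafKey)
	if err != nil {
		return
	}
	if name, err = Verify(signed, roots); err != nil {
		return
	}
	tampered := &SignedArtifact{Data: append([]byte(nil), signed.Data...), SignerDER: signed.SignerDER, Signature: signed.Signature}
	tampered.Data[0] ^= 0x01 // flip one bit, as a corrupted or altered download would
	_, tErr := Verify(tampered, roots)
	_, uErr := Verify(signed, x509.NewCertPool()) // empty trust store: unknown CA
	return name, tErr != nil, uErr != nil, nil
}

func main() {
	name, tamperRejected, untrustedRejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("publisher=%q tamperRejected=%v untrustedRejected=%v\n", name, tamperRejected, untrustedRejected)
}
```

The order of the checks in Verify matters: the chain and the Code Signing extended key usage are checked before the signature, so a valid signature from a certificate that was never issued for code signing, or from a CA the platform does not trust, is rejected just like a tampered file. Real signing tools add what this example omits: the certificate chain and a trusted timestamp are embedded alongside the signature so the file stays verifiable after the signing certificate expires.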

You can always contact our sales team to explain these options and provide a quote.

Need a code signing certificate? SSL.com has options to meet whatever your needs may be, learn more about our certificates.

Choosing the Right Code Signing Certificate

Organization Validation (OV) and Individual Validation (IV) certificates are referred to as High Assurance certificates because they require more validation and thus provide more trust. For OV and IV certs, the CA verifies the actual organization or individual person that is applying for the certificate. The organization’s or individual’s name is also listed in the certificate, giving added assurance that the certificate holder is reputable.

OV certificates are often used by corporations, governments and other entities that want to provide an extra layer of confidence for their visitors. Aside from SSL/TLS certificates, OV and IV are also commonly used for code signing, document signing, client authentication, and S/MIME email certificates. For more information on the requirements, please refer to SSL.com’s OV and IV requirements.

The Individual Validation (IV) Code Signing Certificate applies digital signatures with a personal name, perfect for independent software developers and individual project contributors who wish to increase confidence and trust from their users. 

EV certificates, also known as enterprise code signing certificates, provide the maximum amount of trust to visitors, and also require the most effort by the CA to validate. EV certificates may only be issued to businesses and other registered organizations, not to individuals.

SSL.com Sole Proprietorship EV Code Signing Certificates add an individual’s identity to the standard EV code signing certificate. This validation option enables a sole proprietorship or individual contributor to include their name in the digital signature. The Sole Proprietorship validation option is also for enterprises that require an extra layer of security by including an individual’s validated identity in the digital signature.

To know more about the features of these certificates, you can read our article, Which Code Signing Certificate do I Need? EV or OV?

At a quick glance, the defining features of IV, OV and EV code signing certificates are listed below.

IV Code Signing Certificate:

OV Code Signing Certificate:

EV Code Signing Certificate:

Setting up and Using Your SSL.com Account

If you haven’t already, start by creating an account on SSL.com. Your account has the capability of creating multiple teams as well as inviting multiple users with specific role and rights assignments.

The Validation Process

In order to validate and issue an OV or IV certificate, SSL.com must verify your identity, physical address, and telephone number via verifiable online resources and/or valid verification documents. For further details on the requirements, you can read What Are The Requirements for SSL.com OV and IV Certificates? 

Additionally for IV Code Signing Certificate orders, applicants will have to submit a front and back image of an ID plus an image of them holding the ID next to their face.

Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate. Head over to FAQ: Extended Validation (EV) Process to know all the requirements for EV certs.

For entities requesting EV Code Signing Certificates, SSL.com will conduct validation both through trusted online resources and/or valid documents as well as extra documentation per guidelines set by the CA/Browser Forum.  

New key storage requirements for OV and IV Code Signing Certificates

Starting June 1, 2023, SSL.com’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change complies with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements, which increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be issued as downloadable files from the internet. Since the new requirements only allow encrypted USB tokens or cloud-based FIPS-compliant hardware appliances to store the certificate and private key, instances of code signing keys being stolen and misused by malicious actors are expected to be greatly reduced. Click this link to learn more about the SSL.com eSigner cloud code signing solution.

Key Storage and Signing Methods for Extended Validation Code Signing Certificates 

USB Token

SSL.com ships code signing certificates pre-installed on Yubikey FIPS tokens and Thales SafeNet (Gemalto) USB tokens, enhancing their utility in secure digital authentication and certification processes.

Thales SafeNet tokens are equipped to handle RSA keys up to 3072 bits, crucial for kernel mode signing, a prerequisite in certain software development environments, such as driver signing for Microsoft systems.

Through a procedure known as remote attestation, customers of SSL.com, regardless of their location, can create a key pair directly on their YubiKey, along with an attestation certificate that proves the private key was generated on the device. The attestation certificate can subsequently be used to renew an expired certificate on the Yubikey. Remote attestation is currently not available for Thales token customers. For a more detailed comparison between the features of Yubikeys and Thales SafeNet tokens, please refer to this SSL.com article: Yubikey FIPS tokens vs Thales/Gemalto USB tokens

Both Yubikey and Thales SafeNet tokens are designed to boost security without substantially compromising user experience. The choice between them should be guided by the organization’s security approach and operational needs. However, as physical devices, they can be lost or stolen, posing significant security risks and potentially incurring high replacement costs. In a modern remote work setting, the logistics of distributing and maintaining these hardware tokens can pose significant challenges for IT teams, requiring notable expenses and manpower. Additionally, these tokens do not offer the same level of convenience as cloud-based solutions, especially for developers working within a CI/CD pipeline.

Cloud HSM

A second option for EV code signing is to use a networked HSM in the cloud to host code signing certificates and keys. This method offers a comparable level of security as a USB token since the private keys are also not exportable. Because code signing is conducted through the cloud, a scalable collaboration among developers is achieved. It should be noted though that this method may require expertise with the particular cloud service provider.

For the issuance of EV code signing certificates, SSL.com supports three Cloud HSMs: Microsoft Azure Dedicated HSM, Amazon Web Services (AWS) CloudHSM, and Google Cloud HSM. To get more details on each one, you can read our guide article: Supported Cloud HSMs for Document Signing and Code Signing.

eSigner: Code Signing as a Service

A third, modern and very convenient approach is to consume code signing as a service. SSL.com’s eSigner cloud code signing service is an example of this method.

With eSigner, SSL.com handles both the public key infrastructure (PKI) and HSMs for code signing. The non-exportable signing keys are stored in eSigner’s HSMs, where neither the customer nor SSL.com can view them. This way, the security standard is as high as with tokens and cloud HSMs, but there is no need for the client to deal with them directly.

The eSigner environment includes a number of signing options to accommodate the needs of a variety of customers, from individual developers to complex organizations.

eSigner Signing Options

eSigner Supported File Types

Getting Started with Your Code Signing Certificate:

Upon receiving your new code signing certificate, you may have questions on how to use it and which applications it can be integrated with. The linked guides below answer common questions you may have about how to get started with your new certificate.

Getting Started with eSigner Cloud Code Signing

Below are resources that can provide you with more information on how to use eSigner’s interface and set it up for team-oriented tasks.

Using Your Yubikeys

Certificates such as Code Signing certificates ordered from SSL.com can optionally ship pre-installed in a Hardware Security Module (HSM) such as a FIPS 140-2 validated USB security key token. If your certificate has not yet been validated, you can include the number of tokens you require when ordering and before completing the validation process. If your certificate has already been issued, you can still order additional tokens.

To know how to add Yubikeys to your Code Signing cert, click this guide: How to Add YubiKeys to your Certificate Order

If you already have a Yubikey, you can refer to the following guides on how to operate it:

Automation and Integration

eSigner CKA (Cloud Key Adapter)

eSigner and CodeSignTool for Automated EV Code Signing

Specific CI/CD Service Integration Guides

Below are specific guides on how to automate code signing using eSigner for the most popular CI/CD platforms.

Learn more about the value of cloud-based code signing by reading our article: Cloud Code Signing Automation with CI/CD Services.

Testing Code Signing in the Sandbox

SSL.com maintains a separate “sandbox” environment for our eSigner cloud signing service so that users can experiment with the different apps, utilities, and APIs before working with live Code Signing certificates.

Specific Environment Guides

SSL.com’s Code Signing certificates can be used in various code-signing environments. Refer to the articles below for specific guides: 

Aside from those indicated above, there are more environments that SSL.com code signing certificates are compatible with. Contact support@ssl.com or use the website chat for questions on other environments.

Contact Sales or Contact Support

If you need someone to walk you through all our code signing options, discuss custom integrations, high-volume deals, quotes or other custom solutions, you can always contact our sales or support teams at sales@ssl.com and support@ssl.com.
