Code Signing Certificates
Sectigo code signing certificates allow software publishers to digitally sign their code, including applications, executables, scripts, and programs, to confirm that the software has not been altered after release.
Without a digital signature verified by a trusted Certificate Authority (CA), major operating systems like Microsoft Windows will show end users a warning message before installation. This reduces downloads and adoption and leaves unsigned or weakly signed code vulnerable to tampering and supply-chain attacks.
Sectigo Code Signing Certificates build user trust, protect against unauthorized modification, and support faster releases with streamlined issuance and reduced operational friction.
OV Code Signing Certificate
FIPS-Compliant Device Delivery
- Organization Validation (OV) offers baseline trust and fast issuance
- Free token with 3-year certificate
- Meet CA/Browser Forum authentication standards and Microsoft specifications
- Establishes reputation in Windows, Microsoft Edge, and Microsoft SmartScreen® Application Reputation filter
- Increase user confidence by showing the identity of the signing party before applications are run
- Supports all major 32-bit/64-bit formats, including Microsoft Authenticode (kernel and user mode files, like .exe, .cab, .dll, .ocx, .msi, .xpi, and .xap), Adobe Air, Apple applications and plug-ins, Java, MS Office Macro and VBA, Mozilla object files, and Microsoft Silverlight applications
- Includes timestamp functionality for continued operation even after the code signing certificate has expired
EV Code Signing Certificate
Highest level of Security
- Extended validation (EV) offers highest level of security
- Free USB token with 3-year certificate
- Meet CA/Browser Forum authentication standards and Microsoft specifications
- Establishes reputation in Windows 8.0 and later, Internet Explorer 9 and later, Microsoft Edge, and Microsoft SmartScreen® Application Reputation filter
- Increase user confidence by showing the identity of the signing party before applications are run
- Protects private key from theft via hardware token and PIN
- Supports all major 32-bit/64-bit formats, including Microsoft Authenticode (kernel and user mode files, like .exe, .cab, .dll, .ocx, .msi, .xpi, and .xap), Adobe Air, Apple applications and plug-ins, Java, MS Office Macro and VBA, Mozilla object files, and Microsoft Silverlight applications
- Includes timestamp functionality for continued operation even after the code signing certificate has expired
Secure Code Signing Without Slowing Down Your Releases
Code signing shouldn't block releases or scare away users. Sectigo's verified certificates boost install rates, eliminate signing delays, and protect every build from unauthorized tampering.
OS Security Warnings + Lost Installs
- The Problem: Users abandon downloads when Windows or browsers warn them that your software is unknown or untrusted.
- How We Help: Sectigo verifies your publisher identity and signs your software so operating systems recognize you as trusted.
- What You Get: Fewer security warnings lead to higher install rates, stronger user confidence, and smoother adoption of your application.
Slow Releases and DevOps Friction
- The Problem: Developers waste time navigating validation steps, hardware requirements, and manual signing workflows that slow releases and disrupt pipelines.
- How We Help: Sectigo streamlines validation and supports modern DevOps workflows so code signing integrates directly into your release process.
- What You Get: You ship faster, reduce manual overhead, and keep development moving without security becoming a bottleneck.
Risk of Tampered Code and Supply Chain Attacks
- The Problem: Security teams worry about malware injection and compromised builds that can damage customer trust and brand reputation.
- How We Help: Sectigo protects private keys with FIPS-compliant hardware and verified identity checks to prevent unauthorized signing.
- What You Get: Your software stays protected from tampering, giving customers confidence in every release while safeguarding your brand.
Updated code signing regulations
Starting June 1, 2023, the CA/B Forum changed the OV Code Signing regulations to require all Certificate Authorities to ensure that the subscriber’s private key is generated, stored, and used in suitable FIPS-compliant hardware.
Private key requirements for EV code signing certificates have been stronger than those for OV code signing certificates, which were more relaxed.
The new rules are intended to reduce the potential misuse of code signing certificates and to further protect those certificates from getting into the wrong hands by making key protection requirements for OV code signing certificates the same as EV code signing certificates.
As of June 1, 2023, you will no longer be able to issue your standard OV code signing certificates. All code signing certificates issued after June 1, 2023 will be:
- Installed on a token and shipped securely to the requester
- Available as a download to be installed on the customer’s own HSM. The hardware devices (e.g. USB tokens, HSMs, etc.) must be FIPS-compliant and support externally verifiable key attestation.
How do code signing certificates work?
The code signing process works by using public key cryptography and cryptographic hashing to create a digital signature that binds a software package to a verified publisher identity. When code is signed, a unique fingerprint of the software is created, encrypted with the publisher’s private key, and attached to the code along with the code signing certificate so it can be verified before distribution.
When an end user downloads or installs the software, the operating system verifies the signature using the corresponding public key. If the signature is missing, invalid, or untrusted, the end user will receive an error or warning message.
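The sign-then-verify flow described above, as an added example that is not Sectigo's tooling or part of the original page. It assumes the `openssl` command-line tool; the throwaway key, the self-signed certificate (standing in for a CA-issued one) and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Added illustration (not Sectigo tooling). Key, certificate and file
# contents are constructed; a self-signed cert stands in for a CA-issued one.
WORK=$(mktemp -d)

make_publisher() {   # throwaway software key; real keys stay in a token/HSM
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example Publisher/CN=Example Publisher" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

sign_digest() {      # $1 = file; only the 32-byte SHA-256 digest is signed
  openssl dgst -sha256 -binary "$1" > "$1.digest"
  openssl pkeyutl -sign -inkey "$WORK/key.pem" -in "$1.digest" \
    -pkeyopt digest:sha256 -out "$1.sig"
}

verify_file() {      # $1 = file, $2 = signature, $3 = publisher certificate
  openssl x509 -in "$3" -pubkey -noout > "$WORK/pub.pem" &&
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$2" "$1" \
    >/dev/null 2>&1
}

make_publisher
printf 'constructed installer bytes v1.0\n' > "$WORK/app.bin"
sign_digest "$WORK/app.bin"

# Simulate post-release tampering: same signature, modified bytes.
cp "$WORK/app.bin" "$WORK/tampered.bin"
printf 'injected\n' >> "$WORK/tampered.bin"

for f in app.bin tampered.bin; do
  if verify_file "$WORK/$f" "$WORK/app.bin.sig" "$WORK/cert.pem"; then
    echo "$f: signature valid"
  else
    echo "$f: signature INVALID, do not install"
  fi
done
```

`verify_file` checks only that the signature matches the file and the certificate's public key. An operating system additionally validates the certificate chain up to a trusted CA, which this self-signed certificate would not pass.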


Intuitive Dashboard
In our customer dashboard, you'll be able to view all products you have with Sectigo, view their lifecycle status, issue or reissue certificates, and renew expiring ones, saving you time and the worry that an expired certificate may take down your site at an unexpected time.
Trusted by Leading Brands Globally
Securing some of the world’s largest and best-known brands.
FAQs
A code signing certificate is a type of digital certificate that allows software developers to add digital signatures to code and to include information about themselves and the integrity of their code within their software. The end users that download digitally signed 32-bit or 64-bit executable files (.exe, .ocx, .dll, .cab, and more) can be confident that the code came from the verified developer and was not tampered with by a third party.
Sectigo offers two types of code signing certificates, Organization Validation and Extended Validation, to match different security and distribution requirements.
OV code signing is best suited for internal applications and B2B software where faster issuance and baseline trust are sufficient. This option also offers a lower cost entry point.
EV code signing certificates provide the strongest identity verification and high end user confidence. This option is recommended when software is distributed to large audiences, for public-facing software, and in environments where security is critical.
A code signing service is an online, cloud-based solution that provides signatures for code binaries. The developer’s certificate is maintained securely in the cloud. The developer or signee does not have to send the entire file to be signed; a hash code will suffice. The service provides security, convenience, and scalability.
There are certain requirements that need to be fulfilled during the code signing certificate validation process. The three main things that must be verified before issuance include:
1. The legal existence of the organization or individual named in the Organization field of the certificate must be verified.
2. The email to which the code signing certificate is to be sent must be an address at domain.com, where domain.com is owned by the organization named in the certificate.
3. A callback must be made to a verified telephone number for the organization or individual named in the certificate in order to verify that the person placing the order is an authorized representative of the organization.
As of June 1, 2023 Code Signing certificates will be:
- Installed on a Sectigo token and shipped securely to the customer.
- Available as a download to be installed on the customer’s own HSM. The hardware devices (e.g. tokens, HSMs, etc.) must be FIPS-compliant and support externally verifiable key attestation.
Code Signing certificates are installed on a physical token and shipped to your location. We can only provide full refunds for products that have not been shipped. Once a product has shipped, and within 30 days of the order, we will refund the product cost, less shipping and token cost.
A Sectigo® code signing certificate starts at $340.33 per year when customers choose the three-year option. The cost goes up for shorter time periods and for EV code signing certificates.
Need help?
Need help making a purchase? Contact us today to get your certificate issued right away.