Which Code Signing Certificate Do I Need? EV or OV?

 

You probably already know that a code signing certificate from SSL.com will assure users that your software is from a known and trusted developer, free from unauthorized modifications and malware, and safe to install, but which code signing certificate should you buy?

SSL.com offers code signing certificates at both the Organization Validation (OV) and Extended Validation (EV) levels. Which level of validation do you need? The short answer is that EV code signing certificates are more expensive, but offer a higher initial Microsoft SmartScreen reputation level and are required for signing Windows 10 drivers.

If you’d like to learn more, read on to find out about:

Summary Table
EV | OV
Sign Windows 10 Drivers  
Sign pre-Windows-10 Drivers  
Instant Microsoft SmartScreen Reputation  
Two-factor Authentication with USB Token  
Available to Individuals Without a Registered Business  
Trusted on Major Software Platforms  

Windows 10 Drivers

 
  • If you are developing Windows 10 drivers, you need an EV code signing certificate.
    • Windows 10 kernel-mode drivers must be signed by Microsoft’s Dev Portal, and an EV code signing certificate is required to establish a Windows Hardware Dev Center dashboard account.
    • According to Microsoft’s documentation, both kernel- and user-mode driver submissions must have a valid EV code signing certificate.
  • An OV certificate may be used to sign drivers for versions of Windows before Windows 10. Please see Microsoft’s Driver Signing Policy for details on signing requirements for all versions of Windows.
[Figure: Unsigned driver installation warning. Caption: Don’t let this happen to your users!]

Microsoft SmartScreen Reputation

 

According to Microsoft’s FAQ, its reputation-based SmartScreen filter “checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.”

Signing your code is not required to earn a SmartScreen reputation, but EV-signed code’s extra level of trust lets developers skip this hurdle altogether:

  • An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
  • With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”
Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.”

Authentication and Key Storage

 
  • EV code signing certificates require two-factor authentication. They are shipped on an encrypted USB hardware token, which must be attached to your computer before signing.
  • OV code signing certificates are stored as a file on your computer, much like a web server’s SSL/TLS certificate.

Validation Requirements

 
  • EV certificates must be issued to a registered and verifiable organization such as a business, nonprofit, or government. They cannot be issued directly to individuals, but may be issued to a business registered as a sole proprietorship. Validation requirements for EV certificates are detailed in this FAQ.
  • OV certificates may be issued directly to an individual or organization. When issued to an individual, this type of certificate is technically referred to as Individual Validation (IV). Please read this FAQ for full details of validation requirements for OV/IV certificates.

Supported Platforms

 
  • SSL.com’s EV and OV code signing certificates are both trusted on the same major platforms:
    • Microsoft Authenticode (32- and 64-bit Windows files and applications)
    • Microsoft VBA (Visual Basic for Applications)
    • Java
    • Adobe AIR
    • macOS*
* Apple Developer ID certificates, issued by Apple, are required to distribute software through the macOS app store and satisfy macOS’s default Gatekeeper settings for software installation (which can be overridden by users if necessary). However, SSL.com code signing certificates may be used to sign files like profiles and policies on macOS. Furthermore, all apps on non-jailbroken iOS devices must be signed by an Apple-issued certificate.

Ordering and Installing Code Signing Certificates

 