You probably already know that a code signing certificate from SSL.com will assure users that your software is from a known and trusted developer, free from unauthorized modifications and malware, and safe to install.
Organization Validated (OV) and Individual Validated (IV) certificates require more validation than DV certificates, but provide more trust. For these types, the CA will verify the actual organization or individual person that is attempting to get the certificate. The organization’s or individual’s name is also listed in the certificate, giving added trust that both the website and its owner are reputable.
An IV code signing certificate is also known as a Personal Identity Certificate and is usually used by independent software developers and individual project contributors who wish to increase confidence and trust from their users.
An OV code signing certificate can be used for signing with Windows Authenticode. For an EV code signing certificate to be used, it must be currently valid and associated with the Microsoft Developer program account.
OV certificates are often used by corporations, governments and other entities that want to provide an extra layer of confidence to their visitors. Aside from SSL/TLS certificates, OV and IV are also commonly used for code signing, document signing, client authentication, and S/MIME email certificates. For more information, please refer to SSL.com’s OV and IV requirements.
Extended validation or EV certificates provide the maximum amount of trust to visitors, and also require the most effort by the CA to validate. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate (as described in SSL.com’s EV requirements). As with OV, EV lists the company name in the certificate itself. EV certificates may only be issued to businesses and other registered organizations, not to individuals.
An EV code signing certificate is required to sign Windows 10 drivers and provides an instant SmartScreen reputation boost. If you’re not sure which code signing certificate you need, please read this FAQ.
So, which code signing certificate should you buy? The short answer is that EV code signing certificates are more expensive, but offer a higher initial Microsoft SmartScreen reputation level, and are required for signing Windows 10 drivers.
If you’d like to learn more, read on to find out about:
- Windows 10 Drivers
- Microsoft SmartScreen Reputation
- Authentication and Key Storage
- Supported Platforms
- Ordering and Installing Code Signing Certificates
|Sign Windows 10 Drivers|
|Sign pre-Windows-10 Drivers|
|Instant Microsoft SmartScreen Reputation|
|Two-factor Authentication with USB Token or Cloud Signing Service|
|Available to Individuals Without a Registered Business|
|Trusted on Major Software Platforms|
- If you are developing Windows 10 drivers, you need an EV code signing certificate.
- Windows 10 kernel-mode drivers must be signed by Microsoft’s Dev Portal, and an EV code signing certificate is required to establish a Windows Hardware Dev Center dashboard account. Please read this how-to for information on signing up.
- According to Microsoft’s documentation, both kernel- and user-mode driver submissions must have a valid EV code signing certificate.
- An OV certificate may be used to sign drivers for versions of Windows before Windows 10. Please see Microsoft’s Driver Signing Policy for details on signing requirements for all versions of Windows.
According to Microsoft’s FAQ, its reputation-based SmartScreen filter “checks the files that you download against a list of files that are well known and downloaded by many people who use Internet Explorer. If the file that you’re downloading isn’t on that list, SmartScreen will warn you.”
Signing your code is not required to earn a SmartScreen reputation, but EV-signed code’s extra level of trust lets developers skip this hurdle altogether:
- An EV code signing certificate offers an immediate reputation with Microsoft SmartScreen, so your users will never have to click through a SmartScreen warning in Windows.
- With an OV certificate, SmartScreen reputation must be built organically, as users download and install your files. SmartScreen warnings may occur until enough software proves sufficiently popular with Windows users for SmartScreen to view it as “well known.”
- EV code signing certificates require two-factor authentication. They may be shipped on an encrypted USB hardware token, which must be attached to your computer before signing, or enrolled in a cloud signing service like SSL.com’s eSigner.
- OV code signing certificates are stored as a file on your computer, much like a web server’s SSL/TLS certificate.
- EV certificates must be issued to a registered and verifiable organization such as a business, nonprofit, or government. They cannot be issued directly to individuals, but may be issued to a business registered as a sole proprietorship. Validation requirements for EV certificates are detailed in this FAQ.
- OV certificates may be issued directly to an individual or organization. When issued to an individual, this type of certificate is technically referred to as Individual Validation (IV). Please read this FAQ for full details of validation requirements for OV/IV certificates.
- SSL.com’s EV and OV code signing certificates are both trusted on the same major platforms:
- Microsoft Authenticode (32- and 64-bit Windows files and applications)
- Microsoft VBA (Visual Basic for Applications)
- Adobe AIR
- Ready to get started? To purchase EV or OV code signing certificates, please visit the following links:
- Need help with ordering and installation? Please read these how-tos:
- When you’re ready to start signing code, check out our how-to on Using Your Code Signing Certificate.