Code Signing Certificates, Cloud Signing Options and Signing Operations Integration

What is a Code Signing Certificate?

A code signing certificate is a digital certificate that provides a globally accepted proof of identity of a software publisher and is obtainable from a reputable Certificate Authority (CA) like Software companies use code signing certificates to provide proof that they are the developers of an application. 

Code signing certificates also prevent tampering of code and ensure that a file is free from unauthorized modifications, malware and is safe to install. Code signing certificates are an essential security feature when software is being distributed, sold, and downloaded online.  Digitally signing your code with trusted certificates lets users and operating systems know that your software is authentic and safe to install. You can always contact our sales team to explain these options and provide a quote.
Need a code signing certificate? has options to meet whatever your needs may be, learn more about our certificates.

Choosing the Right Code Signing Certificate

Organization Validation (OV) and Individual Validation (IV) certificates are referred to as High Assurance certificates because they  require more validation and thus provide more trust, . For OV and IV certs, the CA will verify the actual organization or individual person that is attempting to get the certificate. The organization’s or individual’s name is also listed in the certificate, giving added trust that the certificate holder is reputable. OV certificates are often used by corporations, governments and other entities that want to provide an extra layer of confidence for their visitors. Aside from SSL/TLS certificates, OV and IV are also commonly used for code signing, document signing, client authentication, and S/MIME email certificates. For more information as to requirements, please refer to’s OV and IV requirements. The Individual Validation (IV) Code Signing Certificate applies digital signatures with a personal name, perfect for independent software developers and individual project contributors who wish to increase confidence and trust from their users.  EV certificates, also known as enterprise code signing certificates, provide the maximum amount of trust to visitors, and also require the most effort by the CA to validate. EV certificates may only be issued to businesses and other registered organizations, not to individuals. Sole Proprietorship EV Code Signing Certificates add an individual’s identity to the standard EV code signing certificate. This validation option enables a sole proprietorship or individual contributor to include their name in the digital signature. The Sole Proprietorship validation option is also for enterprises that require an extra layer of security by including an individual’s validated identity in the digital signature. To know more about the features of these certificates, you can read our article,  Which Code Signing Certificate do I Need? EV or OV? At a quick glance, the defining features of OV and EV code signing certificates are listed below.

IV Code Signing Certificate:

  • Applies digital signatures with a personal name
  • Perfect for independent software developers and individual project contributors

OV Code Signing Certificate:

  • Verifies your identity as the software publisher
  • Shields your software from tampering and malware infection

EV Code Signing Certificate:

  • Ability to sign both pre-Windows 10 and Windows 10 Drivers
  • Instant Microsoft SmartScreen Reputation
  • Non-expiration of signature and time stamping
  •  Ability to Sign on the Cloud using eSigner
  • Sole Proprietorship EV Code Signing Certificates add an individual’s identity to the standard EV Code Signing Certificate

Setting up and Using Your Account

If you haven’t already, start by creating an account on Your account has the capability of creating multiple teams as well as inviting multiple users with specific role and rights assignments.

The Validation Process

In order to validate and issue an OV or IV certificate, must verify your identity, physical address, and telephone number via verifiable online resources and/or valid verification documents. For further details on the requirements, you can read What Are The Requirements for OV and IV Certificates?  Additionally for IV Code Signing Certificate orders, applicants will have to submit a front and back image of an ID plus an image of them holding the ID next to their face. Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate. Head over to FAQ: Extended Validation (EV) Process to know all the requirements for EV certs. For entities requesting EV Code Signing Certificates, will conduct validation both through trusted online resources and/or valid documents as well as extra documentation per guidelines set by the CA/Browser Forum.  

New key storage requirements for OV and IV Code Signing Certificates

Starting June 1, 2023, ’s Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will only be issued either on Federal Information Processing Standard 140-2 (FIPS 140-2) USB tokens or through our eSigner cloud code signing service. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys. The previous rule allowed OV and IV code signing certificates to be issued as downloadable files from the internet. Since the new requirements only allow the use of encrypted USB tokens or cloud-based FIPS compliant hardware appliances to store the certificate and private key, it is expected that instances of code signing keys being stolen and misused by malicious actors will be greatly reduced. Click this link to learn more about the eSigner cloud code signing solution.

Key Storage and Signing Methods for Extended Validation Code Signing Certificates 

USB Token

The most common approach to EV code signing is to use a Hardware Security Module (HSM) like a USB token which stores the EV Code Signing certificate and acts like a key in signing software code. Compared to storing the certificate on a local machine, a USB token scores well on handheld security and portability. One limitation to it though is that it can be quite expensive to buy and manage multiple tokens and they are not that flexible when compared to cloud-based options. provides secure private key storage and physical 2FA security with a Yubikey FIPS USB Token. This USB device adds anti-tampering protection to your software because only those individuals who have actual possession of it will be allowed to digitally sign a code to your applications or programs.

Cloud HSM

A second option for EV code signing is to use a networked HSM in the cloud to host code signing certificates and keys. This method offers a comparable level of security as a USB token since the private keys are also not exportable. Because code signing is conducted through the cloud, a scalable collaboration among developers is achieved. It should be noted though that this method may require expertise with the particular cloud service provider. For the issuance of EV code signing certificates, supports three Cloud HSMs: Microsoft Azure Dedicated HSM, Amazon Web Services (AWS) CloudHSM, and Google Cloud HSM. To get more details on each one, you can read our guide article: Supported Cloud HSMs for Document Signing and EV Code Signing.
  • To know how you can use your HSM account and hire a professional for Cloud HSM Attestation, you can read our article Bring Your Own Auditor Cloud HSM Attestation.
  • is currently developing and testing attestation procedures for a wide range of HSM platforms. You can fill out this inquiry form to find out if we are testing an HSM platform that was not listed above.

eSigner: Code Signing as a Service

Thirdly, a modern and very convenient approach to EV Code Signing is dealing with code signing as a service.’s eSigner cloud code signing service is an example of this method.  With eSigner, handles both the public key infrastructure (PKI) and HSMs for code signing. The non-exportable signing keys are stored in eSigner’s HSMs, where neither the customer nor can view them. This way, the security standard is as high as with tokens and cloud HSMs, but there is no need for the client to deal with them directly. The eSigner environment includes a number of signing options to accommodate the needs of a variety of customers, from individual developers to complex organizations.

eSigner Signing Options

  • With’s eSigner service, you can use your Extended Validation Code Signing Certificate to sign code from any internet-connected device without any additional hardware. After enrolling your EV Code Signing certificate order in eSigner, you can sign code with either the eSigner Express web app, eSigner CodeSignTool or through’s CSC-compliant code signing API

eSigner Supported File Types

Getting Started with Your Code Signing Certificate:

Upon receiving your new code signing certificate, you may have questions on how to use it and which applications it can be integrated with. The linked guides below answer common questions you may have about how to get started with your new certificate.

Getting Started with eSigner Cloud Code Signing

Below are resources that can provide you with more information on how to use eSigner’s interface and set it up for team-oriented tasks.

Using Your Yubikeys

Certificates like EV Code Signing ordered from come with the option of coming pre-installed in a Hardware Security Module (HSM) like a FIPS 140-2 validated security key USB token. If your certificate has not yet been validated, you can include the number of tokens you require when ordering and before completing the validation process. In case your certificate has already been issued, you still have the option of ordering additional tokens. To know how to add Yubikeys to your EV Code Signing cert, click this guide: How to Add YubiKeys to your Certificate Order If you already have a Yubikey, you can refer to the following guides on how to operate it:

Automation and Integration

eSigner CKA (Cloud Key Adapter)

  •  eSigner CKA (Cloud Key Adapter) is a Windows based application that uses the CNG interface (KSP Key Service Provider) to allow tools such as certutil.exe and signtool.exe to use the eSigner CSC for automated code signing operations. eSigner CKA acts like a virtual USB token and loads the code signing certs to the certificate store. 

eSigner and CodeSignTool for Automated EV Code Signing

  • CodeSignTool is ideal for automated batch processes for high volume signings or integration into existing CI/CD pipeline workflows.
  • Read our CodeSignTool guide on how to sign code objects without being prompted for manual OTP entry for each file.
  • Head over to eSigner CodeSign Tool Command Guide to know more about supported commands, options, and parameters.

Specific CI/CD Service Integration Guides

Below are specific guides on how to automate code signing using eSigner for the most popular CI/CD platforms. Learn more about the value of cloud-based code signing by reading our article: Cloud Code Signing Automation with CI/CD Services.

Testing EV Code Signing in the Sandbox maintains a separate “sandbox” environment for our eSigner cloud signing service so that users can experiment with the different apps, utilities, and APIs before working with live EV Code Signing certificates.

Specific Environment Guides’s EV Code Signing certificates can be used in various code-signing environments. Refer to the articles below for specific guides:  Aside from those indicated above, there are more environments that code signing certificates are compatible with. Contact or use the website chat for questions on other environments.

Contact Sales or Contact Support

If you need someone to walk you through all our code signing options, discuss custom integrations, high-volume deals, quotes or other custom solutions, you can always contact our sales or support teams.

Contact Form


Stay Informed and Secure is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.