Code Signing Certificates, Cloud Signing Options and Signing Operations Integration

What is a Code Signing Certificate?

A code signing certificate is a digital certificate that provides a globally accepted proof of identity of a software publisher and is obtainable from a reputable Certificate Authority (CA) like SSL.com. Software companies use code signing certificates to provide proof that they are the developers of an application. 

Code signing certificates also protect code against tampering: a valid signature shows that a file is free from unauthorized modifications and malware and is safe to install. Code signing certificates are an essential security feature when software is distributed, sold, and downloaded online. Digitally signing your code with trusted SSL.com certificates lets users and operating systems know that your software is authentic and safe to install. You can always contact our sales team to have these options explained and to receive a quote.

Choosing the Right Code Signing Certificate

Organization Validated (OV) and Individual Validated (IV) certificates are referred to as High Assurance certificates because they require more validation and thus provide more trust. For OV and IV certificates, the CA verifies the actual organization or individual person applying for the certificate. The organization’s or individual’s name is also listed in the certificate, giving added assurance that the certificate holder is reputable. OV certificates are often used by corporations, governments and other entities that want to provide an extra layer of confidence for their visitors. Aside from SSL/TLS certificates, OV and IV are also commonly used for code signing, document signing, client authentication, and S/MIME email certificates. For more information on the requirements, please refer to SSL.com’s OV and IV requirements.

The Individual Validation (IV) Code Signing Certificate applies digital signatures under a personal name, making it well suited to independent software developers and individual project contributors who wish to increase confidence and trust from their users.

EV certificates provide the maximum amount of trust to visitors and also require the most effort by the CA to validate. EV certificates may only be issued to businesses and other registered organizations, not to individuals. SSL.com IV + EV code signing certificates add an individual’s identity to the standard EV code signing certificate. This validation option enables a sole proprietorship or individual contributor to include their name in the digital signature. The IV+EV validation option is also for enterprises that require an extra layer of security by including an individual’s validated identity in the digital signature. To know more about the features of these certificates, you can read our article, Which Code Signing Certificate do I Need? EV or OV? At a quick glance, the defining features of OV and EV code signing certificates are listed below.

OV code signing certificates:

  • Verifies your identity as the software publisher
  • Shields your software from tampering and malware infection

EV code signing certificates:

  • Ability to sign both pre-Windows 10 and Windows 10 Drivers
  • Instant Microsoft SmartScreen Reputation
  • Non-expiration of signature and time stamping
  • Ability to Sign on the Cloud using eSigner

Setting up and Using Your SSL.com Account

If you haven’t already, start by creating an account on SSL.com. Your account has the capability of creating multiple teams as well as inviting multiple users with specific role and rights assignments.

The Validation Process

In order to validate and issue an OV or IV certificate, SSL.com must verify your identity, physical address, and telephone number via verifiable online resources and/or valid verification documents. For further details on the requirements, you can read What Are The Requirements for SSL.com OV and IV Certificates?

Per guidelines set by the CA/Browser Forum, extra documentation must be provided to issue an EV certificate. Head over to FAQ: Extended Validation (EV) Process to learn all the requirements for EV certificates. For entities requesting EV+IV and OV+IV code signing certificates, SSL.com conducts validation through trusted online resources and/or valid documents, plus the extra documentation required by the CA/Browser Forum guidelines.

Key Storage and Signing Methods for Extended Validation Code Signing Certificates 

USB Token

The most common approach to EV code signing is to use a Hardware Security Module (HSM) such as a USB token, which stores the EVCS certificate and acts like a key when signing software code. Compared to storing the certificate on a local machine, a USB token scores well on physical security and portability. One limitation is that buying and managing multiple tokens can be quite expensive, and tokens are not as flexible as cloud-based options.

SSL.com provides secure private key storage and physical 2FA security with a YubiKey FIPS USB token. This USB device adds anti-tampering protection to your software because only those individuals who have actual possession of it are able to digitally sign your applications or programs.

Cloud HSM

A second option for EV code signing is to use a networked HSM in the cloud to host code signing certificates and keys. This method offers a comparable level of security to a USB token, since the private keys are likewise not exportable. Because code signing is conducted through the cloud, scalable collaboration among developers is achieved. It should be noted, though, that this method may require expertise with the particular cloud service provider.

For the issuance of EV code signing certificates, SSL.com supports three Cloud HSMs: Microsoft Azure Dedicated HSM, Amazon Web Services (AWS) CloudHSM, and Google Cloud HSM. To get more details on each one, you can read our guide article: Supported Cloud HSMs for Document Signing and EV Code Signing.
  • To know how you can use your HSM account and hire a professional for Cloud HSM Attestation, you can read our article Bring Your Own Auditor Cloud HSM Attestation.
  • SSL.com is currently developing and testing attestation procedures for a wide range of HSM platforms. You can fill out this inquiry form to find out if we are testing an HSM platform that was not listed above.

eSigner: Code Signing as a Service

Thirdly, a modern and very convenient approach to EVCS is to treat code signing as a service. SSL.com’s eSigner cloud code signing service is an example of this method. With eSigner, SSL.com handles both the public key infrastructure (PKI) and the HSMs for code signing. The non-exportable signing keys are stored in eSigner’s HSMs, where neither the customer nor SSL.com can view them. This way, the security standard is as high as with tokens and cloud HSMs, but the client does not need to deal with them directly. The eSigner environment includes a number of signing options to accommodate the needs of a variety of customers, from individual developers to complex organizations.

eSigner Signing Options

  • With SSL.com’s eSigner service, you can use your SSL.com Extended Validation Code Signing Certificate to sign code from any internet-connected device without any additional hardware. After enrolling your EV Code Signing certificate order in eSigner, you can sign code with the eSigner Express web app, eSigner CodeSignTool, or SSL.com’s CSC-compliant code signing API.

eSigner Supported File Types

Getting Started with Your Code Signing Certificate

Upon receiving your new code signing certificate, you may have questions on how to use it and which applications it can be integrated with. The linked guides below answer common questions you may have about how to get started with your new certificate.

  • How to use your OV or EV code signing certificate with Microsoft’s SignTool and SSL.com’s SSL Manager

Getting Started with eSigner Cloud Code Signing

Below are resources that can provide you with more information on how to use eSigner’s interface and set it up for team-oriented tasks.

Using Your YubiKeys

Certificates such as EV Code Signing ordered from SSL.com can optionally be delivered pre-installed on a Hardware Security Module (HSM) such as a FIPS 140-2 validated security key USB token. If your certificate has not yet been validated, you can include the number of tokens you require when ordering, before completing the validation process. If your certificate has already been issued, you can still order additional tokens.

To learn how to add YubiKeys to your EVCS certificate, see this guide: How to Add YubiKeys to your Certificate Order

If you already have a YubiKey, you can refer to the following guides on how to operate it:

Automation and Integration

eSigner CKA (Cloud Key Adapter)

  • eSigner CKA (Cloud Key Adapter) is a Windows-based application that uses the CNG interface (a Key Storage Provider, KSP) to allow tools such as certutil.exe and signtool.exe to use the eSigner CSC for automated code signing operations. eSigner CKA acts like a virtual USB token and loads the code signing certificates into the certificate store.
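The following PowerShell script is an added example, not SSL.com's own code or part of eSigner CKA: it shows how signtool.exe consumes a certificate that a CNG key storage provider has placed in the certificate store, requests an RFC 3161 timestamp so the signature outlives the certificate, and then verifies the result from the consumer's side. It assumes signtool.exe (Windows SDK) is on PATH, the certificate sits in Cert:\CurrentUser\My, and $TimestampUrl is a placeholder for your CA's timestamp server.

```powershell
# Added example (not SSL.com's own code). Sign a binary via a store-resident,
# KSP-backed code signing certificate and verify the resulting signature.
# Assumptions: signtool.exe on PATH; certificate in Cert:\CurrentUser\My;
# $TimestampUrl is a placeholder, replace it with your CA's RFC 3161 server.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [Parameter(Mandatory)] [string] $SubjectName,               # CN of the signing cert
    [string] $TimestampUrl = 'http://timestamp.example.invalid'  # placeholder URL
)

# Locate the code-signing certificate in the user store. With a KSP-backed
# key the private material never enters this session; signtool only asks the
# provider to perform the signing operation.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
    Select-Object -First 1
if (-not $cert) {
    throw "No code-signing certificate with CN=$SubjectName in CurrentUser\My"
}

# /fd and /td select SHA-256 for the file digest and the timestamp digest.
# /tr requests an RFC 3161 timestamp so verification still succeeds after the
# signing certificate itself expires. /sha1 picks the certificate by thumbprint,
# which avoids ambiguity when several certificates share a subject name.
& signtool.exe sign /fd SHA256 /td SHA256 /tr $TimestampUrl /sha1 $cert.Thumbprint $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# The check a consumer of the binary would run: /pa applies the default
# Authenticode policy, /v prints the certificate chain and timestamp details.
& signtool.exe verify /pa /v $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Cross-check with PowerShell's own Authenticode reader and confirm that a
# timestamp countersignature is present (TimeStamperCertificate is $null if not).
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
[pscustomobject]@{
    Status      = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Timestamped = [bool] $sig.TimeStamperCertificate
    TimestampCA = $sig.TimeStamperCertificate.Issuer
}
```

A missing timestamp is the most common reason a signature that verifies today fails once the certificate expires, which is why the script treats an absent TimeStamperCertificate as something to surface rather than ignore.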

eSigner and CodeSignTool for Automated EV Code Signing

  • CodeSignTool is ideal for automated batch processes for high volume signings or integration into existing CI/CD pipeline workflows.
  • Read our CodeSignTool guide on how to sign code objects without being prompted for manual OTP entry for each file.
Head over to eSigner CodeSign Tool Command Guide to know more about supported commands, options, and parameters.

Testing EV Code Signing in the Sandbox

SSL.com maintains a separate “sandbox” environment for our eSigner cloud signing service so that users can experiment with the different apps, utilities, and APIs before working with live EV Code Signing certificates.

Specific Environment Guides

SSL.com’s EVCS certificates can be used in various code-signing environments. Refer to the articles below for specific guides:

Aside from those indicated above, there are more environments that SSL.com code signing certificates are compatible with. Contact support@ssl.com or use the website chat for questions on other environments.

Contact Sales or Contact Support 

If you need someone to walk you through all our code signing options, discuss custom integrations, high-volume deals, quotes or other custom solutions, you can always contact our sales or support teams.
