Abstract: Choosing between SSL’s eSigner cloud signing service and a hardware token affects more than key storage. It shapes how your entire signing workflow operates. This guide compares both methods across capabilities, pricing, and CI/CD compatibility to help you find the right fit. Whether you sign occasionally or run automated pipelines at scale, the answer is here.
When you order a code signing certificate from SSL, you have a fundamental decision to make before your private key is ever generated: where will that key live, and how will you use it to sign? The two primary paths are a physical hardware token shipped to your door or SSL’s eSigner cloud signing service. Both satisfy the CA/Browser Forum’s key storage requirements that took effect in June 2023, but they serve very different workflows, team sizes, and automation needs.
This guide puts the two options side by side so you can make an informed choice without piecing together information from multiple sources.
How Each Method Works
Hardware tokens (YubiKey FIPS and Thales SafeNet) are physical USB devices that store your private key in tamper-resistant hardware. SSL ships these pre-loaded with your certificate. Signing requires the token to be physically present, connected to a machine, and unlocked with a PIN. The private key never leaves the device.
eSigner is SSL’s cloud signing service. Your private key is generated on and stored in FIPS 140-2 compliant HSMs that SSL manages. Because the key resides in the cloud, you can sign from any internet-connected machine without carrying hardware. Signing is performed via the eSigner Express web app, the CodeSignTool command-line utility, the CSC-compliant API, or the eSigner CKA (Cloud Key Adapter) for Windows-based toolchains.
Both methods store private keys on validated FIPS 140-2 hardware. The core difference is who holds the hardware and where it sits in your workflow.
Capabilities Comparison
| Capability | Hardware Token | eSigner |
| --- | --- | --- |
| OV/IV Code Signing | Yes | Yes |
| EV Code Signing | Yes | Yes |
| Document Signing | Yes | Yes |
| Signing without physical hardware present | No | Yes |
| Team/credential sharing | No | Yes |
| Signing through a web app (no local tooling) | No | Yes (eSigner Express) |
| CLI/scriptable signing | Yes (via SignTool + driver) | Yes (CodeSignTool) |
| CSC API access | No | Yes |
| Windows CNG/KSP integration | Yes (native) | Yes (via eSigner CKA) |
| Remote attestation support | YubiKey only | Not applicable |
| Kernel-mode driver signing | Yes (Thales SafeNet, RSA up to 3072-bit) | Yes (EV) |
| Sandbox/test environment | No | Yes |

Feature Comparison
| Feature | Hardware Token | eSigner |
| --- | --- | --- |
| Key storage location | On-device (physical) | Cloud HSM (SSL-managed) |
| FIPS 140-2 compliance | Yes | Yes |
| Physical device required | Yes | No |
| Lost/stolen risk | Yes | No |
| Replacement process | New token order + re-enrollment ($150 fee) | Not applicable |
| Number of simultaneous users | One per token | Multiple credentials per subscription |
| Signing from CI/CD pipelines | Requires physical USB access | Native |
| Multi-OS support | Windows primary; limited elsewhere | Any OS with internet access |
| Audit/usage tracking | None built in | Signings tracked per month in the account portal |
| Microsoft SmartScreen reputation (EV) | Yes | Yes |
| 30-day free trial | No | Yes (unlimited signings) |
| Certificate sharing between credentials | No | Yes |

Pricing Comparison
Hardware tokens are included with your certificate order and represent a one-time hardware cost per device. There are no per-signing fees, but each physical token is tied to a single user and location. Additional tokens for team members must be ordered separately.
eSigner operates on a subscription model layered on top of your certificate. Subscriptions are available monthly or annually; annual plans carry a 25% discount. Unused signings roll over to the next billing cycle as long as the subscription remains active.
eSigner: IV, OV, and IV+OV Code Signing and Document Signing
| Tier | Signing Credentials | Monthly Signings | Monthly Cost | Annual Signings | Annual Cost | Overage (each) |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 1 | 20 | $20.00 | 240 | $180.00 | $1.00 |
| 2 | 5 | 100 | $85.00 | 1,200 | $765.00 | $0.85 |
| 3 | 9 | 300 | $175.00 | 3,600 | $1,575.00 | $0.58 |
| 4 | 13 | 1,000 | $250.00 | 12,000 | $2,250.00 | $0.25 |

Additional IV/OV signing credentials are available at $20.00 per credential per month in all tiers.
eSigner: EV Code Signing
| Tier | Signing Credentials | Monthly Signings | Monthly Cost | Annual Signings | Annual Cost | Overage (each) |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | 1 | 10 | $100.00 | 120 | $900.00 | $10.00 |
| 2 | 3 | 100 | $300.00 | 1,200 | $2,700.00 | $3.00 |
| 3 | 7 | 1,000 | $700.00 | 12,000 | $6,300.00 | $0.70 |
| 4 | 15 | 10,000 | $1,500.00 | 120,000 | $13,500.00 | $0.15 |

Additional EV signing credentials are available at $29.00/month per credential in all tiers. For volumes above tier maximums, contact SSL’s enterprise sales team at sales@ssl.com.
Note: All eSigner signing credits are forfeited if a subscription becomes inactive. Re-enrollment after cancellation is available for a $150 fee.
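The tier tables above leave one question open: for a given monthly volume and number of signers, is it cheaper to buy a higher tier or to stay on a lower one and pay overage plus add-on credentials? The following cost model is an added example, not an SSL tool; it uses the page's figures (tier prices, overage rates, $20/$29 add-on credential fees), assumes a constant monthly volume, and ignores rollover of unused signings, so it is a conservative estimate.

```python
"""Added example (not SSL's own tooling): choose the cheapest eSigner tier for
an expected workload from the page's IV/OV and EV tier tables. Rollover of
unused signings is ignored, so the result is an upper bound on cost."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    number: int
    credentials: int      # signing credentials included in the tier
    monthly_signings: int  # signings included per month
    monthly_cost: float
    annual_cost: float     # page figure (monthly x 12 with the 25% discount)
    overage: float         # price per signing beyond the monthly allowance


# Figures from the page's two pricing tables.
IV_OV_TIERS = [Tier(1, 1, 20, 20.00, 180.00, 1.00),
               Tier(2, 5, 100, 85.00, 765.00, 0.85),
               Tier(3, 9, 300, 175.00, 1575.00, 0.58),
               Tier(4, 13, 1000, 250.00, 2250.00, 0.25)]
EV_TIERS = [Tier(1, 1, 10, 100.00, 900.00, 10.00),
            Tier(2, 3, 100, 300.00, 2700.00, 3.00),
            Tier(3, 7, 1000, 700.00, 6300.00, 0.70),
            Tier(4, 15, 10000, 1500.00, 13500.00, 0.15)]
EXTRA_CREDENTIAL_FEE = {"iv_ov": 20.00, "ev": 29.00}  # per credential per month


def yearly_cost(tier, signings_per_month, credentials_needed, fee, annual=True):
    """Twelve months on one tier: base price, overage for signings beyond the
    monthly allowance, and add-on credentials beyond the tier's included count."""
    base = tier.annual_cost if annual else tier.monthly_cost * 12
    overage = max(0, signings_per_month - tier.monthly_signings) * tier.overage * 12
    extra = max(0, credentials_needed - tier.credentials) * fee * 12
    return round(base + overage + extra, 2)


def cheapest_plan(kind, signings_per_month, credentials_needed, annual=True):
    """Return (tier number, yearly cost) of the cheapest tier for the workload.
    kind is "iv_ov" or "ev"; annual selects the discounted annual price."""
    tiers = EV_TIERS if kind == "ev" else IV_OV_TIERS
    fee = EXTRA_CREDENTIAL_FEE[kind]
    cost, number = min((yearly_cost(t, signings_per_month, credentials_needed, fee, annual),
                        t.number) for t in tiers)
    return number, cost


if __name__ == "__main__":
    # Constructed workloads: 50 EV signings/month with one signer, and
    # 150 IV/OV signings/month shared by six signers.
    print(cheapest_plan("ev", 50, 1))
    print(cheapest_plan("iv_ov", 150, 6))
```

The second workload shows the non-obvious case: Tier 2 with overage and one add-on credential comes out cheaper than the Tier 3 allowance that would cover it outright.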
CI/CD Compatibility Matrix
Hardware tokens require a physical USB connection, which makes them incompatible with most cloud-hosted CI/CD runners. eSigner is purpose-built for pipeline integration.
| CI/CD Platform | Hardware Token | eSigner (CodeSignTool) | eSigner (CKA) | eSigner (CSC API) |
| --- | --- | --- | --- | --- |
| GitHub Actions | Not supported | Yes | Yes (self-hosted runner) | Yes |
| GitLab CI | Not supported | Yes | Yes (self-hosted runner) | Yes |
| CircleCI | Not supported | Yes | Yes (self-hosted runner) | Yes |
| Jenkins | Not supported | Yes | Yes | Yes |
| Azure DevOps | Not supported | Yes | Yes | Yes |
| Travis CI | Not supported | Yes | No | Yes |
| Bitbucket Pipelines | Not supported | Yes | No | Yes |
| Self-hosted runner (any platform) | Possible with direct USB access | Yes | Yes | Yes |

eSigner CKA integrates with Windows-native toolchains like SignTool and certutil. For Linux and macOS CI environments, CodeSignTool and the CSC API are the recommended approaches.
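What a CodeSignTool signing step looks like on a cloud-hosted Linux or macOS runner, written as an added example that is not SSL's or CodeSignTool's own code. It assumes CodeSignTool is on PATH and that its sign command takes -username, -password, -credential_id, -totp_secret, -input_file_path and -output_dir_path (names as in SSL's CodeSignTool documentation; check them against your installed version), that the four ESIGNER_* variables are injected from the CI platform's secret store, and that osslsigncode is optionally available for a post-signing check.

```shell
#!/bin/sh
# Added example, not SSL's or CodeSignTool's own code: a CI signing step for
# cloud-hosted runners that keeps eSigner secrets out of the repository and
# out of build logs. Assumes CodeSignTool is on PATH and that its `sign`
# command accepts -username, -password, -credential_id, -totp_secret,
# -input_file_path and -output_dir_path (names as in SSL's CodeSignTool
# docs; verify against your installed version). The ESIGNER_* variables are
# assumed to come from the CI platform's secret store.
set -eu

# Fail closed: refuse to run if any secret the signing step needs is absent.
require_signing_secrets() {
  missing=0
  for v in ESIGNER_USERNAME ESIGNER_PASSWORD ESIGNER_CREDENTIAL_ID ESIGNER_TOTP_SECRET; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required secret: $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Sign one artifact into OUTDIR. With DRY_RUN=1 the command line is printed
# with secrets redacted (safe for pipeline logs) instead of being executed.
sign_artifact() {
  input="$1"; outdir="$2"
  require_signing_secrets || return 1
  [ -f "$input" ] || { echo "input not found: $input" >&2; return 1; }
  mkdir -p "$outdir"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "CodeSignTool sign -username=*** -password=*** -credential_id=$ESIGNER_CREDENTIAL_ID" \
         "-totp_secret=*** -input_file_path=$input -output_dir_path=$outdir"
    return 0
  fi
  CodeSignTool sign -username="$ESIGNER_USERNAME" -password="$ESIGNER_PASSWORD" \
    -credential_id="$ESIGNER_CREDENTIAL_ID" -totp_secret="$ESIGNER_TOTP_SECRET" \
    -input_file_path="$input" -output_dir_path="$outdir"
  # Optional post-check on Linux/macOS runners: confirm the Authenticode
  # signature on the produced file (assumes osslsigncode is installed).
  if command -v osslsigncode >/dev/null 2>&1; then
    osslsigncode verify "$outdir/$(basename "$input")"
  fi
}

# Typical pipeline call (only runs when the CI job sets RUN_SIGN=1):
if [ "${RUN_SIGN:-0}" = "1" ]; then
  sign_artifact "${SIGN_INPUT:?}" "${SIGN_OUTDIR:-dist/signed}"
fi
```

The dry-run path exists so a pipeline can be validated before real credentials are wired in, and so that the only thing ever echoed to a log is a redacted command line.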
Which Method Should You Choose?
Neither option is universally superior. The right answer depends on your team structure, release cadence, and infrastructure.
Choose a Hardware Token if:
- You sign infrequently. If your release schedule is occasional (a few times per month or less), the per-signing subscription cost of eSigner may exceed the value for your volume.
- You work in an air-gapped or internet-restricted environment. Hardware tokens can function entirely offline after initial setup.
- Your signing workflow is already built around Windows-native tools such as SignTool, and you do not require automation.
- Compliance requirements specify physical key custody. Some regulated industries mandate that private keys reside on physical hardware under direct organizational control.
Choose eSigner if:
- You use a CI/CD pipeline. eSigner is the only option that integrates natively with cloud-hosted runners on GitHub Actions, GitLab CI, CircleCI, Azure DevOps, and others. Hardware tokens cannot participate in automated cloud builds.
- You have a distributed or remote team. eSigner signing credentials can be shared across team members without shipping hardware or managing physical assets across locations.
- You sign at high volume. At Tier 4, EV signing drops to $0.15 per signing, and IV/OV signing drops to $0.25. For organizations with hundreds or thousands of monthly signings, the economics favor eSigner’s volume tiers.
- You need document signing in addition to code signing. eSigner is the only method here that supports document signing certificates. Hardware tokens issued by SSL are code signing-specific.
- You want to eliminate hardware logistics. Lost tokens, PIN lockouts, and physical shipping delays are operational risks that eSigner removes entirely.
- You are just getting started. The free 30-day trial with unlimited signings gives teams time to evaluate eSigner fully before committing to a subscription tier.
A Note on Mixed Environments
These two methods are not mutually exclusive at the organization level. Some teams issue hardware tokens to developers who sign builds locally while adopting eSigner for release pipelines and automated batch jobs. The same SSL code signing certificate can be enrolled in eSigner independently of any hardware token associated with the order.
Getting Started
- Order a code signing certificate: ssl.com/code-signing-certificates
- Enroll in eSigner: ssl.com/esigner
- Review CI/CD integration guides: Available for GitHub Actions, GitLab CI, CircleCI, Jenkins, Azure DevOps, Travis CI, and Bitbucket at ssl.com
- Contact SSL enterprise sales for volume pricing: sales@ssl.com
For questions about which option fits your specific environment, SSL’s support team is available via live chat or the ticket portal at ssl.com.
