Five questions determine which code signing certificate is right for your situation. Answer them in order and you will have a clear recommendation by the end of this guide, along with the immediate action to take.

 

Question 1: Are You Signing Kernel-Mode Windows Drivers?

This is the most important question because it is the only one where your answer forces a specific, non-negotiable certificate type.

  • Yes, I am building kernel-mode drivers (.sys files): you need an EV code signing certificate. Kernel-mode drivers on modern Windows must carry a Microsoft signature obtained through the Hardware Dev Center (HDC, now part of Partner Center): you sign the submission package with your own certificate, and Microsoft returns the driver signed with its own. Registering for that program and signing the submission requires an EV certificate. No other certificate type is accepted for this path. Skip to the EV buying section at the end of this guide.
  • No, I am building desktop applications, installers, utilities, scripts, services, or DLLs: OV is the correct choice. EV provides no advantage over OV for standard Windows software distribution since August 2024, when Microsoft removed the EV SmartScreen reputation bypass. Buying EV for a standard desktop application costs 2-3x more than OV for identical functional results.

 

The EV upsell is the most common expensive mistake in code signing purchasing. Before August 2024, EV provided instant SmartScreen reputation clearance, which was a genuine benefit. Microsoft removed that bypass specifically because threat actors were exploiting it. Today, an OV and an EV certificate build Windows SmartScreen reputation through identical download telemetry mechanisms. EV’s only remaining justification is kernel drivers and WHQL certification.

 

Question 2: Are You Based in the US or Canada With 3+ Years of Operating History?

  • Yes: try Microsoft Trusted Signing first. It costs approximately $10/month ($120/year), requires no hardware, works in CI/CD pipelines, and produces fully trusted Windows signatures. The eligibility requirements are US/Canada geography and at least 3 years of verifiable organizational operating history. If your organization meets both, this is the cheapest option that genuinely works for standard Windows software distribution.
  • No (outside US/Canada, or organization is less than 3 years old): proceed to Question 3. Microsoft Trusted Signing is not available to you yet, but SSL.com eSigner covers this case.

 

Even if you qualify for Microsoft Trusted Signing, check one limitation before committing: some enterprise IT environments with strict WDAC (Windows Defender Application Control) policies specify publisher-based rules built from traditional CA-issued certificates and their issuing chains. Trusted Signing certificates chain to a Microsoft root, are relatively new, and are not yet in every enterprise policy template. They are also short-lived (each certificate is valid for about three days), so a timestamp on every signature is mandatory and any allow rule must key on the publisher and issuer, not on a certificate thumbprint. For software distributed to general consumers and most commercial businesses, this is not a concern. For software specifically targeting locked-down enterprise environments, verify with a sample endpoint first.

 

Question 3: Do You Sign in a CI/CD Pipeline or on a Single Workstation?

  • CI/CD pipeline (GitHub Actions, Azure DevOps, GitLab CI, Jenkins): you need a cloud HSM signing service. A physical USB token cannot plug into a cloud build runner. Microsoft Trusted Signing, SSL.com eSigner, and DigiCert KeyLocker all support pipeline signing via their respective CLI tools and GitHub Actions integrations. Choose from these options based on your answer to Question 2.
  • Single workstation, manual signing at release time: both cloud HSM services and physical tokens work. A physical token (a USB device shipped by the CA) is the simpler initial setup if you are comfortable with a manual release process: plug in, sign, unplug. Cloud HSM is more flexible if you expect to change machines or add automation later.

 

Question 4: When Is Your Launch Date?

  • Within the next 30 days: do not order a physical token. Token delivery takes 5-15 business days after validation completes, and OV validation takes 1-3 business days. Total token timeline: roughly 6-18 business days for domestic delivery, realistically 10-15, and longer internationally. That cuts it close or misses a 30-day window entirely. Choose a cloud signing service and start today. SSL.com's 30-day free trial is specifically useful here: start the trial, complete OV validation in 1-3 business days, and you have working cloud signing with time to spare.
  • More than 30 days out: any delivery option works. If a physical token appeals to you (no ongoing subscription, simple hardware to manage), 30+ days is enough runway to receive it comfortably for most domestic addresses. Allow 6 weeks for international delivery.

 

Start the SSL.com eSigner trial at ssl.com before you finish reading this guide if your launch is within a month. The trial is free for 30 days with no payment required to start. OV validation runs concurrently with your other launch preparations. You can cancel if you decide on a different option.

 

Question 5: Are You an Individual or a Registered Organization?

  • I have a registered business (company, LLC, sole trader with registered trading name): you qualify for OV. The Organization field in your certificate will show your registered business name. This is the standard path and the one all the options above assume.
  • I am an individual developer with no registered business: you do not qualify for OV, which requires a verifiable legal organizational entity. Your options are Individual Validation (IV) certificates from SSL.com (certificate shows your personal verified name), or register a DBA/sole trader name in your jurisdiction (typically $20-100, takes a few days to weeks) and then apply for OV.
  • I have just incorporated or registered and my organization is less than 3 months old: OV is possible but validation may take longer because your organization has limited public database presence. Have your incorporation documents ready before ordering. Contact the CA’s validation team to ask what they need for newly incorporated entities in your jurisdiction.

 

The Recommendations: One Action Per Path

 

  • Building kernel-mode drivers. What to buy: EV code signing certificate. Where: Sectigo, SSL.com, or DigiCert via an authorized reseller. Action now: order EV now; allow 1-2 weeks for validation; EV requires an incorporated entity.
  • US/Canada org, 3+ years, pipeline signing. What to buy: Microsoft Trusted Signing Basic. Where: Azure portal (portal.azure.com → Trusted Signing). Action now: create an Azure account, provision a Trusted Signing resource, configure the GitHub Actions integration.
  • Non-US/Canada or new org, pipeline signing. What to buy: SSL.com eSigner OV. Where: ssl.com. Action now: start the 30-day free trial; complete OV validation; configure CodeSignTool for the pipeline.
  • US/Canada org, 3+ years, manual/workstation signing. What to buy: Microsoft Trusted Signing Basic or SSL.com eSigner. Where: Azure portal or ssl.com. Action now: either works; cloud services are more flexible than a token for future pipeline use.
  • Launch in under 30 days, any org. What to buy: SSL.com eSigner OV (cloud). Where: ssl.com. Action now: start the free trial today; don't order a token.
  • Individual developer, no registered business. What to buy: IV certificate from SSL.com. Where: ssl.com. Action now: order IV; the certificate shows your personal name as publisher.
  • Individual who wants a business name on the certificate. What to buy: register a DBA/sole trader, then OV. Where: local business registry, then any CA. Action now: register first (a few days to weeks depending on jurisdiction), then order OV.

 

What Not to Buy and Why

Two purchase decisions are consistently made by mistake, and this guide is designed to prevent both:

 

Do not buy EV for standard desktop software

EV certificates cost approximately $279-617/year depending on CA, compared to $120-240/year for OV. The only remaining reason to choose EV over OV is kernel-mode driver signing. Microsoft removed EV’s SmartScreen bypass in August 2024. If you are not building kernel drivers and you buy EV, you pay 2-3x more for exactly the same user experience as OV. The UAC dialog shows the same publisher name. SmartScreen builds reputation at the same rate. The certificate functions identically for signing executables, DLLs, installers, and scripts.

 

Do not buy a physical token if your launch is in less than 4 weeks

Physical token delivery adds 5-15 business days after validation completes, and validation takes 1-3 days. Best case total: 6-8 business days. Realistic case: 10-15 business days. International: 3-6 weeks. A launch date that requires signing in under 4 weeks and a physical token order are likely to conflict. Cloud signing services are available within hours of validation completing. There is no technical benefit to a physical token that justifies missing a launch date.

 

Immediately After Purchasing: The Four Steps

Regardless of which option you chose, take these four actions before your launch:

  • Sign a test file before signing any release: run signtool sign (with /fd sha256 and a timestamp), then signtool verify /pa. The /pa switch selects the default Authenticode policy that Windows applies when launching applications; without it, signtool verifies against the kernel-mode driver policy and reports failures that do not apply to user-mode software. If verify fails, resolve it before your launch day.
  • Confirm the publisher name Windows will display: right-click the signed test file, Properties, Digital Signatures tab, Details. The signer name must be your organization, not 'Unknown Publisher'. This is the name the UAC dialog shows as the verified publisher.
  • Include a timestamp server in every signing command: the /tr flag in signtool is not optional. A signature without an RFC 3161 timestamp stops validating once the certificate expires; with one, Windows checks that the certificate was valid at signing time and the signature stays valid after expiry. Always use /tr http://timestamp.digicert.com (or any trusted TSA) with /td sha256.
  • Submit to Microsoft Security Intelligence immediately after launch: the 'Windows protected your PC' SmartScreen warning appears for new software with low download history. Submit your signed installer at microsoft.com/en-us/wdsi/filesubmission on launch day. Microsoft's manual review can clear the warning faster than waiting for organic download volume to build.
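The first three steps above, plus the chain inspection you need for the WDAC check mentioned under Question 2, as one PowerShell script. This is an added example, not a script from the original guide or from any CA: it assumes signtool.exe from the Windows SDK is on PATH, that the signing certificate sits in the CurrentUser\My store under the placeholder thumbprint below, and that the expected publisher name is the placeholder "Example Corp Ltd". Replace those three values with your own.

```powershell
# Added example (not from the original guide): sign a test binary with a timestamp,
# verify it under the Authenticode application policy, confirm the publisher name
# UAC will show, and print the certificate chain for comparison with WDAC rules.
param(
    [string]$File = ".\dist\setup-test.exe",                            # assumed test binary
    [string]$Thumbprint = "0000000000000000000000000000000000000000",   # placeholder thumbprint
    [string]$ExpectedPublisher = "Example Corp Ltd",                    # placeholder org name
    [string]$Tsa = "http://timestamp.digicert.com"                      # any trusted RFC 3161 TSA
)

$ErrorActionPreference = "Stop"

# Step 1: sign. /fd is the file digest, /tr + /td request an RFC 3161 timestamp.
# Omitting /tr produces a signature that stops validating when the certificate expires.
& signtool.exe sign /fd sha256 /sha1 $Thumbprint /tr $Tsa /td sha256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed (exit code $LASTEXITCODE)" }

# Step 1 (continued): verify with /pa, the default Authenticode policy Windows uses
# for applications. Plain 'signtool verify' applies the kernel-driver policy instead.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify /pa failed; fix this before release" }

# Step 2: read the signature back without opening the Properties dialog.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne "Valid") { throw "Signature status is '$($sig.Status)', expected 'Valid'" }

# SimpleName returns the leaf CN, which is the name UAC displays as the verified publisher.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$publisher = $sig.SignerCertificate.GetNameInfo($nameType, $false)
if ($publisher -ne $ExpectedPublisher) {
    throw "Signer is '$publisher', expected '$ExpectedPublisher'; UAC would show the wrong name"
}

# Step 3: confirm the timestamp countersignature is actually present.
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp on signature; it will stop validating when the certificate expires"
}

# WDAC check: publisher rules key on the leaf CN plus the issuing CA, so print the chain
# as the policy author will see it. Build() may return $false offline (revocation check);
# the elements are still populated, which is all we need here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($sig.SignerCertificate)
Write-Host "OK: signed by '$publisher', timestamped by $($sig.TimeStamperCertificate.Subject)"
Write-Host "Certificate chain (leaf first) for WDAC publisher rules:"
foreach ($element in $chain.ChainElements) {
    Write-Host ("  {0}  (issuer: {1})" -f $element.Certificate.Subject, $element.Certificate.Issuer)
}
```

Run it against a throwaway build before every release; if the publisher check or the timestamp check throws, nothing shipped yet and you still have time to fix the certificate or the signing command. For a cloud HSM service, replace the `/sha1` selector with the service's own signtool integration (Trusted Signing uses its `/dlib` and `/dmdf` switches; eSigner uses CodeSignTool), and keep the verification half of the script unchanged.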

 

Frequently Asked Questions

 

Can I switch from one option to another later?

Yes, but switching certificates resets SmartScreen reputation for new releases. The new certificate has a different thumbprint, and SmartScreen's per-certificate reputation does not transfer. Existing signed binaries retain their existing reputation, but new binaries signed with the new certificate start from zero. For this reason, choose your initial certificate setup thoughtfully and plan to stay with the same certificate (or at least the same CA and publisher identity) as long as possible.

 

I’ve been told I need EV for faster SmartScreen clearance. Is that still true?

No. This advice was accurate before August 2024. Microsoft removed EV’s SmartScreen reputation bypass on that date, citing abuse by malware distributors who obtained EV certificates specifically for the instant trust bypass. Since August 2024, OV and EV certificates build SmartScreen reputation through identical download telemetry. If you received this advice from a guide, forum post, or CA sales representative citing EV as a SmartScreen advantage, that information is outdated.

 

My software is both a Windows desktop app and includes a kernel driver. What do I buy?

Buy an EV certificate. The EV certificate satisfies the HDC driver-submission requirement (it signs the package you submit; Microsoft then signs the driver itself) and also works for all your user-mode executables, DLLs, and installers. You don't need a separate OV certificate for the desktop components. One EV certificate signs everything. The additional cost over OV is justified specifically because of the driver signing requirement.

 
