Code Signing certificate for AWS KMS

Sign EXE, DLL, JAR and other artifacts directly from AWS Key Management Service. No USB token needed. Jsign connects to your AWS KMS key via the AWS SDK and signs locally, while the private key remains on a FIPS 140-2 Level 3 HSM. The key never leaves the HSM.

AWS KMS costs approximately $1/month per asymmetric key. It is the cheapest cloud HSM solution for code signing, cheaper than both Azure Key Vault Premium (~$5/month) and Google Cloud KMS (~$2.50/month).

What is AWS KMS Code Signing?

AWS KMS (Key Management Service) is Amazon's managed key management service. Since May 2023, all AWS KMS HSMs are backed by FIPS 140-2 Level 3 certified hardware (previously Level 2). This upgrade makes AWS KMS a valid option for code signing without needing dedicated AWS CloudHSM.

Jsign is the primary signing tool for AWS KMS. It is open source, Java-based, and supports Authenticode, JAR signing, and several other formats. Jsign authenticates via the AWS SDK (IAM credentials or EC2 instance role).

Since June 2023, all Code Signing certificates (OV and EV) require HSM-backed key storage. AWS KMS meets this requirement. Software-only .pfx files are no longer permitted by any Certificate Authority.

OV vs EV Code Signing with AWS KMS

                            OV Code Signing                   EV Code Signing
Validation                  Organisation                      Extended (stricter)
SmartScreen reputation      Builds over time with downloads   Starts with higher reputation
Kernel-mode driver signing  No                                Yes (required by Microsoft)
AWS KMS                     Asymmetric key (RSA 4096)         Asymmetric key (RSA 4096)
Issuance time               1-3 business days                 1-5 business days
Maximum validity            459 days                          459 days

FIPS 140-2 Level 3 since May 2023

Before May 2023, AWS KMS only met FIPS 140-2 Level 2, which was insufficient for code signing per CA/Browser Forum rules. AWS upgraded all KMS HSMs to Level 3 in May 2023.

Important: This upgrade means AWS KMS is now a valid option for code signing key storage, and the cheapest cloud-based one. You do not need AWS CloudHSM.

The CA/Browser Forum requires that code signing private keys be stored on hardware certified to at least FIPS 140-2 Level 2 (in practice, most CAs require Level 3). With the May 2023 upgrade, standard AWS KMS meets this requirement without extra configuration.

AWS KMS vs Azure Key Vault vs Google Cloud KMS

AWS KMS

  • ~$1/month
  • FIPS 140-2 Level 3 (since May 2023)
  • Cheapest cloud HSM option
  • Jsign (only signing tool)
  • AWS IAM authentication

Azure Key Vault

  • ~$5/month
  • FIPS 140-2 Level 3
  • Broadest tool support
  • AzureSignTool + Jsign + signtool
  • Azure AD authentication

Google Cloud KMS

  • ~$2.50/month
  • FIPS 140-2 Level 3
  • Mid-range pricing
  • Jsign (only signing tool)
  • Google Cloud SDK authentication

All three cloud KMS services meet CA/Browser Forum requirements for code signing key storage. Your choice depends primarily on which cloud platform you already use. AWS KMS is the cheapest option, while Azure Key Vault has the broadest tool support.

AWS CloudHSM vs AWS KMS

AWS KMS (~$1/month)

  • Shared HSM infrastructure, managed by AWS
  • Sufficient for code signing
  • Pay-per-key pricing
  • FIPS 140-2 Level 3 (since May 2023)

AWS CloudHSM (~$1,400/month)

  • Dedicated HSM cluster
  • Full PKCS#11 access
  • Required for certain compliance regimes
  • Overkill for most code signing use cases

For most code signing scenarios, standard AWS KMS is sufficient. CloudHSM is only relevant if you have specific compliance requirements that demand PKCS#11 access or full control over HSM hardware.

Signing tools for AWS KMS

Jsign is the only signing tool that supports AWS KMS directly. signtool.exe and AzureSignTool do not support AWS KMS.

Jsign is open source, Java-based, and supports Authenticode (.exe, .dll), Windows Installer (.msi), MSIX, JAR signing, and several other formats. It authenticates via the AWS SDK (IAM credentials, environment variables, or EC2 instance role).

Complete setup guide

Step-by-step guide to creating an asymmetric key in AWS KMS, generating a CSR, submitting it to the CA, and signing with Jsign from your CI/CD pipeline.
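Two of the steps above (generating a CSR for a key that lives in KMS, and signing from the pipeline while the private key stays on the HSM) rest on the same mechanism: the tool computes the SHA-256 digest locally and asks KMS to sign only that digest. The Go program below is an added illustration of that mechanism and is not Jsign's code, nor anything from FairSSL or AWS. The RemoteKMS interface is an assumption standing in for the AWS SDK's GetPublicKey and Sign (MessageType=DIGEST) calls, which a production build would wire in; localStandIn is a constructed in-memory double so the example runs offline; the key alias, organisation name and artifact bytes are invented.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
)

// RemoteKMS is the narrow surface a signing tool needs from AWS KMS: fetch the
// public key, and sign a digest the caller already computed. A real implementation
// would wrap the AWS SDK's GetPublicKey and Sign calls (assumed, not shown here).
type RemoteKMS interface {
	PublicKeyDER(keyID string) ([]byte, error)
	SignDigest(keyID string, digest []byte) ([]byte, error)
}

// KMSSigner adapts RemoteKMS to crypto.Signer so standard-library CSR code can use a key this process never holds.
type KMSSigner struct {
	kms   RemoteKMS
	keyID string
	pub   *rsa.PublicKey
}

func NewKMSSigner(kms RemoteKMS, keyID string) (*KMSSigner, error) {
	der, err := kms.PublicKeyDER(keyID)
	if err != nil {
		return nil, err
	}
	pub, err := x509.ParsePKIXPublicKey(der)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("expected an RSA SIGN_VERIFY key: %v", err)
	}
	return &KMSSigner{kms: kms, keyID: keyID, pub: rsaPub}, nil
}

func (s *KMSSigner) Public() crypto.PublicKey { return s.pub }

// Sign is handed the finished SHA-256 digest: only those 32 bytes travel to the
// HSM, never the artifact and never the key.
func (s *KMSSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 {
		return nil, fmt.Errorf("unsupported digest %v; only SHA-256 is wired up", opts.HashFunc())
	}
	return s.kms.SignDigest(s.keyID, digest)
}

// BuildCSR produces the PEM CSR for the KMS-held key that is submitted to the CA.
func BuildCSR(s *KMSSigner, org, cn string) ([]byte, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:            pkix.Name{Organization: []string{org}, CommonName: cn},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}, s)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// SignArtifact hashes the artifact locally and sends only the digest for signing.
func SignArtifact(s *KMSSigner, artifact []byte) ([]byte, error) {
	d := sha256.Sum256(artifact)
	return s.Sign(rand.Reader, d[:], crypto.SHA256)
}

// localStandIn is a constructed test double standing in for AWS KMS so the example
// runs offline; unlike KMS it keeps the key in process memory.
type localStandIn struct{ key *rsa.PrivateKey }

func newLocalStandIn() (*localStandIn, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 for speed; the page's keys are RSA 4096
	if err != nil {
		return nil, err
	}
	return &localStandIn{key: k}, nil
}

func (l *localStandIn) PublicKeyDER(string) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&l.key.PublicKey)
}

func (l *localStandIn) SignDigest(_ string, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, l.key, crypto.SHA256, digest)
}

func main() {
	kms, _ := newLocalStandIn()
	s, _ := NewKMSSigner(kms, "alias/code-signing") // hypothetical key alias
	csr, _ := BuildCSR(s, "Example Org", "Example Org")
	sig, _ := SignArtifact(s, []byte("constructed artifact bytes"))
	d := sha256.Sum256([]byte("constructed artifact bytes"))
	fmt.Printf("%s\nsignature valid: %v\n", csr, rsa.VerifyPKCS1v15(s.pub, crypto.SHA256, d[:], sig) == nil)
}
```

The same crypto.Signer shape is what lets a CI job produce the CSR without ever exporting the key: the CA only needs the public key and a proof of possession, and that proof is itself a KMS Sign call. The IAM identity the job runs under needs no more than the GetPublicKey and Sign actions on that one key.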


Code Signing certificates for AWS KMS

OV Code Signing

DigiCert CodeSign OV (OV), from €475/year
DigiCert OV Code Signing. Works with AWS KMS.

GlobalSign CodeSign (OV), from €375/year
GlobalSign OV Code Signing. Works with AWS KMS.

EV Code Signing

Frequently asked questions about AWS KMS Code Signing

Can I use signtool.exe with AWS KMS?
No. signtool only supports Windows CNG providers (PKCS#11 via third-party driver is possible but impractical). Use Jsign, which supports AWS KMS directly via the AWS SDK.

Is AWS KMS FIPS 140-2 Level 3 certified?
Yes, since May 2023. All AWS KMS HSMs have been upgraded to FIPS 140-2 Level 3. Before May 2023, AWS KMS only met Level 2, which was insufficient for code signing per CA/Browser Forum rules.

How much does code signing with AWS KMS cost?
Approximately $1/month for one asymmetric key + ~$0.003 per signing operation. This is the cheapest cloud HSM solution for code signing. For comparison, Azure Key Vault Premium costs ~$5/month and Google Cloud KMS costs ~$2.50/month.

Do all Certificate Authorities support AWS KMS?
No. Only DigiCert and GlobalSign support AWS KMS key attestation. Sectigo/Comodo certificates are not compatible with AWS KMS HSM-backed keys. FairSSL sells both DigiCert and GlobalSign.

Do I need AWS CloudHSM for code signing?
No. Standard AWS KMS with asymmetric keys is sufficient and far cheaper. CloudHSM costs approximately $1,400/month for a dedicated HSM cluster and is only necessary for specific compliance requirements (e.g. PKCS#11 access or full control over HSM hardware).

Ready to sign from AWS KMS?

Create a free account and issue your first certificate in under 10 minutes.