
Code Signing Certificates

Protect your users against counterfeit software. A Code Signing certificate confirms that your software, scripts and applications are genuine and unmodified. It removes the warnings Windows and macOS display when users attempt to install unsigned code.

What is Code Signing?

A digital certificate that signs your code. The signature confirms the publisher and guarantees the code has not been modified.

Used to sign

.exe, .msi, .dll
PowerShell scripts
Java/Android apps
Drivers and firmware
macOS apps and .pkg

Benefits

No "Unknown Publisher" warning

Users install with confidence, no security warnings

Verified publisher name

Your company name is displayed in the signature

Tamper protection

Guarantees code has not been modified since signing

Windows SmartScreen

Required for .exe distribution without blocking

OV and EV types

Choose the level that matches your organisation

Code Signing certificate types

OV Code Signing

Organisation Validated

  • Issued to verified organisations
  • Shows company name in the signature
  • Issuance time: 1–3 business days
  • Delivery: USB token, Azure Key Vault or Google Cloud KMS
  • Ideal for: standard software distribution

EV Code Signing

Extended Validation

  • Strictest possible identity verification
  • Higher initial SmartScreen reputation
  • Delivery: USB token, Azure Key Vault or Google Cloud KMS
  • Ideal for: drivers, enterprise software, instant trust

Code Signing certificates

OV Code Signing

DigiCert

DigiCert CodeSign OV

OV

DigiCert OV Code Signing. Broad platform support.

from €475 /year

GlobalSign

GlobalSign CodeSign

OV

GlobalSign OV Code Signing. Strong brand.

from €375 /year

EV Code Signing

SmartScreen, download warnings and reputation

Windows SmartScreen shows warnings based on the publisher's reputation and certificate type. Without a certificate or with low reputation, this warning is shown with the "Run" button hidden:

Windows protected your PC

Microsoft Defender SmartScreen prevented an unrecognised app from starting. Running this app might put your PC at risk.

More info

Don't run

User must click "More info" to see "Run anyway"

SmartScreen uses four levels of warnings:

Unsigned or unknown publisher

"Windows protected your PC" with only "Don't run". The user must click "More info" to see "Run anyway". This warning also appears for new OV-signed apps with low reputation.

OV Code Signing (new application)

"[Publisher Name] is not commonly downloaded." The publisher's name is shown, but reputation must be built gradually through more downloads.

EV Code Signing

Starts with higher reputation. The warning disappears faster or may not appear at all. Required for Windows kernel-mode driver signing. Since March 2024, Microsoft treats EV more like OV, but reputation still builds faster.

Established reputation

No warning. Once enough users have downloaded and run the software without issues, the warning disappears entirely, regardless of whether the certificate is OV or EV.

Trusted Publishers: To eliminate warnings completely on specific machines, the certificate can be added to the Windows Trusted Publishers certificate store. This is typically done by local IT departments via Group Policy for their own organisation's software or their main suppliers' certificates.

Validity and key requirements

Maximum 459 days validity

The CA/Browser Forum limits Code Signing certificates to a maximum validity of 459 days (approximately 15 months). Multi-year orders are issued with yearly renewals. Timestamped signatures remain valid beyond the certificate's expiry date, so always use timestamping when signing.
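An added example, not part of the original page: a PowerShell audit of a release folder that reports, per file, whether the signature is valid, whether it carries a timestamp, how long the signing certificate is valid for, and whether that certificate is already in the machine's Trusted Publishers store. The folder path and the 60-day warning threshold are assumptions.

```powershell
# Added example: audit Authenticode signatures before shipping a release.
# $Path and $WarnDays are assumed values; adjust them to your environment.
param(
    [string]$Path     = '.\dist',   # hypothetical build output folder
    [int]   $WarnDays = 60          # warn when the signing cert expires this soon
)

# Thumbprints that are already trusted machine-wide (Trusted Publishers store).
$trusted = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Select-Object -ExpandProperty Thumbprint)

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.msi, *.dll, *.ps1 |
ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate          # $null for unsigned files

    # Classify the file. A valid signature without a timestamp stops
    # verifying when the signing certificate expires.
    $finding =
        if     ($sig.Status -eq 'NotSigned')      { 'unsigned' }
        elseif ($sig.Status -ne 'Valid')          { "invalid: $($sig.Status)" }
        elseif (-not $sig.TimeStamperCertificate) { 'valid, NOT timestamped' }
        else                                      { 'valid, timestamped' }

    $daysLeft = $null
    $lifetime = $null
    if ($cert) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $lifetime = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
    }

    [pscustomobject]@{
        File             = $_.Name
        Finding          = $finding
        Publisher        = if ($cert) { $cert.Subject } else { $null }
        CertLifetimeDays = $lifetime        # compare against the 459-day maximum
        CertDaysLeft     = $daysLeft
        ExpiringSoon     = ($null -ne $daysLeft -and $daysLeft -le $WarnDays)
        TrustedPublisher = ($cert -and $trusted -contains $cert.Thumbprint)
    }
} | Sort-Object Finding, File | Format-Table -AutoSize
```

Any row reading `valid, NOT timestamped` should be re-signed with a timestamp before release, since it is the only finding here that turns into a verification failure on its own as the certificate ages.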

Hardware-secured private keys required

Since June 1, 2023, all Code Signing certificates require the private key to be stored on FIPS 140-2 Level 2 (or Common Criteria EAL 4+) certified hardware. Software-only .pfx files are no longer permitted by any CA. This is an industry-wide requirement, not a policy of any specific CA or reseller. See our complete guide to key storage options.

How is the signing key stored?

Since June 2023, all Code Signing certificates require the private key on certified hardware. Three options are available:

USB token

Physical SafeNet token, included with the certificate. Shipped next business day, typically received within 2 business days.

Azure Key Vault

Cloud HSM from Microsoft. Ideal for CI/CD pipelines and remote signing. ~$5/month.

Google Cloud KMS

Cloud HSM from Google. Good for organisations already on Google Cloud. ~$2.50/month.

USB token or cloud HSM?

Compare USB token, Azure Key Vault, Google Cloud KMS and AWS KMS. See pricing, advantages and limitations for each option.


Frequently asked questions about Code Signing

Find answers to the most common questions about SSL certificates and FairSSL.

OV Code Signing shows the company name and requires standard organisation verification. EV Code Signing has stricter requirements but starts with higher SmartScreen reputation, which means download warnings are removed faster. Both types build reputation over time as more users download the signed software.
Yes. Since June 2023, both OV and EV Code Signing require the private key to be stored on certified hardware (FIPS 140-2 Level 2+). You can choose between a physical USB token (included), Azure Key Vault Premium or Google Cloud KMS.
OV: 1–3 business days (organisation verification required). EV: 1–5 business days including identity verification.
Yes. You can use an OV or EV Code Signing certificate to sign PowerShell scripts and remove execution policy warnings.
From March 2026 the lifetime of publicly trusted SSL certificates is reduced to 47 days. Code Signing certificates are not affected by this change. Code Signing certificates have their own maximum validity of 459 days (approximately 15 months), set by the CA/Browser Forum.
Initially, yes. SmartScreen evaluates publisher reputation, not just whether the signature is valid. EV Code Signing starts with higher reputation and the warning typically disappears quickly. OV Code Signing builds reputation gradually with each clean download. To remove warnings entirely on specific machines, IT departments can add the certificate to the Windows Trusted Publishers store via Group Policy.
Since June 1, 2023, the CA/Browser Forum requires all Code Signing private keys to be stored on hardware that meets FIPS 140-2 Level 2 or Common Criteria EAL 4+. Software-only .pfx files no longer meet this requirement. You can use a USB token (included), Azure Key Vault or Google Cloud KMS instead.
Yes. Azure Key Vault Premium with HSM-backed keys meets the FIPS 140-2 Level 3 requirement and is ideal for CI/CD pipelines and remote signing. See our complete guide to Code Signing key storage options.
