Code Signing: key storage and HSM options

Compare USB token, Azure Key Vault and Google Cloud KMS. Choose the right solution for your code signing workflow.

Required since June 1, 2023

All Code Signing certificates (OV and EV) require the private key to be stored on hardware (FIPS 140-2 Level 2+). Software-only .pfx files are no longer permitted.

USB token

Included in the price

Azure Key Vault

~$5/month

Google Cloud KMS

~$2.50/month

Why hardware key storage is required

Industry mandate

CA/Browser Forum, Microsoft and Apple require certified hardware for all Code Signing private keys.

FIPS 140-2 Level 2+

Hardware must be FIPS 140-2 Level 2 or Common Criteria EAL 4+ certified.

Non-exportable

The private key cannot be copied out. All signing happens directly on the device or HSM.

OV and EV

Both OV and EV Code Signing follow the same requirements. Applies to all certificates issued after June 1, 2023.

SmartScreen, download warnings and Trusted Publishers

Windows SmartScreen is a download reputation filter built into Windows. When a user downloads and runs a signed executable, SmartScreen evaluates the publisher's reputation. All signed software will initially show a reduced warning ("Windows protected your PC" with a "Run anyway" option) rather than a full block.

EV Code Signing certificates start with higher SmartScreen reputation, which means the warning may be removed faster or not appear at all. OV Code Signing certificates build reputation over time as more users download and run the signed software. Both types build up reputation with each successful download.

To remove the final warning entirely, the certificate must be added to the Trusted Publishers store on the end user's machine. This is typically done by local IT departments via Group Policy for their own software or their main suppliers' certificates. It is not something the software publisher can control on end-user machines.

The key storage method (USB token, Azure Key Vault, Google Cloud KMS) has no effect on SmartScreen reputation. What matters is the certificate type (OV vs EV) and the number of clean downloads over time.

See the detailed SmartScreen overview with warning examples and the four reputation levels.

Azure Key Vault setup overview

This overview covers the key decisions when setting up Azure Key Vault for code signing. FairSSL provides complete step-by-step installation guides for DigiCert and GlobalSign after purchase.

Key Vault configuration

SKU: Premium (required for HSM-backed keys. Standard SKU cannot create RSA-HSM keys)
Key type: RSA-HSM, 4096-bit, non-exportable
Permissions: Key Vault Administrator role required (may need explicit RBAC assignment even with existing admin rights)

Certificate request (CSR)

Type: "Certificate issued by a non-integrated CA"
Content type: PEM
Subject: CN=Your Company Name (as registered with the CA)
Extended Key Usage: 1.3.6.1.5.5.7.3.3 (Code Signing)
Exportable Private Key: No
Certificate Transparency: No (not required for Code Signing certificates)

After ordering your Code Signing certificate from FairSSL, you will receive a detailed installation guide specific to your CA (DigiCert or GlobalSign) with screenshots and exact steps.

Full Azure Key Vault setup guide →

Signing tools

signtool.exe

Windows. Microsoft's official signing tool (part of Windows SDK).

✓ Signs .exe, .dll, .msi, .cab, .sys, .appx and Office files
✓ Works with USB token (SafeNet), Google Cloud KMS (via CNG provider)
✓ Included with Visual Studio and Windows SDK

AzureSignTool

Windows. Drop-in replacement for signtool.exe for Azure Key Vault.

✓ Signs directly from Azure Key Vault
✓ Free and open source
✓ Azure RBAC: requires Key Vault Crypto User, Certificate User and Secrets User roles

github.com/vcsjones/AzureSignTool ↗

Jsign

Cross-platform (Windows, macOS, Linux). Java-based.

✓ Supports Azure Key Vault, Google Cloud KMS, AWS KMS, YubiKey, SafeNet and more
✓ Works as a bridge for jarsigner (Java/Android signing)
✓ Free and open source

ebourg.github.io/jsign ↗

codesign / productsign

macOS. Apple's built-in tools for signing apps and installer packages.

✓ codesign signs macOS apps, frameworks and dylibs
✓ productsign signs .pkg installer packages
✓ Works with USB token via Keychain Access

Always use timestamping

Include an RFC 3161 timestamp when signing so your signatures remain valid after the certificate expires.

http://timestamp.digicert.com (recommended, most stable)
http://timestamp.globalsign.com/tsa/r6advanced1

What FairSSL helps with

Included with every Code Signing certificate

✓ Complete installation guides for DigiCert and GlobalSign with Azure Key Vault
✓ HSM attestation form and confirmation handling
✓ Organisation validation in English, Danish and Swedish (often completed same day)
✓ Free email and phone support throughout the process

Optional add-ons

✓ Express USB token delivery: 1-2 business days (shipped next business day, order before 10 AM)
✓ Remote installation via TeamViewer (€65)

Not included

— Azure subscription setup
— API key configuration or service principal setup
— Build pipeline integration
— Signing tool configuration

Related signing tools: SignTool / AzureSignTool | Jsign | Compare all →

Code Signing certificates

OV Code Signing

DigiCert CodeSign OV

DigiCert OV Code Signing. Broad platform support.

from €475 /year See details →

GlobalSign CodeSign

GlobalSign OV Code Signing. Strong brand.

from €375 /year See details →

EV Code Signing

DigiCert CodeSign EV

DigiCert EV Code Signing. Required for kernel-mode drivers.

from €740 /year See details →

GlobalSign CodeSign EV

GlobalSign EV Code Signing. Hardware key included.

from €428 /year See details →

See all products with prices →

Frequently asked questions about Code Signing key storage

Find answers to the most common questions about SSL certificates and FairSSL.

Can I switch from USB token to Azure Key Vault later?

With DigiCert, yes. DigiCert supports free re-issuance to a new key pair in Azure Key Vault, and you can even keep both the USB token and Key Vault active at the same time. With GlobalSign, switching requires a new order as they do not support re-issuance to a different key storage type.

Does Azure Key Vault work for EV Code Signing?

Yes. The process is identical for both OV and EV Code Signing. The key is generated in Azure Key Vault, and you submit the CSR to the CA. The only difference is the validation requirements.

What about Azure Trusted Signing?

Azure Trusted Signing is a different service from Microsoft (approximately $10/month) that handles the certificate itself. Our certificates stored in Azure Key Vault give you more control and flexibility: you choose your own CA, keep your own identity, and are not tied to a single signing platform.

Can I sign from a CI/CD pipeline?

Yes, that is the primary use case for Azure Key Vault. AzureSignTool supports Azure DevOps, GitHub Actions, GitLab CI and any other pipeline that can run a Windows or .NET process. You authenticate with an Azure service principal or managed identity.

Do I need a new Azure subscription?

No. Any existing Azure subscription works. You just need to create a Key Vault resource with the Premium SKU (required for HSM-backed keys). If you do not have an Azure subscription, you can create a free account and only pay for the Key Vault resource.

What happens if I lose my USB token?

Contact us and we will issue a free replacement certificate on a new token. The original certificate is revoked. This is another advantage of Azure Key Vault: there is no physical device to lose.

Ready to secure your signing keys?

Create a free account and issue your first certificate in under 10 minutes.

Create free account Compare certificates