Code Signing certificate with USB token
Every Code Signing certificate from FairSSL includes a SafeNet eToken 5110 CC USB crypto device at no extra cost. FIPS 140-2 Level 2 certified hardware. The private key is generated on the token and can never be exported or copied. Sign with signtool.exe, Jsign or macOS codesign/productsign.
DigiCert: express shipping included in price (1-2 business days). GlobalSign: standard delivery (~7 business days) or express +€65.
What is a SafeNet USB token?
SafeNet eToken 5110 CC is a certified USB crypto device from Thales (formerly Gemalto). It stores your Code Signing private key in tamper-resistant hardware. The key is generated inside the token and cannot be exported. All signing operations happen on the token itself.
This meets the CA/Browser Forum requirement for FIPS 140-2 Level 2+ key storage that has been mandatory since June 2023.
How it works
1. Buy a Code Signing certificate from FairSSL. USB token delivery is the default.
2. Complete organisation validation. 1-3 business days for OV, 1-5 for EV.
3. Receive USB token. DigiCert: express shipping included, arrives 1-2 business days after confirming postal address. GlobalSign: standard delivery ~7 business days after validation, express (1-2 business days) available for €65.
4. Install SafeNet drivers on your signing machine. SafeNet Authentication Client must be installed before retrieving the certificate.
5. Retrieve and install your certificate on the token. Using Fortify for GlobalSign, or direct download for DigiCert.
6. Sign your code. Using signtool.exe, Jsign or codesign.
Important security warnings
The USB token locks permanently if the wrong Administrator Password or PUK is entered 5 times. Contact us to purchase a new device if this happens.
SafeNet drivers must be installed before retrieving the certificate. On renewal: update to the latest driver version.
The certificate and private key cannot be copied or exported from the USB token.
Signing with USB token
Windows: signtool.exe
Included in the Windows SDK. Can also be used via AzureSignTool. Insert the token and enter your PIN when prompted.
Java: Jsign
Jsign is cross-platform and open source. Works with USB tokens via PKCS#11.
macOS: codesign and productsign
Apple's built-in signing tools. The SafeNet token registers automatically in macOS Keychain.
Timestamping
Always use RFC 3161 timestamping when signing. It ensures your signature remains valid after the certificate expires.
Common timestamp servers:
- DigiCert: http://timestamp.digicert.com
- GlobalSign: http://timestamp.globalsign.com/tsa/r6advanced1
- Sectigo: http://timestamp.sectigo.com
signtool sign /fd sha256 /tr http://timestamp.digicert.com /td sha256 /a "MyApp.exe"
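The PowerShell script below is an added example, not FairSSL's own code. It signs once on the token, adds the RFC 3161 timestamp in a separate step that falls back through the servers listed above, and refuses to accept a file that ends up signed but not timestamped. It assumes signtool.exe is on PATH, the token is inserted, and the file to sign is the MyApp.exe placeholder used above.

```powershell
# Added example: sign once on the token, then timestamp with fallback.
# Assumptions: signtool.exe is on PATH, the SafeNet token is inserted,
# and MyApp.exe is a placeholder for the file to sign.
param(
    [string]$File = 'MyApp.exe'
)

# RFC 3161 timestamp servers listed on this page, tried in order.
$TsaUrls = @(
    'http://timestamp.digicert.com',
    'http://timestamp.globalsign.com/tsa/r6advanced1',
    'http://timestamp.sectigo.com'
)

# Step 1: sign without a timestamp. This is the only step that uses the
# private key, so a timestamp server outage never forces a second
# signing operation on the token.
& signtool sign /fd sha256 /a $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# Step 2: add the timestamp to the already-signed file. This step only
# needs network access; move to the next server if one is unreachable.
$stamped = $false
foreach ($url in $TsaUrls) {
    & signtool timestamp /tr $url /td sha256 $File
    if ($LASTEXITCODE -eq 0) { $stamped = $true; break }
    Write-Warning "Timestamping via $url failed, trying the next server"
}

# Step 3: check the result independently of signtool's exit codes.
$sig = Get-AuthenticodeSignature -FilePath $File
if (-not $stamped -or $null -eq $sig.TimeStamperCertificate) {
    throw "$File is signed but NOT timestamped; do not release it"
}
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
"{0}: signed by {1}, timestamped by {2}" -f $File,
    $sig.SignerCertificate.Subject, $sig.TimeStamperCertificate.Subject
```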
Extra USB tokens
Extra SafeNet tokens can be purchased from FairSSL for €100. Useful if you need multiple signing stations. The certificate can only exist on one token (non-exportable), but having spare tokens is practical for replacement scenarios.
RDP limitation
USB tokens cannot be forwarded over standard Windows Remote Desktop (RDP). TeamViewer, AnyDesk and similar remote desktop tools do support USB token passthrough.
For automated or remote signing, consider Azure Key Vault or Google Cloud KMS instead. See our HSM key storage comparison.
GlobalSign USB token setup guide
Step-by-step guide for installing SafeNet drivers, retrieving your certificate via Fortify and your first signing.
Code Signing certificates with USB token
OV Code Signing
DigiCert CodeSign OV
DigiCert OV Code Signing. SafeNet USB token + express shipping included.
GlobalSign CodeSign
GlobalSign OV Code Signing. SafeNet USB token included. Express +€65.
EV Code Signing