Code Signing Center - Application Signing Support
Code Signing Certificates Customer Support Center (certificates for signing code and applications). Here you will find all relevant information regarding code signing and using Code Signing certificates.
Code signing certificates
Code signing certificates are used to sign applications created on various development platforms. The goal of code signing is not only to authenticate the publisher but mainly to protect the application's integrity and immutability. If someone alters the application (for example, by adding malware), the signature becomes invalid. Therefore, most current systems either require app signatures (macOS) or strongly warn before running unsigned applications (Windows).
Code signing EV certificate
Even for code signing certificates, we offer a certificate with Extended Validation. Its benefits and instructions for activation are described in the following sections.
Significance of Code signing EV certificate
Its significance lies in increasing the security of the certificate and the private key. The certificate along with the private key is stored on a token and cannot be exported. The use of the certificate is protected by a password, and after several wrong attempts, the token is erased. This is an excellent protection of your code signing certificate from misuse. Another important advantage of the Code Signing EV certificate is absolute trustworthiness in the SmartScreen filter, which is part of Windows. Thanks to the EV signature, you can be assured that the Windows system will not block your application for users.
More information about the Code Signing certificate in our offer can be found on the product page DigiCert Code Signing EV.
How to obtain and activate the Code Signing EV certificate
The entire process of obtaining and activating a Code Signing EV certificate is described in the article Activating the Code Signing EV certificate.
How to sign software with a digital certificate
To sign applications with Code Signing, you need two things:
- Code Signing Certificate
- Application for signing
You get the Code Signing certificate from SSLmarket, and it is easy. You will choose the signing application based on the platform you are developing on. The most popular and widespread signing tools are the following, which we have described in our guides and can advise you on:
- Signtool from Windows SDK (guide)
- Jarsigner (see blog article)
- The smctl utility from DigiCert - recommended for KeyLocker (guide). It can use, for example, signtool and simplify signing.
Most of our customers develop in the MS Windows environment and use Windows SDK. Signing is then done using the signtool.exe tool. The documentation for signtool can be found on the SignTool.exe (Sign Tool) page on the Microsoft website.
Signing with cloud HSM
Cloud HSM is used for secure storage of the Code Signing certificate and remote access to it. Unlike a certificate on a token, it allows automation, and signing is very fast because only the file hash is sent to the cloud (hash signing).
We strongly recommend signing using hash-signing and the cloud, as opposed to a token. It is safe, fast, and inexpensive.
Recommended cloud HSM
- DigiCert KeyLocker
- DigiCert Software Trust Manager
- Azure Key Vault
- GCP Cloud KMS (Google)
- AWS CloudHSM
In the following sections, you will find the advantages and disadvantages of each solution.
DigiCert KeyLocker
The cheapest alternative to a token is KeyLocker. It is a simple service for a single user that allows easy code signing. DigiCert provides its KSP and PKCS#11 libraries, which you install in the system and sign code in the same way as you are used to. With their utility SMCTL, signing is even more straightforward than with signtool. SMCTL is compatible with the most-used tools for Code Signing and can call them. KeyLocker has a limit of 1000 signatures, so it is suitable for less frequent signing. However, the number of signatures can be increased for a fee.
DigiCert Software Trust Manager
This is the flagship cloud solution from the DigiCert ONE platform, designed for enterprise use. It offers management of an unlimited number of certificates and users and is endlessly scalable. Prepared scripts and libraries provide the connection to your CI/CD platform. Access to STM and the number of signatures are licensed. For more information on pricing and licensing, please do not hesitate to contact us. Documentation can be found on the DigiCert website.
Cloud HSM Azure and Google
Both major cloud players provide an HSM service with secure remote access via their libraries, which work as KSP in Windows. Their use is not complicated and the price of both is very favorable (payment is only for cryptographic operations). Azure and GCP are recommended for a large number of signatures per year because the costs are low.
The guide for signing code using Azure Key Vault can be found in the article Signing code using Azure Key Vault. For GCP Cloud KMS, see the article Signing code using Google Cloud KMS.
AWS CloudHSM
Amazon also offers cloud signing using Signtool from the Windows SDK, but the HSM you set up is charged by the hour of operation. Besides the fixed costs, you also pay for operations (signatures). If you do not yet use AWS, we recommend Azure or GCP HSM instead. More information on using Signtool can be found in the article Use Microsoft SignTool with Client SDK 3 to sign files.
Comparison of Azure Key Vault vs Google Cloud KMS vs AWS CloudHSM/KMS+HSM
Comparison of all three cloud HSMs is provided in the table below. It focuses on the costs of signing operations (hash signing), fixed costs, scaling, low usage, operational complexity, and latency/throughput.
| Factor | Azure Key Vault | Google Cloud KMS | AWS CloudHSM / KMS + HSM | 
|---|---|---|---|
| Operation fees (sign/verify) | Very low (≈ $/10,000 operations). | Very low (≈ $/10,000 operations). | Not the key cost; the major costs are the fixed fees for the HSM. |
| Fixed costs | Possible monthly fee for HSM key; otherwise low. | No significant fixed costs in basic mode. | High – hourly rental of HSM (24/7) or Custom Key Store. | 
| Scaling and Capacity | Linear by transactions; limited by throttling. | Linear; beware of quotas (QPS/QPM). | Scaling by adding HSMs; fixed cost increases. | 
| Cost at low use | Advantageous — mainly pay per operations. | Advantageous — mainly pay per operations. | Disadvantageous — HSMs paid even without load. | 
| Operational complexity | Low — managed service. | Low — managed service. | Higher — HSM cluster and HA/DR management. | 
Contact Us
If you need help with any step of ordering a certificate, issuing a certificate, installing a certificate, or any other question, do not hesitate to contact our customer support, who will advise and assist you. Our experts with DigiCert Security Sales Expert Plus certification are available every business day during regular working hours.
You can also contact us directly from your customer account by sending a request from the Authorized Request menu.
FAQ - Frequently Asked Questions
Is the Code Signing certificate tied to my domain name?
No. Code Signing is not issued for a domain, but for a specific organization. The name of this organization is in the Common name.
What can I sign?
With the DigiCert Code Signing certificate, you can sign various types of software and scripts to ensure they come from a trusted source and have not been altered after issuance.
✅ What can be signed:
- Executable files: .exe, .dll, .ocx, .msi, .cab
- Windows drivers (WHLK/HLK)
- Java applications: .jar
- Macros and VBA scripts in Microsoft Office
- PowerShell scripts: .ps1
- macOS applications and packages (via Apple Developer ID)
- Adobe AIR applications
- .NET applications and libraries
- Scripts and installers in various environments
⚠️ What cannot be signed:
- Code requiring qualified electronic signature according to eIDAS
- Files not intended for distribution
- Formats and platforms not supporting digital signature
Is timestamped code valid after the Code Signing certificate expires?
Yes, timestamped code remains valid even after the certificate expires. Using a timestamp during signing allows the system to verify that the code was signed while the certificate was valid. Thus, the signature remains trustworthy. Without a timestamp, the code must be re-signed with a new certificate.
How can I timestamp VBA projects?
See the article Instructions for timestamping VBA code on the DigiCert.com website.
Is there a limitation on the number of applications I can sign with the Code Signing certificate?
No, you can sign an unlimited number of applications with the certificate. When you have a Code Signing certificate on a token, you can sign indefinitely. The number of signatures is only considered in cloud services:
- DigiCert KeyLocker - you have 1000 signatures for the duration of the certificate, more can be purchased.
- Software Trust Manager - signatures are licensed for the duration of the contract.
How is signing done using a certificate in the cloud?
Signing with a Code Signing certificate is simple and fast. It uses hash-based signing, where a hash is calculated from the file and is then sent to the cloud to be signed. The file itself is not transferred anywhere – only the signed hash is returned for the signature. This makes the entire process safe and efficient.
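The hash-signing flow described above, simulated locally with OpenSSL as an added example (not SSLmarket's or DigiCert's code). The local key file stands in for the key held in a cloud HSM, and the function names and the sample file are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: hash signing simulated locally with OpenSSL. The key file
# stands in for the non-exportable key in a cloud HSM (assumption); function
# names and the sample file are constructed for this demo.

# "Cloud" side: receives ONLY a digest and returns a signature over it.
hsm_sign_digest() {   # $1=private key  $2=digest file  $3=signature out
  [ "$(wc -c < "$2" | tr -d ' ')" -eq 32 ] || return 1   # SHA-256 digests only
  openssl pkeyutl -sign -inkey "$1" -pkeyopt digest:sha256 -in "$2" -out "$3"
}

# Client side: hash the file locally, send the digest, keep the signature.
client_sign() {       # $1=private key  $2=file  $3=signature out
  local digest rc=0
  digest=$(mktemp)
  openssl dgst -sha256 -binary "$2" > "$digest"
  hsm_sign_digest "$1" "$digest" "$3" || rc=$?
  rm -f "$digest"
  return $rc
}

# Relying party: verify the signature against the full file.
verify_file() {       # $1=public key  $2=file  $3=signature
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

run_demo() {
  local d ok=FAIL bad=FAIL big=ACCEPTED
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$d/hsm.key" 2>/dev/null
  openssl pkey -in "$d/hsm.key" -pubout -out "$d/pub.pem"
  head -c 1048576 /dev/urandom > "$d/app.bin"   # constructed 1 MiB "application"
  client_sign "$d/hsm.key" "$d/app.bin" "$d/app.sig" || { echo sign-failed; return 1; }
  verify_file "$d/pub.pem" "$d/app.bin" "$d/app.sig" && ok=OK
  printf 'x' >> "$d/app.bin"                    # alter the file after signing
  verify_file "$d/pub.pem" "$d/app.bin" "$d/app.sig" && bad=OK
  # The signing endpoint never needs the file itself, so it refuses one.
  hsm_sign_digest "$d/hsm.key" "$d/app.bin" "$d/x.sig" 2>/dev/null || big=REFUSED
  rm -rf "$d"
  echo "original=$ok tampered=$bad whole-file-upload=$big"
}

run_demo   # prints: original=OK tampered=FAIL whole-file-upload=REFUSED
```

The signature produced from the 32-byte digest verifies against the full file, which is why only the hash has to leave the build machine.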
Hash signing with the cloud can be used with these products:
 
                            