How to Get a Code Signing Certificate Without a Hardware Token


Looking for a secure alternative to traditional token-based code signing certificates that’ll affirm your code’s authenticity & integrity? Explore HSM-backed solutions, which are preferred by 69% of organizations

In June 2023, the CA/B Forum ramped up the industry’s security baseline requirements for code signing certificates. A new layer of protection was added to standard code signing certificates to prevent their private keys from falling prey to cybercriminals.

The new requirements mandate that the private key of every publicly trusted code signing certificate be generated and stored on hardware validated to FIPS 140-2 Level 2, Common Criteria EAL 4+, or an equivalent standard; CAs ship a USB token for this by default. Fantastic, right? This means no more private keys lying around or stored on insecure servers. No more incidents like the one AnyDesk disclosed in early 2024, when a compromise of its production systems forced it to revoke and replace its code signing certificate.

Hold on. One size doesn’t fit all, though. What if a USB hardware token isn’t a good fit for your organization because multiple users would have to share it? What if you can’t afford to buy, or don’t have the capacity to manage, yet another piece of hardware on top of those you already have? Or what if code signing with a token doesn’t fit into your secure software development life cycle (SDLC)?

You’re in luck. We have a couple of solid alternatives to the traditional USB token. Using standard (OV) and extended validation (EV) code signing certificates without a hardware token isn’t a pipe dream, and in this article you’ll learn how to get one.

2 Options For Using Code Signing Certificates Without a Hardware Token

A picture we shot of a DigiCert secure hardware USB token
Image caption: Since June 2023, the USB token has become the default key storage for trusted code signing certificates.

Before June 2023, software publishers and developers who didn’t want to use a token to sign their code could purchase a standard or individual validation code signing certificate, and the problem was solved. The private keys were usually stored on an endpoint device or server and accessed when needed. This approach was easy to use but risky from a security standpoint, as AnyDesk’s example shows.

Then the new requirements came into force, and the USB token became the default delivery method for every kind of publicly trusted code signing certificate.

However, this isn’t the only option on the table. In fact, if you want to purchase a standard or an EV code signing certificate without having to use a token, you can choose among certificates that work just fine with:

  • An existing on-premises physical device (e.g., a hardware security module [HSM]) you manage, or with
  • An existing cloud-based key storage HSM solution.

Let’s take a closer look at both solutions and learn how you can obtain those certificates.

Tip: Want to save money? Buy your code signing certificate from an authorized vendor like CodeSigningStore.com. You’ll get additional benefits such as:

  • Dirt cheap prices,
  • Guidance on getting through the validation process, and
  • 24/7 code signing support.

Does time = money for you? In the table, we’ve summarized the key features of the most popular alternatives — on-prem and cloud HSMs — so you can get on your way:

DigiCert Code Signing Certificates
  • For use with an existing on-prem physical HSM: Chosen by top software publishers and banks. Compatible with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
  • For use with a cloud-based HSM: DigiCert code signing certificate for key storage/vault solutions backed by a cloud-based HSM. Compatible with Azure Key Vault. Can be integrated with DigiCert’s Software Trust Manager, an HSM-backed solution for enterprises.

GoGetSSL Code Signing Certificates
  • For use with an existing on-prem physical HSM: Low-cost solution. Works with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
  • For use with a cloud-based HSM: Ideal for small/medium businesses. Sign up to 1,000 files of your choice.

GoGetSSL Cloud Code Signing Certificates
  • For use with an existing on-prem physical HSM: Low-cost solution. Works with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
  • For use with a cloud-based HSM: Ideal for small/medium businesses. Sign up to 1,000 files of your choice. Your private key is generated and stored in DigiCert’s KeyLocker HSM-backed secure cloud storage solution (included). Also compatible with Azure Key Vault.

Sectigo/Comodo Code Signing Certificates
  • For use with an existing on-prem physical HSM: Affordable alternative for small businesses and individuals. Works only with a Luna Network Attached HSM version 7.x.
  • For use with a cloud-based HSM: N/A

Option #1: Get a Code Signing Certificate on an On-Prem Physical Hardware Security Module (HSM)

An HSM is a tamper-resistant piece of hardware used to secure and manage cryptographic keys throughout their life cycles, from provisioning and backup to usage, deployment, and decommissioning. The HSM market is predicted to reach a stunning $2.3 billion by 2028.

An on-prem physical HSM is the “Ferrari” alternative to a USB token and offers the strongest key protection of the options covered here. On top of complying with the industry requirements, it brings:

  • Simplified and complete audit access,
  • Full control and visibility of the hardware and keys, and
  • Strict physical and logical access control thanks to tamper sensors and multilayered security protection, including multifactor authentication.

But all of these benefits and features come at a price, just like a Ferrari. Because the HSM is installed in your own data center, the upfront, operating, and maintenance costs can be very high and out of reach for small or medium-size businesses.

Are you lucky enough to already have your own FIPS 140-2 Level 2 (or Common Criteria EAL 4+) compliant HSM? Great! You can then buy one of the code signing certificates listed below at a lower price, since no USB token ships with it.

The purchasing process is very straightforward. For example, on CodeSigningStore.com you’ll just have to:

  1. Select your brand and choice of certificate. Do this by going to Shop Certificates and selecting an issuing certificate authority (CA), such as DigiCert, Sectigo, Comodo SSL, or GoGetSSL.
  2. Indicate how many certificates you want. 1? 2? Choose however many you want to buy.
  3. Choose whether you want to buy it as a 1-year purchase or a bundle. You have the option of choosing 1 year, or 2- or 3-year bundles. Hint: Three years will give you the best value.
  4. Choose your delivery method. Under Certificate Delivery Method, select Install on Existing HSM.

For example, here is what these options look like when making selections for a DigiCert code signing certificate:

A screenshot of the selections you can make when purchasing a code signing certificate without a hardware token.
Image source: CodeSigningStore.com. This is how to purchase a code signing certificate without a hardware token on CodeSigningStore.com.

The CA will then validate your identity and have you sign a confirmation (sent via email) attesting that your existing HSM complies with the industry security standards mentioned above. The key pair itself is generated on the HSM, and the CA receives only a certificate signing request; the private key never leaves the device. Once validation is complete, you download the issued certificate and import it into the HSM key store that holds the matching private key.

Before you do that, you’ll have to choose a certificate. Here, we’ve listed three examples of the best-of-class CAs selling code signing certificates for physical HSMs.

1. DigiCert Code Signing Certificate to Install on an Existing Physical HSM

A screenshot of a DigiCert code signing certificate product page
Image source: CodeSigningStore.com. The screenshot shows the key features of a DigiCert standard code signing certificate.

DigiCert is one of the most trusted certificate authorities on the market:

2. GoGetSSL Code Signing Certificate to Install on an Existing Physical HSM

A screenshot of a GoGetSSL code signing certificate product page
Image source: CodeSigningStore.com. The screenshot shows an overview of a standard GoGetSSL code signing certificate.

GoGetSSL code signing certificates are issued by DigiCert and offer globally trusted, low-cost code signing for both individual developers and organizations. Delivered via download within a matter of days, a GoGetSSL certificate gives you the same level of security and trust as a DigiCert-branded certificate, at a fraction of the price.

Like all DigiCert code signing certificates, GoGetSSL certificates will also work with all FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent compliant HSMs.

3. Sectigo/Comodo Code Signing Certificate Using an Existing Luna HSM

A screenshot of a Sectigo code signing certificate product page
Image source: CodeSigningStore.com. The screenshot shows an overview of a standard Sectigo code signing certificate.

Sectigo and Comodo code signing certificates, when ordered without a hardware token, are affordable alternatives for small businesses and individuals on a budget. However, it’s important to be aware that these certificates only work with a Luna Network Attached HSM V7.x.

Hint: Comodo CA is part of Sectigo. Therefore, you’ll enjoy the same perks and prices regardless of which brand of certificate you choose.

Option #2: Opt For a Code Signing Certificate on an Integrated Cloud Storage Solution

HSM appliances can be expensive compared to classic USB tokens. This is where a cloud-based HSM comes into play. It’s still validated hardware, but a provider hosts and operates it and you rent capacity on it, so you avoid the procurement, physical management, and physical security requirements of running your own. It’s a great solution for smaller companies and startups with tight budgets.

When you purchase a code signing certificate without a hardware token, you have the option of storing the private key in a cloud HSM (a FIPS 140-2 Level 2 compliant solution). Doing this means you’ll get:

  • Use of a fully managed HSM without upfront hardware or operating costs.
  • Access to an HSM-backed cloud solution via API and/or a management platform.
  • Built-in backup solutions.

The downside? You don’t own the HSM, so you have less visibility into and control over it. However, a cloud HSM must still carry the same FIPS 140-2 Level 2 (or Common Criteria EAL 4+) validation the baseline requirements demand, so your private key is generated and kept inside validated hardware rather than on a server you administer.

Sound good? Now, it’s time to pick your certificate…

1. GoGetSSL Code Signing Certificate With Cloud-Based HSM and KeyLocker Software

A screenshot of a GoGetSSL cloud code signing certificate product page
Image source: CodeSigningStore.com. The screenshot shows the perks that come with a standard GoGetSSL cloud code signing certificate.

Research and Markets forecasts the global cloud HSM market to grow to $2.68 billion by 2030. GoGetSSL code signing certificates for cloud signing (without a hardware token) can be a good compromise for small/medium businesses looking for the advantages of an HSM at a reasonable price.

The GoGetSSL cloud signing deal on CodeSigningStore.com includes:

  • Getting a standard or EV code signing certificate (without a hardware token) issued by DigiCert and stored in a cloud HSM (DigiCert KeyLocker, a FIPS 140-2 Level 2 [or Common Criteria EAL 4+ equivalent] compliant solution).
  • Being able to sign up to 1,000 files of your choice.
  • DigiCert’s KeyLocker software license, which lets you securely generate and store your private key and supports signing with DigiCert’s Click-to-Sign tool and third-party tools (e.g., SignTool, jSign, Sign4j, OpenSSL) without giving users direct access to the key.
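To make the “no direct access to the key” point concrete, here is an added example (not code from CodeSigningStore.com or DigiCert) of signing a Windows executable with SignTool against a KeyLocker-held key. It assumes DigiCert’s KeyLocker client tools, including the “DigiCert Signing Manager KSP” key storage provider, are installed, and that the placeholders in angle brackets (host URL, API key, client certificate, keypair alias, file paths) are replaced with your own values.

```powershell
# Added example, not from the original article. Assumes DigiCert's KeyLocker
# client tools (including the "DigiCert Signing Manager KSP") are installed
# and signtool.exe is on the PATH. Values in <angle brackets> are placeholders.

# KeyLocker authenticates the signing client with an API key plus a client
# authentication certificate. The private signing key never leaves the cloud
# HSM: SignTool hands the file hash to the KSP, which returns only a signature.
$env:SM_HOST                = "<keylocker-host-url>"
$env:SM_API_KEY             = "<your-api-key>"
$env:SM_CLIENT_CERT_FILE    = "C:\keylocker\client-auth.p12"
$env:SM_CLIENT_CERT_PASSWORD = "<client-cert-password>"

# /csp selects the KeyLocker key storage provider, /kc names the keypair alias
# in KeyLocker, /f is the public code signing certificate you downloaded, and
# /tr + /td add an RFC 3161 timestamp so the signature stays valid after the
# certificate expires. /fd picks the file digest algorithm.
signtool.exe sign `
    /csp "DigiCert Signing Manager KSP" `
    /kc  "<keypair-alias>" `
    /f   "C:\keylocker\codesign.crt" `
    /tr  http://timestamp.digicert.com /td SHA256 `
    /fd  SHA256 `
    "C:\build\MyApp.exe"

# Verify the Authenticode signature and its chain against the default
# Authenticode policy (/pa), with verbose output (/v).
signtool.exe verify /pa /v "C:\build\MyApp.exe"
```

Because the developer holds only an API key and a client certificate, both of which can be rotated or revoked in KeyLocker without touching the signing key, a stolen build machine does not yield the key the way a PFX on disk would. The timestamp step is not optional in practice: without it, every signature becomes untrusted the day the certificate expires.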

To start signing with this tokenless code signing certificate:

  • Order the GoGetSSL cloud code signing certificate on CodeSigningStore.com,
  • Select the standard (OV) or EV certificate, and
  • Follow the setup instructions provided with your order.

You’ll be up and running in a flash.

2. DigiCert Code Signing Certificate Key Storage & Third-Party Vault Solutions Backed by a Cloud-Based HSM

If your enterprise isn’t interested in buying a physical HSM appliance, that’s okay. Enterprises can purchase and securely store their DigiCert code signing certificates using DigiCert’s Software Trust Manager. In addition to secure and FIPS 140-2 Level 2 (or Common Criteria EAL 4+ equivalent) compliant key storage, this solution also offers other features to enhance the security of your products and customers’ software supply chains.

A screenshot example of DigiCert's Software Trust Manager (formerly Secure Software Manager) enterprise solution

DigiCert Software Trust Manager features include:

  • Automated advanced threat detection tools,
  • Granular policy enforcement to ensure compliance, and
  • The possibility to generate software bills of material (SBOM).

DigiCert code signing certificates also work with third-party key storage or vault solutions built on compliant HSMs, such as Azure Key Vault.

That matters when you consider that, between 2020 and 2023, ReversingLabs identified an increase of over 1,300% in malicious open-source packages.

3 Benefits of a Code Signing Certificate Without a USB Hardware Token

Physical and cloud-based HSM code signing certificates can be valid alternatives to traditional USB tokens. When used for code signing, they’ll offer you the same benefits guaranteed by the token, with some added value. So, what makes physical and cloud-based HSMs so appealing to organizations?

  1. Higher scalability. Is your organization growing? Stop purchasing hundreds of tokens and wasting precious time and resources managing them. HSMs will keep everything under a single roof and easily scale and adapt to your needs. You opted for a cloud-based or a managed HSM? Even better. You won’t even have to worry about adding or removing hardware or tokens being lost or stolen.   
  2. Robust security and centralized key management. KeyFactor reports that 84% of the companies surveyed in 2023 had serious trouble managing an increased number of keys and certificates. An HSM resolves many of these issues, serving as a one-stop shop that allows you to centrally oversee, protect, and control your cryptographic keys.  
  3. Reduced costs (in the long term). $4.45 million. This is the average cost of a data breach reported by IBM in 2023. Even a sophisticated dedicated HSM deployment costs a fraction of that, and it reduces the risk of key leaks while helping you meet compliance requirements, saving you money down the road.

Ultimately, it’s your choice whether you want to use a code signing certificate without a hardware token. In an ideal world where nobody loses or forgets a token, where there are no cybercriminals, and where audits don’t exist, you wouldn’t even need to sign your code. Here in the real world, things are very different, and HSMs are an effective way to protect and manage your code signing keys.

Final Thoughts About How to Get a Code Signing Certificate Without a Hardware Token

Code signing fosters trust and proves to your customers that your products are safe and authentic. But it doesn’t have to be complicated or cost you a fortune. If token-based code signing isn’t the right solution for you, there are other viable options available out there.

  • Existing physical HSMs you already own and operate. A great option for those organizations looking for a secure, on-premises environment for managing a large number of cryptographic keys and enabling secure code signing operations during testing, development, and production.
  • Integrated HSM-backed cloud storage solutions. A great alternative for firms on a budget that don’t want to miss out on the advantages and scalability of an HSM but would rather do without the burden (and cost) of purchasing the hardware and managing it on-site.

Make your choice and start code signing now. Remember: a code signing certificate without a hardware token (i.e., one whose private key is stored on an HSM) works with the usual code signing tools, such as Microsoft SignTool.exe and Java JarSigner, and can be used to sign (and protect from tampering) a wide range of software, including Excel macros.