What Are the 3 Code Signing Certificate Delivery Methods?

Home » What Are the 3 Code Signing Certificate Delivery Methods?

We’ll quickly explore three ways you can get a code signing certificate to secure your software and supply chain right away

Since 2023, code signing certificates must be installed on secure hardware. For all code signing certificates, this means you can choose from one of three options:

1. purchase a code signing certificate with secure hardware token (DigiCert code signing certificate secure tokens arrive blank and must be configured; Sectigo secure hardware tokens arrive pre-configured)  
2. order a certificate that can be installed on one of your existing hardware devices, or
3. utilize a cloud storage provider (such as GoGetSSL Cloud Signing or DigiCert Software Trust Manager).

When buying a code signing certificate, you can choose between several certificate delivery methods to find one that suits your needs. Just ensure you select the right delivery method, as it can’t be changed once you place your order. (You’ll have to cancel your order and place a new one.)

Code Signing Delivery Method #1: Using a Secure Physical Hardware Token

Ready to order a certificate with a secure hardware token from your chosen certificate authority (CA)? Simply select the Token + Shipping option in the Certificate Delivery method dropdown menu on CodeSigningStore.com. Hardware and shipping costs will be pre-calculated in the price of the certificate.

If the token needs to be shipped outside the US, please ensure to select the Token + International Shipping option (only applicable for Sectigo code signing products).

Curious as to how easy it is to set up and use a code signing certificate? Here’s a quick overview video that walks you through the process for a pre-configured hardware token for a Sectigo code signing certificate:

With DigiCert code signing certificates, you have the option of generating your certificate and key on a SafeNet USB secure hardware token you already own. DigiCert certificates support the following types of security tokens:

• SafeNet eToken 5110 FIPS (ECC ONLY)
• SafeNet eToken 5110+ FIPS
• SafeNet eToken 5110 CC (RSA 4096 & ECC)

Related Resource: How to Set Up Your New Code Signing Hardware Token (A Step-By-Step Guide)

What if you don’t want to deal with the hassle of managing and securely storing a physical token? It’s small, after all, and could get lost in a moment of absentmindedness. The good news is that there are a couple of other options that don’t require you to manage any tangible tokens…

Code Signing Delivery Method #2: Store Your Certificate Securely in the Cloud (Basic)

If you don’t want to keep track of a secure hardware token and can’t afford a pricey hardware security module (HSM), then you’re in luck, as there are a couple of other options.

GoGetSSL Cloud Signing with DigiCert KeyLocker

The DigiCert KeyLocker is a secure, cloud-based key protection platform that enables you to enjoy the convenience of connecting to and using your certificate and key locally. However, you don’t have to worry about any physical hardware because the key remains securely stored in a cloud HSM.

Related resource: How to Set Up and Use GoGetSSL Cloud Signing

DigiCert Software Trust Manager

Another option is DigiCert’s Software Trust Manager platform. This method is a great option for organizations with multiple developers who need to sign software, scripts, and other products. It enables you to set up granular access permissions to ensure that only authorized users can manage or use your keys, which are securely stored in an HSM.

DigiCert Software Trust Manager is a versatile solution that enables you to integrate code signing automation into your CI/CD and DevOps flows via integrations and/or APIs.

Code Signing Delivery Method #3: Install Your Certificate & Key on an Existing HSM (Advanced)

Do you already have a compatible hardware security module (HSM)? If you want to install the code signing certificate on a device you already own, you can do so by selecting the option Install on Existing HSM method from the Certificate Delivery method dropdown menu when purchasing your certificate on CodeSigningStore.com.

For this code signing certificate delivery method, you must already own the HSM device and should be familiar with its associated software. This is largely, in part, because you must provide your HSM’s attestation bundle when you generate the certificate.

Supported HSMs must be FIPS 140-2 Level or Common Criteria Evaluation Assurance Level (EAL) 4+ compliant and include:

• Yubikey 5 FIPS
• SafeNet LUNA Network Attached HSM, version 7+

We recommend this method for advanced users only, as we can’t provide support for third-party hardware.

What If Your Organization Already Uses Azure Key Vault?

If you’re already using Azure Key Vault within your organization, the aforementioned code signing certificate delivery methods won’t work for you. This is because Azure Key Vault requires any code signing certificates’ keys to be generated inside the vault.

This means you can’t generate the keys and then import them retroactively due to the industry’s more stringent code signing security baseline requirements.

To learn more about using AKV to sign your software, please check out our Azure Key Vault Code Signing resource page.

Related resource: Azure Key Vault Set Up and Code Signing Tutorial (with FAQs)

Troubleshooting: What Can I Do If I Selected the Wrong Delivery Method?

You can’t change your chosen certificate delivery method after completing your purchase. If you need to swap to a different delivery option, you must cancel your order through your CodeSigningStore.com account dashboard and purchase another certificate with the right delivery method. (NOTE: Orders that have been shipped and are outside of the 30-day refund period aren’t refundable.*)

*Orders canceled within the 30-day refund period but have already been shipped are eligible for cancelation. However, your certificate will be revoked and shipping fees will not be refunded.

Of course, if you have additional questions or need further assistance, please feel free to reach out to our Support team.