Is It Possible to Get a Free Code Signing Certificate?
Free Code Signing Certificate – Where to Find One?
From the earliest days until now, everyone has loved one thing for sure: free stuff, whether it’s food, any other product, or security certificates. If something is offered for free, there will be people who want to make use of it.
If you’re familiar with SSL/TLS certificates, you might know that they can be obtained for free – Let’s Encrypt is a prime example. So, if you’re a software developer who has seen free SSL certificates, it’s natural to ask whether free code signing certificates are offered as well. After all, code signing certificates are another type of X.509 certificate.
If you had asked this question before 2016, the answer could have been yes, at least for open-source projects. That’s because Certum, a certificate authority, used to offer a free code signing certificate for open-source projects as a trial version with a validity period of 1 year, but in 2016 they discontinued it and started charging for it. So, as of today, the answer is NO. No one offers a free code signing certificate, not even for open-source projects.
If you’re wondering why Certum discontinued this offering, or why other CAs don’t offer a free code signing certificate, the main reason is the compliance constraints and how costly it is to meet them. So, a certificate authority (CA) that offers free code signing certificates isn’t going to happen. And if you do find a CA that claims to offer a free code signing certificate, you should avoid it, because the required issuance process makes offering one for free impossible.
However, there’s an alternative: choose a cost-effective code signing certificate from a respected certificate authority. CAs like Sectigo and Comodo offer code signing certificates with the best bang for your buck. Additionally, if you purchase from a reseller like codesigningstore.com, you may get an additional discount on the already lower price.
Why Are Free SSL/TLS Certificates Offered, but Not Free Code Signing Certificates?
Now, let’s understand why free SSL/TLS certificates are available while there are no free code signing certificates, despite both being X.509 certificates.
Put simply, only DV SSL certificates are offered for free, and there is no such thing as a Domain Validated (DV) code signing certificate. Code signing certificates are used to sign software packages and applications, so the identity of the publisher must be assessed; browsers like Google Chrome make a trust-based decision based on that identity when deciding whether to warn users about safety at download time.
The code signing vetting process requires verification of certain documents, for example a government-issued ID, driving license or passport, and a financial or non-financial document containing your full name. This vetting takes one to five days to complete and requires a large staff and significant operational costs. For these reasons, it’s not possible to offer a free code signing certificate, just as there are no free EV and OV SSL certificates.
Only Trusted Certificate Authorities Can Issue Code Signing Certificates
One major reason why free code signing certificates are not offered is that only trusted certificate authorities like DigiCert and Sectigo can issue them. These CAs have to follow the Baseline Requirements set by the CA/Browser Forum, along with the rules of the various root programs, to maintain that trusted status.
Root programs are operated by big players like Microsoft, Google, Mozilla, and Apple. A root program, also called a root store, is the set of root CA certificates that the program operator trusts; CAs must meet the program’s requirements to have their roots included and to maintain that trusted status, and these root stores are relied on by all connected devices.
Hence, only CAs that follow strict guidelines for validation, logging, audits, and other requirements are trusted by Windows and other platforms.
Code signing certificates are issued only by trusted certificate authorities like Sectigo. These CAs take applicants for code signing certificates through a thorough vetting process to verify the legitimacy of the organization, which takes around 1-5 days to complete before the certificate is issued.
Truth be told, these vetting processes aren’t free for the CA either; they cost money. For example, CAs must hire and train employees to handle all these tedious tasks, logs, documentation, and much more.
So that’s why code signing certificates won’t be available for free, and not offering them for free also helps keep malicious actors away. For example, free SSL certificates are widely used for malicious sites. Similarly, if a free code signing certificate were offered, cybercriminals would most likely use it to sign their malicious software.