How to Get a Code Signing Certificate Without a Hardware Token
Looking for a secure alternative to traditional token-based code signing certificates that will affirm your code’s authenticity and integrity? Explore HSM-backed solutions, which are preferred by 69% of organizations.
The new regulation mandates that all publicly trusted code signing certificates and keys must be stored on secure hardware, usually a USB token by default. Fantastic, right? This means no more private keys lying around or stored on insecure servers. No more security incidents similar to what happened to AnyDesk at the end of 2023, when their private key and certificates stored on an insecure server were stolen.
Hold on. One size doesn’t fit all, though. So, what if a USB hardware token isn’t a good solution for your organization because you have multiple users who would have to share it? What if you can’t afford to buy, or don’t have the capacity to manage, yet another piece of hardware on top of those you already have? Or what if code signing with a token doesn’t fit into your secure software development life cycle (SDLC)?
You’re in luck. We’ve got the solution. To be precise, we have a couple of great alternatives to traditional USB tokens. Yup. Using standard (OV) and extended validation (EV) code signing certificates without a hardware token doesn’t have to be a pipe dream. And in this article, you’re going to learn how to get one.
2 Options For Using Code Signing Certificates Without a Hardware Token
Before June 2023, software publishers and developers who didn’t want to use a token to sign their code could purchase a standard or individual validation code signing certificate, and the problem was solved. The keys were usually stored on an endpoint device or server and accessed when needed. This approach was risky from a security standpoint, as we’ve learned from AnyDesk’s example, but easy to use.
Then, the new regulations came into force, and the USB token became the established choice for all kinds of certificates.
However, this isn’t the only option on the table. In fact, if you want to purchase a standard or an EV code signing certificate without having to use a token, you can choose among certificates that work just fine with:
An existing on-premises physical device (e.g., a hardware security module [HSM]) you manage, or with
An existing cloud-based key storage HSM solution.
Let’s take a closer look at both solutions and learn how you can obtain those certificates.
Tip: Want to save money? Buy your code signing certificate from an authorized vendor like CodeSigningStore.com. You’ll get additional benefits such as:
Dirt cheap prices,
Guidance on getting through the validation process, and
24/7 code signing support.
Does time = money for you? In the table, we’ve summarized the key features of the most popular alternatives — on-prem and cloud HSMs — so you can get on your way:
Code Signing Certificates For Use With Existing On-Prem Physical HSMs
DigiCert Code Signing Certificates: Chosen by top software publishers and banks. Compatible with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
GoGetSSL Code Signing Certificates: Low-cost solution. Works with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
GoGetSSL Cloud Code Signing Certificates: Low-cost solution. Works with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
Sectigo/Comodo Code Signing Certificates: Affordable alternative for small businesses and individuals. Works only with a Luna Network Attached HSM version 7.x.
Code Signing Certificates For Use With Cloud-Based HSMs
DigiCert Code Signing Certificates: DigiCert code signing certificate for key storage/vault solutions backed by a cloud-based HSM. Compatible with Azure Key Vault. Can be integrated with DigiCert’s Software Trust Manager, an HSM-backed solution for enterprises.
GoGetSSL Code Signing Certificates: Ideal for small/medium businesses. Sign up to 1,000 files of your choice.
GoGetSSL Cloud Code Signing Certificates: Ideal for small/medium businesses. Sign up to 1,000 files of your choice. Your certificate key will be generated and stored via DigiCert’s KeyLocker HSM-backed secure cloud storage solution (included).
Option #1: Get a Code Signing Certificate on an On-Prem Physical Hardware Security Module (HSM)
An HSM is a piece of hardware used to secure and manage cryptographic keys throughout their life cycle, from provisioning and backup to usage, deployment, and decommissioning. The market for this tamper-resistant solution is predicted to reach a stunning value of $2.3 billion by 2028.
An on-prem physical HSM is the “Ferrari” alternative to a USB token. It’ll guarantee you optimal security. On top of complying with the standard industry requirements, it brings:
Simplified and complete audit access,
Full control and visibility of the hardware and keys, and
Strict physical and virtual access control thanks to physical sensors and multilayered security protection, including multifactor authentication.
But all of these benefits and features come at a price, just like a Ferrari. As the HSM is installed directly in the client’s dedicated data center, the upfront, operating, and maintenance costs can be incredibly high and prohibitive for small or medium-size businesses.
Are you lucky enough to have your own FIPS 140-2 Level 2 compliant HSM? Great! This means you can then buy a code signing certificate among those listed below at slashed prices without having to pay for a USB token.
The purchasing process is very straightforward. For example, on CodeSigningStore.com you’ll just have to:
Select your brand and choice of certificate. Do this by going to Shop Certificates and selecting an issuing certificate authority (CA), such as DigiCert, Sectigo, Comodo SSL, or GoGetSSL.
Indicate how many certificates you want. 1? 2? Choose however many you want to buy.
Choose whether you want to buy it as a 1-year purchase or a bundle. You have the option of choosing 1 year, or 2- or 3-year bundles. Hint: Three years will give you the best value.
Choose your delivery method. Under Certificate Delivery Method, select Install on Existing HSM.
For example, here is what these options look like when making selections for a DigiCert code signing certificate:
The CA will then validate your digital identity and have you sign a confirmation (which you’ll receive via email) to attest that the existing HSM complies with the industry security standards we’ve mentioned. Once you’ve done this, you’ll be able to download the certificate to install in your local trust store.
Before you do that, you’ll have to choose a certificate. Here, we’ve listed three examples of the best-of-class CAs selling code signing certificates for physical HSMs.
1. DigiCert Code Signing Certificate to Install on an Existing Physical HSM
DigiCert is one of the most trusted certificate authorities on the market:
DigiCert’s varieties of digital certificates are used by top software publishers like Google, Adobe, GitHub, other Fortune 500 companies, and 97% of the world’s leading banks.
DigiCert code signing certificates are compatible with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.
2. GoGetSSL Code Signing Certificate to Install on an Existing Physical HSM
As part of DigiCert, GoGetSSL offers globally trusted, low-cost code signing certificates for both individual developers and organizations. Delivered via download within a matter of days, a GoGetSSL certificate guarantees you the same level of security and trust offered by its parent company, at a fraction of the price.
Like all DigiCert code signing certificates, GoGetSSL certificates will also work with all FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent compliant HSMs.
3. Sectigo/Comodo Code Signing Certificate Using an Existing Luna HSM
Sectigo and Comodo code signing certificates, when ordered without a hardware token, are affordable alternatives for small businesses and individuals on a budget. However, it’s important to be aware that these certificates only work with a Luna Network Attached HSM V7.x.
Option #2: Opt For a Code Signing Certificate on an Integrated Cloud Storage Solution
HSM appliances can be expensive compared to classic USB tokens. This is where using a cloud-based HSM comes into play. It’s a digital, more affordable version of the physical HSM but without the physical management and security requirements. It’s a great solution for smaller companies and startups with tight budgets.
When you purchase a code signing certificate without a hardware token, you’ll have the option of storing it in the cloud (using a FIPS 140-2 Level 2 compliant solution). Doing this means you’ll get:
Use of a fully managed HSM without any upfront or management costs.
Access to an HSM-backed cloud solution via API and/or a management platform.
Built-in backup solutions.
The downside? You don’t own the HSM, so you’ll have less visibility and control of it. However, all FIPS 140-2 Level 2 compliant HSMs, including cloud solutions, have to meet certain security requirements and standards.
Sound good? Now, it’s time to pick your certificate…
1. GoGetSSL Code Signing Certificate With Cloud-Based HSM and KeyLocker Software
Research and Markets forecasts the global cloud HSM trade to grow up to $2.68 billion by 2030. GoGetSSL code signing certificates (without a hardware token) for cloud signing can be a good compromise for small/medium businesses looking for the advantages offered by an HSM at a reasonable price.
CodeSigningStore.com’s GoGetSSL cloud signing offering is exactly that kind of compromise. The deal on CodeSigningStore.com entails:
Getting a standard or EV code signing certificate (without a hardware token) issued by DigiCert and stored in a cloud HSM (DigiCert KeyLocker, a FIPS 140-2 Level 2 [or Common Criteria EAL 4+ equivalent] compliant solution).
Being able to sign up to 1,000 files of your choice.
DigiCert’s KeyLocker software license, which allows you to securely generate and store your private key, and supports signing with DigiCert’s Click-to-Sign tool and other third-party tools (e.g., SignTool, jSign, Sign4j, OpenSSL, etc.) without giving users direct access to the key.
To start signing with this tokenless code signing certificate,
2. DigiCert Code Signing Certificate Key Storage & Third-Party Vault Solutions Backed by a Cloud-Based HSM
If your enterprise isn’t interested in buying a physical HSM appliance, that’s okay. Enterprises can purchase and securely store their DigiCert code signing certificates using DigiCert’s Software Trust Manager. In addition to secure and FIPS 140-2 Level 2 (or Common Criteria EAL 4+ equivalent) compliant key storage, this solution also offers other features to enhance the security of your products and customers’ software supply chains.
DigiCert Software Trust Manager features include:
Automated advanced threat detection tools,
Granular policy enforcement to ensure compliance, and
3 Benefits of a Code Signing Certificate Without a USB Hardware Token
Physical and cloud-based HSM code signing certificates can be valid alternatives to traditional USB tokens. When used for code signing, they’ll offer you the same benefits guaranteed by the token, with some added value. So, what makes physical and cloud-based HSMs so appealing to organizations?
Higher scalability. Is your organization growing? Stop purchasing hundreds of tokens and wasting precious time and resources managing them. HSMs will keep everything under a single roof and easily scale and adapt to your needs. You opted for a cloud-based or a managed HSM? Even better. You won’t even have to worry about adding or removing hardware or tokens being lost or stolen.
Robust security and centralized key management. KeyFactor reports that 84% of the companies surveyed in 2023 had serious trouble managing an increased number of keys and certificates. An HSM resolves many of these issues, serving as a one-stop shop that allows you to centrally oversee, protect, and control your cryptographic keys.
Reduced costs (in the long term). $4.45 million. This is the average cost of a data breach indicated by IBM in 2023. Even the more sophisticated dedicated HSM implementation will never reach such a ridiculous amount. But it will help you reduce the risk of leaks and reach compliance, saving you money down the pike.
Ultimately, it’s your choice whether you want to use a code signing certificate without a hardware token. Imagine an ideal world where nobody loses or forgets a token, there are no cybercriminals, and audits don’t exist: you wouldn’t even need to add a digital signature to your code. But here in the real world, things are very different, and HSMs can be an effective solution to protect and manage your code signing keys.
Final Thoughts About How to Get a Code Signing Certificate Without a Hardware Token
Code signing fosters trust and proves to your customers that your products are safe and authentic. But it doesn’t have to be complicated or cost you a fortune. If token-based code signing isn’t the right solution for you, there are other viable options available out there.
Existing physical HSMs you already own and operate. A great option for those organizations looking for a secure, on-premises environment for managing a large number of cryptographic keys and enabling secure code signing operations during testing, development, and production.
Integrated HSM-backed cloud storage solutions. A fantastic alternative for firms on a budget that don’t want to miss out on the advantages and scalability offered by HSMs but would rather do without the burden (and costs) of purchasing the hardware and managing it on-site.
Make your choice and start code signing now. Remember: Any code signing certificate without a hardware token (i.e., that’s stored on an HSM) works with code signing tools, such as Microsoft SignTool.exe and Java JarSigner. It can be used to sign (and secure from tampering) a plethora of software, including Excel macros.
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve updated your DigiCert CertCentral account to allow another Code Signing Certificate request. Log in to your account here.
DigiCert Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server and then sign files using your preferred tool (e.g., SignTool.exe, JarSigner, etc.).
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Sectigo/Comodo Code Signing Certificate Delivery Options
Easiest Option: Get your certificate shipped from Sectigo (or Comodo CA) on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
USB Token + Shipping (US): Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US): Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US): Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server and then sign files using your preferred tool (e.g., SignTool.exe, JarSigner, etc.).
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.