How to Get a Code Signing Certificate Without a Hardware Token

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 5.00 out of 5)

Looking for a secure alternative to traditional token-based code signing certificates that’ll affirm your code’s authenticity & integrity? Explore HSM-backed solutions, which are preferred by 69% of organizations

In June 2023, the CA/B Forum ramped up the industry’s security baseline requirements for code signing certificates. A new layer of protection was added to standard code signing certificates to prevent their private keys from falling prey to cybercriminals.

The new regulation mandates that all publicly trusted code signing certificates and keys must be stored on secure hardware, usually a USB token by default. Fantastic, right? This means no more private keys lying around or stored on insecure servers. No more security incidents similar to what happened to AnyDesk at the end of 2023, when their private key and certificates stored on an insecure server were stolen.

Hold on. One size doesn’t fit all, though. So, what if the USB hardware token isn’t a good solution for your organization because you have multiple users who would have to share it? What if you can’t afford to buy or don’t have the capacity to manage yet another piece of hardware on top of those you already have? Or if code signing with a token doesn’t fit into your secure software development life cycle (SDCL)?

You’re in luck. We’ve got the solution. To be precise, we’ve a couple of great alternatives to the traditional USB tokens. Yup. Being able to use standard (OV) and extended validation (EV) code signing certificates without a hardware token doesn’t have to be a chimera. And in this article, you’re going to learn how to get one.

2 Options For Using Code Signing Certificates Without a Hardware Token

A picture we shot of a DigiCert secure hardware USB token
Image caption: Since June 2023, the USB token has become the default key storage for trusted code signing certificates.

Before June 2023, software publishers and developers who didn’t want to use a token to sign their code could purchase a standard or individual validation code signing certificate, and the problem was fixed. The keys were usually stored on an endpoint device or server and accessed when needed. This approach was risky from a security standpoint, as we’ve learned from AnyDesks’s example, but easy to use.

Then, the new regulations came into force, and the USB token became the established choice for all kinds of certificates.

However, this isn’t the only option on the table. In fact, if you want to purchase a standard or an EV code signing certificate without having to use a token, you can choose among certificates that work just fine with:

  • An existing on-premises physical device (e.g., a hardware security module [HSM]) you manage, or with
  • An existing cloud-based key storage HSM solution.

Let’s take a closer look at both solutions and learn how you can obtain those certificates.

Tip: Want to save money? Buy your code signing certificate from an authorized vendor like You’ll get additional benefits such as:

  • Dirt cheap prices,
  • Guidance on getting through the validation process, and
  • 24/7 code signing support.

Does time = money for you? In the table, we’ve summarized the key features of the most popular alternatives — on-prem and cloud HSMs — so you can get on your way:

 DigiCert Code Signing CertificatesGoGetSSL Code Signing CertificatesGoGetSSL Cloud Code Signing CertificatesSectigo/Comodo Code Signing Certificates
Code Signing Certificates For Use With Existing On-Prem Physical HSMsChosen by top software publishers and banks.   Compatible with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.Low-cost solution.   Works with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.Low-cost solution.   Works with any FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent HSM.Affordable alternative for small businesses and individuals.   It works only with a Luna Network Attached HSM version 7.x.
Code Signing Certificates For Use With Cloud-Based HSMsDigiCert code signing certificate for key storage/vault solutions backed by a cloud-based HSM.   Compatible with Azure Key Vault.   Can be integrated with DigiCert’s Software Trust Manager, an HSM-backed solution for enterprises.Ideal for small/medium businesses.   Sign up to 1,000 files of your choice.  Ideal for small/medium businesses.   Sign up to 1,000 files of your choice. Your certificate key will be generated and stored via DigiCert’s KeyLocker HSM-backed secure cloud storage solution (included).

Also compatible with Azure Key Vault.  

Option #1: Get a Code Signing Certificate on an On-Prem Physical Hardware Security Module (HSM)

An HSM is a piece of hardware used to secure and manage cryptographic keys throughout their life cycles. From provisioning and backup to usage, deployment, and decommissioning, the market for this tamper-intrusion-resistant solution is predicted to reach a stunning value of $2.3 billion by 2028.

An on-prem physical HSM is the “Ferrari” alternative to a USB token. It’ll guarantee you optimal security. On top of complying with the standard industry requirements, it brings:

  • Simplified and complete audit access.
  • Full control and visibility of the hardware and keys,
  • Strict physical and virtual access control thanks to physical sensors, and multilayered security protection, including multifactor authentication.

But all of these benefits and features come at a price, just like a Ferrari car. As the HSM is installed directly in the client’s dedicated data center, upfront, operating and maintenance costs can be incredibly high and not conducive for small or medium-size businesses.

Are you lucky enough to have your own FIPS 140-2 Level 2 compliant HSM? Great! This means you can then buy a code signing certificate among those listed below at slashed prices without having to pay for a USB token.

The purchasing process is very straightforward. For example, on you’ll just have to:

  1. Select your brand and choice of certificate. Do this by going to Shop Certificates and selecting an issuing certificate authority (CA), such as DigiCert, Sectigo, Comodo SSL, or GoGetSSL).
  2. Indicate how many certificates you want. 1? 2? Choose however many you want to buy.
  3. Choose whether you want to buy it as a 1-year purchase or a bundle. You have the option of choosing 1 year, or 2- or 3-year bundles. Hint: Three years will give you the best value.
  4. Choose your delivery method. Under Certificate Delivery Method, select Install on Existing HSM.

For example, here is what these options look like when making selections for a DigiCert code signing certificate:

A screenshot of the selections you can make when purchasing a code signing certificate without a hardware token.
Image source: This is how to purchase a code signing certificate without a hardware token on

The CA will then validate your digital identity and have you sign a confirmation (which you’ll receive via email) to attest that the existing HSM complies with the industry security standards we’ve mentioned. Once you’ve done this, you’ll be able to download the certificate to install in your local trust store.

Before you do that, you’ll have to choose a certificate. Here, we’ve listed three examples of the best-of-class CAs selling code signing certificates for physical HSMs.

1. DigiCert Code Signing Certificate to Install on an Existing Physical HSM

A screenshot of a DigiCert code signing certificate product page
Image source: The screenshot shows the key features of a DigiCert standard code signing certificate.

DigiCert is one of the most trusted certificate authorities on the market:

2. GoGetSSL Code Signing Certificate to Install on an Existing Physical HSM

A screenshot of a GoGetSSL code signing certificate product page
Image source: The screenshot shows an overview of a standard GoGetSSL code signing certificate.

As part of DigiCert, GoGetSSL offers globally trusted, low-cost code signing certificates for both individual developers and organizations. Delivered via download within a matter of days, a GoGetSSL certificate guarantees you the same level of security and trust offered by its parent company, at a fraction of the price.

Like all DigiCert code signing certificates, GoGetSSL certificates will also work with all FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent compliant HSMs.

3. Sectigo/Comodo Code Signing Certificate Using an Existing Luna HSM

A screenshot of a Sectigo code signing certificate product page
Image source: The screenshot shows an overview of a standard Sectigo code signing certificate.

Sectigo and Comodo code signing certificates, when ordered without a hardware token, are affordable alternatives for small businesses and individuals on a budget. However, it’s important to be aware that these certificates only work with a Luna Network Attached HSM V7.x.

Hint: Comodo CA is part of Sectigo. Therefore, you’ll enjoy the same perks and prices regardless of which brand of certificate you choose.

Option #2: Opt For a Code Signing Certificate on an Integrated Cloud Storage Solution

HSM appliances can be expensive compared to classic USB tokens. This is where using a cloud-based HSM comes into play. It’s a digital, more affordable version of the physical HSM but without the physical management and security requirements. It’s a great solution for smaller companies and startups with tight budgets.

When you purchase a code signing certificate without a hardware token, you’ll have the option of storing it in the cloud (using a FIPS 140-2 Level 2 compliant solution). Doing this means you’ll get:

  • Use of a fully managed HSM without any upfront and managing costs.
  • Access to an HSM-backed cloud solution via API and/or a management platform.
  • Built-in backup solutions.

The downside? You don’t own the HSM, so you’ll have less visibility and control of it. However, all FIPS 140-2 Level 2 compliant HSMs, including cloud solutions, have to meet certain security requirements and standards.

Sound good? Now, it’s time to pick your certificate…

1. GoGetSSL Code Signing Certificate With Cloud-Based HSM and KeyLocker Software

A screenshot of a GoGetSSL cloud code signing certificate product page
Image source: The screenshot shows the perks that come with a standard GoGetSSL cloud code signing certificate.

Research and Markets forecasts the global cloud HSM trade to grow up to $2.68 billion by 2030. GoGetSSL code signing certificates (without a hardware token) for cloud signing can be a good compromise for small/medium businesses looking for the advantages offered by an HSM at a reasonable price.’s GoGetSSL cloud signing solution is such a solution. The deal on entails:

  • Getting a standard or EV code signing certificate (without a hardware token) issued by DigiCert and stored in a cloud HSM (DigiCert KeyLocker, a FIPS 140-2 Level 2 [or Common Criteria EAL 4+ equivalent] compliant solution).
  • Being able to sign up to 1,000 files of your choice.
  • DigiCert’s KeyLocker software license, which allows you to securely generate and store your private key, and supports signing with DigiCert’s Click-to-Sign tool and other third-party tools (e.g., SignTool, jSign, Sign4j, OpenSSL, etc.) without giving users direct access to the key.

To start signing with this tokenless code signing certificate,

  • Click on the button below,
  • Select the standard (OV) or EV certificate, and
  • Follow the simple instructions we put together.

You’ll be up and running in a flash.

2. DigiCert Code Signing Certificate Key Storage & Third-Party Vault Solutions Backed by a Cloud-Based HSM

If your enterprise isn’t interested in buying a physical HSM appliance, that’s okay. Enterprises can purchase and securely store their DigiCert code signing certificates using DigiCert’s Software Trust Manager. In addition to secure and FIPS 140-2 Level 2 (or Common Criteria EAL 4+ equivalent) compliant key storage, this solution also offers other features to enhance the security of your products and customers’ software supply chains.

A screenshot example of DigiCert's Software Trust Manager (formerly Secure Software Manager) enterprise solution

DigiCert Software Trust Manager features include:

  • Automated advanced threat detection tools,
  • Granular policy enforcement to ensure compliance, and
  • The possibility to generate software bills of material (SBOM).

DigiCert code signing certificates also work with third-party key storage or vault solutions using compliant HSMs, such as:

Not bad if you think that between 2020 and 2023, Reversing Labs identified an increase of over 1,300% in malicious open-source packages.

3 Benefits of a Code Signing Certificate Without a USB Hardware Token

Physical and cloud-based HSM code signing certificates can be valid alternatives to traditional USB tokens. When used for code signing, they’ll offer you the same benefits guaranteed by the token, with some added value. So, what makes physical and cloud-based HSMs so appealing to organizations?

  1. Higher scalability. Is your organization growing? Stop purchasing hundreds of tokens and wasting precious time and resources managing them. HSMs will keep everything under a single roof and easily scale and adapt to your needs. You opted for a cloud-based or a managed HSM? Even better. You won’t even have to worry about adding or removing hardware or tokens being lost or stolen.   
  2. Robust security and centralized key management. KeyFactor reports that 84% of the companies surveyed in 2023 had serious trouble managing an increased number of keys and certificates. An HSM resolves many of these issues, serving as a one-stop shop that allows you to centrally oversee, protect, and control your cryptographic keys.  
  3. Reduced costs (in the long term). $4.45 million. This is the average cost of a data breach indicated by IBM in 2023. Even the more sophisticated dedicated HSM implementation will never reach such a ridiculous amount. But it will help you reduce the risk of leaks and reach compliance, saving you money down the pike.

Ultimately, it’s your choice whether you want to use a code signing certificate without a hardware token. Imagine an ideal world where nobody loses or forgets a token: there are no cybercriminals and audits don’t exist, you wouldn’t even need to add a digital signature to your code. But here in the real world, things are very different, and HSMs can be an effective solution to protect and manage your code signing keys.

  • Final Thoughts About How to Get a Code Signing Certificate Without a Hardware Token

Code signing fosters trust and proves to your customers that your products are safe and authentic. But it doesn’t have to be complicated or cost you a fortune. If token-based code signing isn’t the right solution for you, there are other viable options available out there.

  • Existing physical HSMs you already own and operate. A great option for those organizations looking for a secure, on-premises environment for managing a large number of cryptographic keys and enabling secure code signing operations during testing, development, and production.
  • Integrated HSM-backed cloud storage solutions. A fantastic alternative for firms on a budget.  If you don’t want to miss out on the advantages and scalability offered by HSMs but would rather do without the burden (and costs) of purchasing the hardware and managing it on-site.

Make your choice and start code signing now. Remember: Any code signing certificate without a hardware token (i.e., that’s stored on an HSM) works with code signing tools, such as Microsoft SignTool.exe and Java JarSigner. It can be used to sign (and secure from tampering) a plethora of software, including Excel macros.