USD 
USD 
GBP 
EUR 
INR 
ZAR 
AUD 
CAD 
MYR 
SGD 
THB 
HKD 
BRL 
AED 
Users need assurance that the software they are downloading is not tampered with, originates from a legitimate source, and safe to use. That is where the code signing certificate comes into play. The code signing certificate is a digital certificate that validates the software hasn’t been altered since it was signed by its developer.
Building trust and protecting users from malicious software isn’t possible without code-signing certificates. Developers use them to build their credibility and secure their software distribution. Broadly, there are two types of code signing certificates: Organization Validation (OV) and Extended Validation (EV). While they are both for signing software, they have different validation requirements, security features, and use cases.
In this article, we’ll look at everything you need to know about EV and OV Code Signing Certificates, their key differences, use cases, and most importantly, how to find the right one for your needs.
Table of Contents
What is EV Code Signing Certificate?
Extended Validation (EV) Code Signing Certificate is a digital certificate used to authenticate and securely sign software, drivers, applications, and executable files digitally. It is issued by a trusted Certificate Authority (CA) after a thorough validation process to verify the publisher’s identity. The certificate links the publisher’s legal identity to a public key, which is visible to end-users during software installation.
Because of a stringent identity process, EV certificates offer the highest trust and security, providing safety to software developers and users from malicious alterations. The certificate boosts users’ trust by eliminating security warnings and strengthens the software’s integrity across all platforms. EV Code Signing Certificates are crucial for widely distributed software, such as antivirus tools, financial applications, and system-level utilities, where any sign of tampering or insecurity could lose users’ trust in the software.
Working Process of EV Code Signing Certificate
Hashing Process
Once the certificate is issued, the organization receives it along with the Private key, which is stored securely. The first step of signing your software is creating a hash. The hash function generates unique hash values, it assures users that this software comes from a legitimate source. The hashing process also ensures users that the software was not tampered with when it was signed.
Software Signing
After hashing, the next step is signing the software. For signing, you must use the USB token provided by the CA. The token allows you to use the private key to digitally sign and timestamp your software/application. This process encrypts the previously generated hash and lets the browser know whether the publisher of the certificate is trusted or not.
Download
After your software is hashed, signed, and timestamped, you can make it available for download. When a customer tries to download the software, the browser will recognize the publisher and identify if it is trusted or not.
Key features of EV Code Signing Certificates include
- Boosted SmartScreen Reputation: Any EV-signed software immediately gets past the Microsoft SmartScreen warnings, allowing for a much more pleasant user experience.
- Hardware-Based Key Storage: Private keys need to be stored on hardware tokens or HSMs (Hardware Security Modules) that are FIPS 140-2 Level 2 certified and provide you with tamper-resistant security.
- Mandatory for Certain Applications: Signing Windows kernel-mode drivers and other critical software requires EV Code Signing Certificates.
- Enhanced Trust: EV Code Signing Certificates provide the highest level of authentication, it ensures that the software is verified and trusted by users and operating systems.
Due to their stringent validation requirements and superior security features, EV Code Signing Certificates are widely used by large enterprises and developers distributing high-risk or critical software.
What is OV Code Signing certificate?
Organization Validation (OV) code signing is a type of digital certificate based on X.509 certificates, used to digitally sign, secure, and validate software, firmware, applications, scripts and executables files. The certificate is issued by the trusted Certificate Authority (CA) after verifying the legal existence and operational presence of the organization. These certificates cryptographically bind the software to the organization’s identity, preventing tampering and improving the integrity of the software. OV certificates help remove ‘Unknown Publisher’ warnings and build user trust, it is widely recognized across browsers and operating systems. They are well-suited for software publishers, developers, and businesses distributing enterprise software and firmware.
After issuance of the certificate, the process of code signing is same as EV certificates. First, you have to generate a hash to digitally sign your code. A developer then adds a signature to the content or a piece of code. This is done by using the private key provided by the CA.
When a user downloads your signed code, the user’s browser uses a public key for decrypting the signature. The system then checks the root certificate to verify if it is trusted or not, and then the system authenticates the signature.
Key features of OV Code Signing Certificates include
- Standard Validation: OV certificates confirm the legitimacy of the organization and remove ‘Unknown Publisher’ warning.
- Secure Key Storage: OV certificates can be stored in secure Hardware Security Modules (HSMs). HSMs are tamper-resistant physical devices designed to protect cryptographic keys from unauthorized access and tampering.
- Secure Software Distribution: OV code signing certificate assures secure online software distribution and improves confidence in users that they are downloading authentic, untampered, and unaltered software.
- Timestamping for Long-Term Validation: Timestamping option assures that even if the certificate expires, the signature remains valid for users. It allows the software to be recognized as authentic.
OV Code Signing Certificates are widely used for general-purpose software distribution, offering an affordable solution for developers aiming to build user trust.
EV Code Signing vs OV Code Signing: Differences
| Aspect | EV Code Signing | OV Code Signing |
|---|---|---|
| Validation Level | Extended Validation (Highest Level) | Organization Validation (Moderate Level) |
| Supported File Types | .exe, .dll, .cab, .sys, .msi, .drv | .exe, .dll, .cab, .msi, .ocx |
| Kernel Mode Support | Supports kernel-mode drivers (.sys, .drv) | You can sign drivers for Windows 10 and earlier versions. |
| Private Key Storage | Hardware-based (HSM, USB token) or cloud storage | Hardware-based (HSM, USB token) or software |
| Signature Type | Authenticode (SHA-256/512) with strong encryption | Authenticode (SHA-256) |
| Timestamping | Requires secure timestamping (RFC 3161 compliant) | Optional timestamping |
| Microsoft SmartScreen | Immediate reputation with Microsoft SmartScreen; no warnings for users during downloads or installations. | Reputation must be built over time as users download and install the signed software. |
| Security | Tamper-resistant, hardware-based storage. | Secure Hardware based storage or USB tokens |
| Usage | Primarily for software distribution | Suitable for both software & drivers |
Now that you understand how EV and OV code signing certificates work, their features, and key differences, let’s take a closer look at a detailed comparison between the two certificates.
Validation Process and Requirements
EV and OV certificates differ due to their validation process. EV Code Signing Certificate goes under more strict validation process. It requires your government-issued ID, physical address, business registration document, operational report, and contact details. In some cases, a legal opinion letter or a Dun & Bradstreet report is also required. OV certificates don’t enforce very strict checks, they just confirm your business registration details, physical address, and organization’s basic details from public records.
Microsoft SmartScreen Filter
The Windows ecosystem relies heavily on the Microsoft SmartScreen Filter that protects users from possibly dangerous software. With the EV Code Signing Certificates, there’s an immediate boost in reputation with SmartScreen, whereas OV Code Signing Certificates require time to build a reputation with SmartScreen, as the certificate doesn’t provide immediate recognition. The reputation grows gradually based on downloads, user feedback, and trust.
Platform Compatibility
Both EV and OV certificates are compatible with all major platforms, including Windows, macOS, Linux, and mobile operating systems. Yet, EV certificates are required for some platforms, such as signing Windows kernel-mode drivers, making them indispensable for developers targeting specific platforms.
Delivery Methods
The private keys of code signing certificates need to be secure with the highest level of security. For EV Code Signing Certificates, the private keys are typically delivered in Hardware tokens, Cloud based HSMs, or existing USB drives, with FIPS 140-2 level 2 compliance. On the other hand, OV code signing certificates allow private keys to be stored in hardware tokens or HSMs that are FIPS 140 Level 2/EAL 4+ compliant to store your keys safely.
Choose EV Code signing if
- You need an immediate SmartScreen reputation.
- You develop high-risk or enterprise-level software.
- You prioritize the highest level of security.
- You require compliance with hardware-based key storage standards.
Choose OV Code signing if
- You are distributing software on a smaller scale.
- You want a faster and more affordable solution.
- You don’t need immediate SmartScreen recognition.
- Your application does not involve high-security risks.
How to get the Code signing certificate?
Top providers like DigiCert, Comodo, and Sectigo offer both EV and OV Code Signing Certificates. Each provider ensures robust validation and feature-rich options tailored to different requirements. You can also choose the authorized distributors of code signing certificates such as CheapSSLShop for competitive prices.
| Provider | Validation Type | Key Features | Price |
|---|---|---|---|
| Comodo Code Signing Certificate | OV | Cost-effective, Broad compatibility | $226.67/yr. |
| Comodo EV Code Signing Certificate | EV | Improved trust, Secured keys | $298.00/yr. |
| Sectigo Code Signing Certificate | OV | Quick issuance, Developer-focused | $226.67/yr. |
| Sectigo EV Code Signing Certificate | EV | Identity assurance, Tamper-proof | $298.00/yr. |
| DigiCert Code Signing Certificate | OV | Seamless integration, Global trust | $369.67/yr. |
| DigiCert EV Code Signing Certificate | EV | Reputation boost, Long-term validity | $515.00/yr. |
Obtaining a code signing certificate involves the following steps:
- Choose a Trusted Provider: Leading providers like DigiCert, Comodo, and Sectigo offer EV and OV Code Signing Certificates with varying features and pricing.
- Submit Required Documentation: Depending on the certificate type, documentation should be prepared such as legal entity details, proof of identity, and operational status.
- Complete Validation: Follow the instructions of the certificate authority on how to complete the validation.
- Set Up the Certificate: After being issued, set up the certificate for signing software with the given instructions.
Conclusion
EV Code Signing is the most secure and fastest way to establish a reputation for high stakes use cases. OV Code Signing is a practical, cost-effective solution to standard software needs. Choosing the right certificate depends on the scope and size of your software, your audience, and the security needed. Start your code signing journey with a trusted provider to ensure compliance with industry standards, and trust in your users.
