A code signing certificate is a type of digital certificate that helps identify and authenticate a software provider to end users. It is issued by a trusted Certificate Authority (CA) and includes information such as the name and location of the organization distributing the software, the public key associated with the organization’s identity, and a timestamp (recording the time of signing).
There are different types of code signing certificates based on the level of trust and the intended use. The two main types for public trust include:
Standard Code Signing Certificates:
This is the default type of code signing certificate and involves basic validation of the publisher or developer by the CA. To obtain a standard code signing certificate, software publishers must meet basic requirements such as a minimum key length, a maximum validity period, and time stamping of digital signatures.
EV Code Signing Certificates:
EV (Extended Validation) code signing certificates involve a higher level of validation and vetting of the software publisher by the CA and are usually issued on a hardware token for an additional layer of security. To obtain an EV certificate, software publishers must meet, in addition to the basic requirements of standard certificates, much more stringent requirements – for example, keeping private keys in a Hardware Security Module (HSM) that is compliant with FIPS (Federal Information Processing Standards) 140 Level-2 or equivalent.
EV code signing certificates build on the existing benefits of standard code signing certificates to offer stronger levels of assurance that the identity of the publisher is correct and has been verified.
Public Trust Certificates:
Public trust certificates are issued by well-known and established Certificate Authorities (CAs), such as DigiCert, GlobalSign, and Sectigo, that are widely recognized by most operating systems and browsers. These certificates provide a higher level of trust and assurance to end users because they are issued by recognized and trusted CAs after stringent verification processes. This is also why public trust certificates generally come at a higher cost, with pricing that varies by certificate type and level of authentication.
Software signed with public trust certificates is more likely to be trusted by default on various platforms, reducing the likelihood of security warnings for users when installing or running the software. Public trust certificates are suitable for distributing software on the internet, where the users may not have any direct relationship with the software vendor.
Private Trust Certificates:
Private trust certificates are issued by Certificate Authorities that are managed and controlled internally by the organization itself. These CAs are not publicly recognized.
Since private CAs are not publicly recognized, private trust certificates are not trusted by default on external platforms and browsers. Private trust certificates are more suitable for signing and distributing internal applications and software within a controlled environment, such as within an organization. Further, private trust certificates can be more cost-effective compared to public trust certificates, as they don’t carry the same level of reputation and global recognition.
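The trust-store behaviour described above, as an added example that is not code from this article: a throwaway private CA built with OpenSSL issues a code signing certificate, a file is signed with it, and the signature verifies only against a trust store that contains the private root. The second root stands in for a CA the platform does trust but that did not issue the certificate; all names, paths and the sample artifact are constructed.

```shell
#!/bin/sh
# Added example, not code from the article: a private CA issues a code signing
# certificate, a file is signed, and verification is run against trust stores
# that do and do not contain the private root. All names are constructed.
set -eu

make_root() {  # make_root <dir> <name>: self-signed root, the "internally managed CA"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example Corp/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue_codesign_cert() {  # issue_codesign_cert <dir> <root name>: leaf cert for the publisher
  # The subject carries the publisher's name and location, as the article describes.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=California/L=San Jose/O=Example Corp/CN=Example Corp Code Signing" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  # extendedKeyUsage=codeSigning restricts the certificate to this one purpose.
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=critical,codeSigning\n' >"$1/leaf.ext"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$1/leaf.ext" -out "$1/leaf.pem" 2>/dev/null
}

sign_artifact() {  # sign_artifact <dir> <file>: detached CMS (PKCS#7) signature in <file>.p7s
  openssl cms -sign -binary -md sha256 -in "$2" -signer "$1/leaf.pem" \
    -inkey "$1/leaf.key" -outform DER -out "$2.p7s" 2>/dev/null
}

verify_artifact() {  # verify_artifact <trust store PEM> <file>: 0 only if the signer chains to the store
  # The PEM stands in for the platform's root store. -purpose any is needed because
  # cms -verify otherwise expects an S/MIME signing certificate and rejects codeSigning.
  openssl cms -verify -binary -inform DER -in "$2.p7s" -content "$2" \
    -CAfile "$1" -purpose any -out /dev/null >/dev/null 2>&1
}

has_codesign_eku() {  # has_codesign_eku <cert PEM>: 0 if the EKU lists Code Signing
  openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

# Demo with a constructed artifact: only the store holding the private root accepts the signature.
T=$(mktemp -d); printf 'constructed sample installer bytes\n' >"$T/app.bin"
make_root "$T" private-root; make_root "$T" other-root
issue_codesign_cert "$T" private-root; sign_artifact "$T" "$T/app.bin"
verify_artifact "$T/private-root.pem" "$T/app.bin" && echo "trusted: store contains the private root"
verify_artifact "$T/other-root.pem" "$T/app.bin" || echo "not trusted: store lacks the private root"
rm -rf "$T"
```

Appending the private root to the other store (as an organization does when it distributes its root to managed endpoints) makes the same signature verify, and any modification of the artifact after signing makes verification fail again.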
In summary, the main difference lies in the level of trust and the scope of distribution. Public trust certificates provide a higher level of assurance and are recognized by a broader range of platforms and users. Private trust certificates are more suitable for controlled environments where the organization can manage trust settings and where the added cost of public trust might not be necessary. The choice between public and private trust certificates depends on factors such as the intended audience, the level of trust required, and the distribution context of the signed software.