When you release software into the world — whether it’s a desktop application, a driver, a mobile app, or even a simple script — one of your biggest challenges is building trust. Users want to know that your software is legitimate, hasn’t been tampered with, and comes from a real, verified publisher.
This is where code signing certificates — and specifically, DigiCert Code Signing Certificates — come in.
DigiCert is one of the most respected names in digital security, trusted by developers, enterprises, and large brands worldwide. But if you’re new to code signing or exploring DigiCert as your provider, you probably have plenty of questions: How does it work? Do you need EV or OV? What if you lose your key? How does SmartScreen reputation come into play?
Below is a comprehensive guide answering the most common questions developers, IT teams, and software publishers ask about DigiCert Code Signing — all explained clearly in one place.
What is a DigiCert Code Signing Certificate?
A DigiCert Code Signing Certificate is a digital certificate that lets you digitally sign your software or code.
When you sign an application, driver, script, or installer, you’re adding a cryptographic signature that:
- Proves your identity as the publisher.
- Shows the code hasn’t been altered since you signed it.
- Helps operating systems and browsers trust your software.
Think of it like sealing an envelope with a wax stamp — it’s proof that what’s inside really came from you and wasn’t opened and changed by someone else.
Why Should I Use DigiCert for Code Signing?
DigiCert is widely trusted because:
- It’s recognized by all major operating systems, browsers, and security software.
- It offers strong identity vetting, which is crucial for Extended Validation (EV) code signing.
- It helps your software get through Microsoft SmartScreen more easily.
- Their certificates work for signing apps for Windows, macOS, drivers, mobile apps, scripts, and more.
- DigiCert’s support and validation process are among the most reliable in the industry.
If your software needs maximum trust and you want to avoid OS warnings that scare away users, DigiCert is a top-tier choice.
What’s the Difference Between OV and EV Code Signing?
DigiCert offers two main levels: Organization Validation (OV) and Extended Validation (EV).
OV Code Signing requires DigiCert to verify that your business is legitimate. Once approved, you can sign software to prove it’s from your company.
EV Code Signing goes further. DigiCert performs stricter checks, confirms your legal entity with more documents, and issues the certificate on a secure hardware token.
Why does this matter?
- EV Code Signing is the only way to bypass Microsoft SmartScreen’s reputation hurdles immediately.
- If you sign Windows drivers for WHQL submission, EV is mandatory.
- EV offers stronger security because your private key is stored on a physical USB token.
Do I Really Need EV Code Signing?
It depends on what you’re signing.
- If you’re signing standard desktop applications for Windows, OV may be enough, but SmartScreen might still show warnings until you build up download reputation.
- If you’re signing Windows drivers, you must have EV to submit them to Microsoft.
- If you want to skip SmartScreen reputation delays and look more professional right away, EV is highly recommended.
How Long Does It Take to Get a DigiCert Code Signing Certificate?
For OV Code Signing, it usually takes 1–3 business days if you have your business paperwork ready and DigiCert can verify your identity quickly.
For EV Code Signing, it can take 3–5 business days on average because of the extra validation steps. You’ll also need to wait for the physical USB token to arrive by courier.
How Do I Use a DigiCert Code Signing Certificate?
Once you’re approved:
- Download your certificate (OV) or plug in your hardware token (EV).
- Use a signing tool like Microsoft SignTool, Visual Studio, or Apple’s codesign for Mac.
- Run the signing command to attach your digital signature to your software.
- Use DigiCert’s timestamp server to ensure your signature stays valid even after the certificate expires.
For EV, your signing tool must detect the USB token plugged into your machine — without it, you can’t sign.
What Happens if My Private Key Gets Lost or Stolen?
This is serious. If someone gets access to your private key, they could sign malicious software pretending to be you.
If you suspect your key is compromised:
- Revoke your certificate immediately through your DigiCert account.
- Issue a replacement certificate and re-sign your software.
- Timestamp your signed files properly so already-signed builds stay trusted.
This is why EV keys must stay on hardware tokens — it’s much harder for hackers to steal them.
What is Timestamping and Why is it Important?
Timestamping is crucial for any code signing.
When you sign software, you should also add a timestamp using DigiCert’s trusted timestamp server. This tells operating systems that your signature was valid at the time of signing.
Even if your certificate later expires or is revoked, your timestamped files remain trusted and installable. Without a timestamp, old signed builds may break after your certificate expires.
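The signing and timestamping steps described above, as an added example (not from DigiCert or the original article): a PowerShell script that signs a build with SignTool, requests a timestamp, and then fails the release if the signature or the timestamp is missing. The file path is a placeholder, signtool.exe from the Windows SDK is assumed to be on PATH, and the certificate is assumed to be in the Windows certificate store or on a connected token.

```powershell
# Added example: sign a build, timestamp it, and verify both before release.
# Assumptions: signtool.exe is on PATH; $File is a placeholder build output;
# the signing certificate is in the certificate store or on a plugged-in token.
$ErrorActionPreference = 'Stop'
$File         = '.\dist\MyApp.exe'               # hypothetical path
$TimestampUrl = 'http://timestamp.digicert.com'  # DigiCert timestamp service

# /a  select the best available signing certificate automatically
# /fd file digest algorithm
# /tr RFC 3161 timestamp server, /td digest algorithm for the timestamp
& signtool sign /a /fd SHA256 /tr $TimestampUrl /td SHA256 $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed (exit code $LASTEXITCODE)"
}

# /pa use the default Authenticode verification policy
# /tw warn (non-zero exit code) when the signature carries no timestamp
& signtool verify /pa /tw /v $File
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed or warned (exit code $LASTEXITCODE)"
}

# Second, independent check using the built-in Authenticode cmdlet.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if (-not $sig.TimeStamperCertificate) {
    # Without a timestamp the signature stops validating when the cert expires.
    throw 'Signature has no timestamp countersignature'
}

# Record who signed and who timestamped, for the release log.
[pscustomobject]@{
    File        = (Resolve-Path $File).Path
    Signer      = $sig.SignerCertificate.Subject
    CertExpires = $sig.SignerCertificate.NotAfter
    Timestamper = $sig.TimeStamperCertificate.Subject
}
```

Running the verification half of the script against every artifact in a release pipeline catches builds that were signed while the timestamp server was unreachable.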
Can I Use DigiCert to Sign Mac Apps?
Yes — but with a catch.
To distribute apps to the public on macOS, you still need to use Apple’s Developer ID Certificate for Gatekeeper trust and notarization.
However, DigiCert is very useful for:
- Cross-platform developers who want a single CA for Windows and macOS.
- Enterprise apps distributed internally.
- Browser plugins that need trust beyond the App Store.
- Developers who want consistent signing policy across Windows, Linux, and Mac.
For public macOS apps, sign with Apple Developer ID, notarize with Apple, and optionally use DigiCert for consistency across other builds.
What Does a DigiCert Code Signing Certificate Cost?
Pricing varies, but DigiCert is usually on the premium end of the market:
- OV Code Signing typically starts around $400–$500 per year.
- EV Code Signing is higher, usually around $600–$700 per year, partly because it includes the secure hardware token.
For many companies, the price is worth it for the trust, support, and SmartScreen advantage.
How Do I Renew My DigiCert Code Signing Certificate?
Renewal is simple:
- Log in to your DigiCert account.
- Order a renewal before your certificate expires.
- Complete any required validation steps (usually faster if nothing has changed).
- Download the new certificate or wait for your new EV token if needed.
- Start signing with your new certificate and revoke the old one if appropriate.
Pro tip: Renew early — overlapping your old and new cert avoids signing delays.
How Can I Get Support if I Have an Issue?
DigiCert’s customer support is well regarded. If you run into installation problems, signing errors, or validation questions, you can:
- Open a support ticket through your DigiCert dashboard.
- Use live chat for quick help.
- Call DigiCert directly — they have dedicated reps for code signing customers.
Conclusion
Code signing doesn’t just protect your software — it protects your brand. A DigiCert Code Signing Certificate tells your users that you’re legitimate, your code is safe, and you take security seriously.
Whether you’re a solo developer, a small software house, or an enterprise with complex signing needs, knowing how code signing works — and choosing the right certificate — will help you release software that earns trust, bypasses SmartScreen, clears Gatekeeper, and installs cleanly every time.