Code Signing Price Changes as CAs Align With New Industry Standards

DigiCert & Sectigo code signing certificate pricing is changing as they adopt new CA/B Forum standards

As we reported last year, the Certificate Authority & Browser (CA/B) Forum is requiring enhanced security standards for code signing certificates starting June 1, 2023. The good news: your code will be safer. The bad news: since these changes necessitate additional processes, hardware, and shipping costs, this (as expected) is resulting in a price increase for code signing certificates.

Additionally, we took this opportunity to make our code signing provisioning process better and more user-friendly. So, keep an eye out for some new streamlined workflows on Itbrands.pk coming very soon; these are expertly designed to make it easy for you to breeze through the new processes. In the meantime, here’s what you can expect from the code signing provisioning and price changes.

Let’s hash it out.

Quick Recap: What are the New CA/B Forum Changes for Code Signing?

The TL;DR is:

Starting June 1, 2023, code signing certificate keys must be stored on a hardware security module or token that’s certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is intended to fight against an increasingly common problem—stolen code signing keys being used to sign and distribute malware.

To meet these new requirements, CAs will (in most cases) ship a compliant hardware token to the customer as part of the code signing product purchase.

DigiCert & Sectigo Increase Prices for Code Signing Certificates

As is often the case, increasing security takes time and money—and that’s certainly the case here. With hardware and shipping costs added to the price of the code signing certificate, Certificate Authorities are introducing new pricing for code signing certificates.

DigiCert

  • DigiCert’s price for OV code signing certificates will stay the same: $539 (MSRP for 1 year)
  • Starting June 1, DigiCert will begin charging an additional $120 for a DigiCert-provided hardware token.

Customers who already have a compliant token, HSM, or key vault may use it instead of purchasing a DigiCert-provided hardware token.

Sectigo

Sectigo is changing their prices in two phases:

  • On March 7, code signing certificate prices were increased to $379 (MSRP for 1 year) from $179.
  • Starting May 8, Sectigo will add a $50 token fee and a $40-90 shipping fee.

Customers may choose not to purchase a token from Sectigo if they have a Thales/SafeNet Luna or NetHSM device, or Yubico FIPS Yubikey (ECC keys only).

Other CAs are also updating their code signing prices—you can expect to see new pricing from all code signing providers by about June 1 at the latest.

What Are These Hardware Tokens?

You might be surprised by the cost of these hardware tokens if you’re comparing them to typical USB flash drives. You might be thinking: “For just a couple bucks, I can get a USB drive with gigabytes of storage…way more than is needed to store a certificate and key. What’s the deal?” However, these aren’t typical USB drives.

The CA/B Forum standards require tokens certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. These tokens include hardware and software features to run cryptographic operations while keeping the key secure—they’re specialized cryptographic devices similar to hardware security modules (HSMs) or Trusted Platform Modules (TPMs).

Don’t Want to Mess with Tokens? Switch to a Signing Platform

Code signing platforms such as DigiCert Software Trust Manager store the certificate keys in an HSM. That means you don’t need to worry about hardware tokens—just log in to the platform and sign your code.

All in all, the code signing industry changes are happening and there’s only so much that can be done to minimize the impact. One quick suggestion: purchase a 3-year certificate now and have it issued before the cut-off date, and you won’t have to deal with tokens for the next few years.

If you have any further questions, please reach out to our team and we will help you navigate the new processes.