
Code Signing Price Changes as CAs Align With New Industry Standards

DigiCert & Sectigo code signing certificate pricing is changing as they adopt new CA/B Forum standards

As we reported last year, the Certificate Authority & Browser (CA/B) Forum is requiring enhanced security standards for code signing certificates starting June 1, 2023. The good news: your code will be safer. The bad news: since these changes necessitate additional processes, hardware, and shipping costs, this (as expected) is resulting in a price increase for code signing certificates.

Additionally, we took this opportunity to make our code signing provisioning process better and more user-friendly. So, keep an eye out for some new streamlined workflows on TheSSLstore.com coming very soon; these are expertly designed to make it easy for you to breeze through the new processes. In the meantime, here’s what you can learn to expect with the code signing provisioning and price changes.

Let’s hash it out.

Quick Recap: What are the New CA/B Forum Changes for Code Signing?

You can check out our blog post from 2022 if you want to read the full details, but the TL;DR is:

[Image: an example of a hardware security token.]

Starting June 1, 2023, code signing certificate keys must be stored on a hardware security module or token that’s certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is intended to fight against an increasingly common problem—stolen code signing keys being used to sign and distribute malware.

To meet these new requirements, CAs will (in most cases) ship a compliant hardware token to the customer as part of the code signing product purchase.

DigiCert & Sectigo Increase Prices for Code Signing Certificates

As is often the case, increasing security takes time and money—and that’s certainly the case here. With hardware and shipping costs added to the price of the code signing certificate, Certificate Authorities are introducing new pricing for code signing certificates.

DigiCert

  • DigiCert’s price for OV code signing certificates will stay the same: $539 (MSRP for 1 year)
  • Starting June 1, DigiCert will begin charging an additional $120 for a DigiCert-provided hardware token.

Customers who already have a compliant token, HSM, or key vault may use it instead of purchasing a DigiCert-provided hardware token.

Sectigo

Sectigo is changing their prices in two phases:

  • On March 7, code signing certificate prices were increased to $379 (MSRP for 1 year) from $179.
  • Starting May 8, Sectigo will add a $50 token fee and a $40-90 shipping fee.

Customers may choose not to purchase a token from Sectigo if they have a Thales/SafeNet Luna or NetHSM device, or Yubico FIPS Yubikey (ECC keys only).

Other CAs are also updating their code signing prices—you can expect to see new pricing from all code signing providers by about June 1 at the latest.

What Are These Hardware Tokens?

You might be surprised by the cost of these hardware tokens if you’re comparing them to typical USB flash drives. You might be thinking: “For just a couple bucks, I can get a USB drive with gigabytes of storage…way more than is needed to store a certificate and key. What’s the deal?” However, these aren’t typical USB drives.

The CA/B Forum standards require tokens certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. These tokens include hardware and software features to run cryptographic operations while keeping the key secure—they’re specialized cryptographic devices similar to hardware security modules (HSMs) or Trusted Platform Modules (TPMs).
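The practical consequence of "the key stays on the device" is that application code only ever holds a handle that can sign and a public key that can verify; it never holds private key bytes that could be copied off a workstation. The following Go program, added here as an illustration and not code from The SSL Store, DigiCert or Sectigo, models that split with Go's standard `crypto.Signer` interface, which is the same interface that real PKCS#11 and CNG-backed token drivers implement. The `TokenSigner` type, the sample artifact and the in-memory key are all constructed for the example; a real deployment would replace the in-memory key with a driver call into the token.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// TokenSigner stands in for a hardware token. The private key is held in an
// unexported field with no accessor, so callers can only ask it to sign or
// hand out the public key. This in-memory key is a constructed illustration;
// a real token performs the signing inside its own hardware.
type TokenSigner struct {
	key *ecdsa.PrivateKey
}

// Compile-time check that TokenSigner satisfies crypto.Signer, the interface
// through which Go code talks to HSM- or token-backed keys.
var _ crypto.Signer = (*TokenSigner)(nil)

// NewTokenSigner generates a P-256 key "inside the token" (here: in memory).
func NewTokenSigner() (*TokenSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TokenSigner{key: key}, nil
}

// Public returns the only key material that ever leaves the token.
func (t *TokenSigner) Public() crypto.PublicKey {
	return &t.key.PublicKey
}

// Sign accepts a SHA-256 digest and returns an ASN.1 DER ECDSA signature.
// The check on opts mirrors how a real token refuses mismatched digests.
func (t *TokenSigner) Sign(rng io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts == nil || opts.HashFunc() != crypto.SHA256 || len(digest) != sha256.Size {
		return nil, errors.New("token: only SHA-256 digests are accepted")
	}
	return ecdsa.SignASN1(rng, t.key, digest)
}

// SignArtifact hashes the release artifact and asks the signer for a
// signature. It works for any crypto.Signer, hardware-backed or not.
func SignArtifact(s crypto.Signer, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return s.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifyArtifact is what a consumer of the signed code runs: it needs only
// the public key, never the token.
func VerifyArtifact(pub crypto.PublicKey, artifact, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

func main() {
	signer, err := NewTokenSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample: stands in for the bytes of an installer or binary.
	artifact := []byte("constructed sample installer contents")
	sig, err := SignArtifact(signer, artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature valid:", VerifyArtifact(signer.Public(), artifact, sig))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0xff
	fmt.Println("tampered artifact valid:", VerifyArtifact(signer.Public(), tampered, sig))
}
```

Because `SignArtifact` only depends on `crypto.Signer`, the same build pipeline code runs unchanged whether the signer is this stand-in, a USB token reached through a PKCS#11 driver, or a cloud signing service; swapping the backend does not require touching the code that hashes and verifies artifacts.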

Don’t Want to Mess with Tokens? Switch to a Signing Platform

Code signing platforms such as DigiCert Software Trust Manager store the certificate keys in an HSM. That means you don’t need to worry about hardware tokens—just log in to the platform and sign your code.

Simplify Code Signing

Schedule a demo to see how DigiCert Software Trust Manager makes code signing easy and secure.

[Image: screenshot of the DigiCert Software Trust Manager dashboard.]

All in all, the code signing industry changes are happening and there’s only so much that can be done to minimize the impact. One quick suggestion: purchase a 3-year certificate now and get it issued before the cut-off date, and you won’t have to deal with tokens for the next few years.

If you have any further questions, please reach out to our team and we will help you navigate the new processes.

Author

Bill Grueninger

Bill is a veteran of the SSL industry, with more than 15 years of experience helping businesses navigate the challenges of PKI. He's currently CEO of The SSL Store.