Code signing certificates ensure that code cannot be tampered with. They prevent malicious tampering with code to protect end-users.

Similarly, TLS/SSL certificates establish an encrypted connection between a browser or user’s computer and a server or website to protect end-users.

However, they are not the same thing and cannot be used interchangeably.

What is a code signing certificate?

Code signing certificates are used to authenticate the software developer or publisher of the software and to ensure that the software has not been altered or compromised. Software developers can use code signing certificates to digitally sign applications, drivers, executables and software programs as a way for end-users to verify that the code they receive has not been compromised by a third party. They include your signature, your company’s name and, if desired, a timestamp.

What is a TLS/SSL certificate?

SSL (secure sockets layer) is the standard technology for securing an internet connection by encrypting data sent between a website and a browser (or between two servers). SSL certificates prevent hackers from seeing or stealing any information transferred, including personal or financial data.

TLS (transport layer security) is an updated, more secure version of SSL. Some still refer to security certificates as SSL because it’s a more common term, but when you buy from DigiCert, you get the most trusted, up-to-date TLS certificates.

Can I use a TLS certificate for code signing?

TLS certificates cannot be used for code signing. You must use separate certificates for code signing and for TLS.

Difference between code signing certificates and TLS certificates

Code signing certificates are used to digitally sign code and guarantee its integrity from the time of signing, while TLS certificates encrypt communication between a client and server. However, both are used to protect end-users and companies.

If you don’t use these certificates, end-users will get warning messages that could prevent them from using your services.

• If a user tries to download software that is not signed using a code signing certificate, then it will be flagged and a warning message will pop up.
• If a user visits a website without a TLS certificate, the browser will display a “not secure” message next to the URL.

Do I need a code signing certificate?

You need a code signing certificate when deploying software and updates to protect your intellectual property, protect end-users, and meet industry and platform requirements.

Code signing certificates allow customers to verify that your code is authentic and has not been tampered with — protecting both you and your customers against fraud, malware and theft. Your customers expect a smooth and professional installation process when they download your software. Digitally signed programs can avoid warning messages during download and installation for better adoption.

Additionally, the partners, channels and platforms that distribute software expect you to safeguard their customers’ data and will require or expect code signing best practices.

Types of code signing certificates

DigiCert offers both code signing and EV code signing certificates. Code signing certificates offer an encrypted digital signature, while Extended Validation (EV) code signing certificates include all the standard benefits of digitally signed code plus a rigorous vetting process and two-factor authentication security requirement, so your users can have even greater confidence in the integrity of your applications. Plus, for Microsoft Defender SmartScreen Reputation filter, an EV code signing certificate gains you automatic trusted status to reduce warning messages and increase end-user trust.

How to manage code signing certificates

If not managed properly, code signing can put your business at great risk. Incidents like the SolarWinds attack are good examples of the consequences of poorly implemented code signing practices.

Studies show that over half of IT security professionals are worried about cybercriminals stealing or forging certificates to sign code or applications, yet less than a third consistently enforce code signing policies. To make code signing management simpler, DigiCert has innovative solutions for today’s enterprises.

DigiCert^® Software Trust Manager in DigiCert ONE™ is a modern way of managing code signing, by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management. DigiCert Software Trust Manager supports code signing best practices like unique key and certificate per signing for private signing, on-demand keys and rotating keys. DigiCert Software Trust Manager is compatible with most popular platforms and libraries, like Docker, Microsoft Authenticode, Java, OpenSSL and Android. Using DigiCert Software Trust Manager, enterprises integrate code into their product development processes easily while delegating cryptographic operations, signing activities and management in a controlled, auditable way.