EV Code Signing Certificates provide the highest level of validation in the Authenticode certificate world. EV stands for Extended Validation, while standard code signing certificates are referred to as OV, or Organization Validation, level certificates.
The CA/B Forum, along with Microsoft, maintains the guidelines that dictate how EV and OV code signing certificates are issued by all CAs (Certificate Authorities) like Sectigo (formerly Comodo). Because Sectigo has long followed validation procedures that exceeded the requirements set forth by Microsoft and the CA/B Forum for OV code signing certificates, current customers of ours that have an OV level certificate will be pleased to know that the EV validation procedure is not much different from Sectigo's validation procedure for standard OV level code signing certificates. With very few exceptions, if you qualify for an OV cert then you qualify for an EV cert. The only exception is that EV certificates cannot be issued directly to an individual, though they can be issued to registered sole proprietorships.
What are the differences between OV and EV level code signing certificates?
EV Code Signing Certificates | OV Code Signing Certificates |
---|---|
Instant reputation with SmartScreen, Microsoft's reputation-based scanner (the scanner that shows the 'This file might harm your computer...' message). | Allows reputation to build organically as files are downloaded. See our SmartScreen tutorial for the details. |
Require two-factor authentication, meaning they are distributed on an encrypted hardware token that is required for signing. | The certificate is stored in an encrypted file on the purchaser's computer and remains portable to other computers by simply copying the file. |
Required for Windows 10 kernel mode driver signing. | Can sign drivers for Windows versions before Windows 10. |
Both EV code signing certificates and OV code signing certificates are trusted on virtually every platform (and browser, where applicable). | |
Who needs an EV level code signing certificate?
While anyone can use them for Authenticode signing, the only hard requirement for an EV code signing certificate is for Windows 10 kernel-mode driver signing (and even then, only in the Creators Update). The instant reputation with SmartScreen is nice as well, though if you follow our SmartScreen tutorial you can gain reputation with SmartScreen very quickly and easily with an OV level code signing certificate. Microsoft may introduce extra benefits for EV code signing certificates in the future as well.