Windows EV code signing without hardware token?

After the suggestion here in the forums from Thom M., about a month ago I went down the path of ssl.com. On a side note, as everyone says, give yourself lots of time to get through the process.

I just wrapped things up a week or so ago and there are lots of discoveries. Although I can’t say whether or not Sectigo’s products or offerings are the same, my guess is that they may offer something similar.

The first thing I discovered is that, after I got through the validation process, I was offered three solutions for getting my cert, one of which I was completely unaware of and which wasn’t documented in ssl.com’s marketing documentation. Of course, as Tom C. mentioned and others have spoken to in other threads, the first option is to pay for a USB token and have this shipped to you. Cost as of this writing from ssl.com is $249, which seems rather pricey IMHO.

The second option, the one Greg talks to, is what ssl.com calls eSigner.com Cloud Signing. This option includes a free 30-day trial but then moves into a subscription cost thereafter, which for an EV cert looks to run $100 a month and only allows for 20 signings in this period before additional charges accumulate. This definitely makes the USB token appear to be a steal.

The third option, and the one I went with, is the ability to bring your own YubiKey FIPS token and go through an attestation process with ssl.com, where you can generate your certificate for your YubiKey token and install it. I was pleasantly surprised that ssl.com offers this option, especially as their marketing collateral never mentioned this as a possibility and I only found out about it once I was almost entirely through the ssl.com process. From my own internal testing, this mostly works fine (see one gotcha below), and I was pleasantly surprised to see my Inno Setup, or should I say signtool.exe, hit some OS level flag and get prompted by the OS for my PIN for signing via the token. Cost of this option was $80 directly from Yubico, and forewarning that, at least a week ago, if you tried to Amazon said key you got a non-FIPS token which isn’t compatible with this process (I learned this the hard way). During the purchase process, Yubico did recommend getting multiple keys so that you can have a backup. I personally did not, as ssl.com, from what I can tell, only allows you to do attestation against a single token. But who knows, they might allow more than one in their backend system (as I believe they do for the $249 purchased version, where you can buy multiple). Theoretically, in the house-burned-down scenario, one could simply switch to the eSigner process temporarily or permanently, or just buy a new YubiKey and go through the attestation and certificate install process again.

One gotcha with this process that I wasn’t aware of is that if you’re using Microsoft Remote Desktop to access the Windows machine that has the token inserted, everything will fail. Even though you might have the smart card passthrough functionality turned off in your RDC session, something in Remote Desktop continues to latch on and make the token unavailable for use. After some online searches, the solution is to use VNC, not MS Remote Desktop, in this scenario. It’s a bit more of a hassle, but this works just fine.

Two other semi-related notes. I ended up going with ssl.com instead of other vendors as they were one of the less expensive options and offer a “10 year cert”. Technically though it’s a 3-year cert that keeps renewing for 10 years.

The other thing to note is that I called ssl.com several times during the process and always had someone pick up the phone who was solely an answering service. I never once, in my U.S. West Coast timeframe, got someone who picked up who didn’t want to take a message to have someone else contact me back later. I generally did get a response within 24 hours, but said individuals, from what I could tell, were not based in the U.S., as responses were in the 3AM-12PM Pacific timeframe. So although ssl.com states they’re located in Houston, TX, be aware that your sole support lifeline will be via email, outside of the U.S. and generally not in U.S. working hours. This is also why I mentioned to give yourself lots of time, in my case weeks, to get through the process. Every support question/email has a one-day turnaround, which means several days to get through an issue. For me personally, the process took just over a month, but in full transparency most of this time was simply working with Dun & Bradstreet to get my record correct for the validation process. Theoretically, if you skipped the D&B validation process and did something like Google Business, which ssl.com supports, the whole process is likely to take 1-2 weeks if you’re a newbie.

Sorry for the novella and hope this helps Tom C. and others down the road.
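A pre-flight wrapper for the signing step described in the post above, added here as an example and not code from the original poster, ssl.com or Yubico. It refuses to run inside a Remote Desktop session (the RDP gotcha), checks that the token-backed certificate is visible with a private key, signs with signtool, and then verifies the result against that same certificate. It assumes signtool.exe is on PATH, that the YubiKey minidriver exposes the certificate in the CurrentUser\My store, and that the subject name and timestamp URL below are placeholders you replace with your own.

```powershell
# Added example (not from the original post). Assumptions: signtool.exe on PATH,
# EV cert visible in Cert:\CurrentUser\My via the YubiKey minidriver, and the two
# defaults below are placeholders, not real values from the post.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $SubjectName  = "Example Corp",             # placeholder: your EV cert subject CN
    [string] $TimestampUrl = "http://timestamp.example"  # placeholder: your CA's RFC 3161 URL
)

# 1. Refuse to run under Remote Desktop: the token is not reachable there,
#    so fail early with a clear message instead of a cryptic signtool error.
Add-Type -AssemblyName System.Windows.Forms
if ([System.Windows.Forms.SystemInformation]::TerminalServerSession -or $env:SESSIONNAME -like 'RDP-*') {
    throw "Running inside a Remote Desktop session; the hardware token will not be available. Use the console or VNC."
}

# 2. Confirm the certificate is present with a private key (the minidriver
#    presents the YubiKey-held key as a non-exportable private key).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key for '$SubjectName' found in CurrentUser\My. Is the token inserted?"
}

# 3. Sign. signtool picks the cert by subject name; the OS prompts for the PIN.
& signtool.exe sign /fd SHA256 /tr $TimestampUrl /td SHA256 /n $SubjectName /v $FilePath
if ($LASTEXITCODE -ne 0) {
    throw "signtool.exe failed with exit code $LASTEXITCODE"
}

# 4. Verify independently of signtool: the signature must chain as Valid and
#    the signer must be exactly the token-held certificate checked in step 2.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Post-sign verification failed: status=$($sig.Status), signer=$($sig.SignerCertificate.Thumbprint)"
}
"Signed and verified: $FilePath (signer thumbprint $($cert.Thumbprint))"
```

Run it as `.\sign-with-token.ps1 -FilePath .\setup.exe` from a local console or VNC session; Inno Setup's SignTool directive can point at the same script.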
