Posted on February 2026 by ivanrjlg
If you’re a Business Central developer publishing apps on Microsoft AppSource, you know the drill: every extension must be digitally signed with a valid code signing certificate. And if you’re like me, you’ve probably been paying more than you need to.
My team’s GlobalSign Code Signing HSM certificate was about to expire—at $434/year. That price felt steep, so I decided to do a deep dive into the market to find a more affordable alternative that still meets all of Microsoft’s requirements. This post shares everything I found, so you don’t have to go through the same research process.
Table of Contents
- What Microsoft Actually Requires
- The Hardware Mandate That Changed Everything
- Provider Comparison Table
- Top 3 Alternatives to GlobalSign
- Important Industry Changes Coming in 2026
- Practical Signing Workflow for Business Central
- Conclusion and Recommendation
What Microsoft Actually Requires
Before comparing providers, let’s be crystal clear about the requirements. Microsoft’s documentation for signing Business Central app packages and the AppSource code-signing validation FAQ specify the following:
- Certificate type: Code Signing Certificate (Authenticode), not SSL/TLS.
- Validation level: Organization Validation (OV) minimum. Domain Validation (DV) alone is not sufficient.
- Algorithm: SHA-256 minimum.
- Issuer: A Certificate Authority (CA) whose root is part of the Microsoft Trusted Root Certificate Program.
- EV is NOT required: As of August 2024, Microsoft no longer distinguishes between OV and EV code signing certificates. SmartScreen reputation no longer gives EV any advantage. So there’s zero benefit to paying the EV premium for AppSource purposes.
This last point is critical: if someone tells you that you need an EV certificate for AppSource, that information is outdated. What matters is that the certificate carries the Code Signing EKU, is OV or better, is signed with SHA-256 or stronger, and chains to a root in Microsoft's program.
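The requirements above are easy to check before you buy hardware or open a support ticket. The PowerShell function below is an added example, not from the original post or from Microsoft's documentation: it looks a certificate up by thumbprint in the Windows certificate store (where SimplySign, a USB token or a locally installed certificate surfaces it), then checks the Code Signing EKU, the signature algorithm, the validity window, the presence of a private key, and whether the chain builds to a root the machine trusts for code signing. The function name, the store path and the thumbprint placeholder are my own assumptions. Building a chain on an up-to-date Windows machine is the practical offline proxy for "root in the Microsoft Trusted Root Program"; it does not prove OV versus DV, which the CA's validation process determines.

```powershell
# Added example, not from the original post: pre-flight check that a certificate in the
# Windows certificate store meets the AppSource code-signing requirements listed above.
# Store path, function name and thumbprint value are assumptions / placeholders.

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning (Authenticode)

function Test-AppSourceSigningCert {
    param(
        [Parameter(Mandatory)][string] $Thumbprint,
        [string] $StorePath = 'Cert:\CurrentUser\My'   # where SimplySign / USB tokens expose the cert
    )

    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $problems = @()

    # 1. Code signing certificate, not SSL/TLS: Enhanced Key Usage must contain id-kp-codeSigning.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $CodeSigningEku) {
        $problems += 'EKU does not include Code Signing (1.3.6.1.5.5.7.3.3)'
    }

    # 2. SHA-256 or stronger. This is the algorithm the CA used on the certificate itself;
    #    the digest of the .app is chosen separately at signing time (signtool /fd).
    if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha(256|384|512)') {
        $problems += "Certificate signed with $($cert.SignatureAlgorithm.FriendlyName); SHA-256 minimum required"
    }

    # 3. Validity window, plus an early warning so renewal does not surprise you.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Not valid at $now (NotBefore $($cert.NotBefore), NotAfter $($cert.NotAfter))"
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter)"
    }

    # 4. A private key must be reachable. Under the hardware mandate it lives on a token or in
    #    a cloud HSM, so HasPrivateKey reports a key handle, not a local .pfx file.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key associated with this certificate' }

    # 5. Chain must build to a root trusted for code signing. Windows distributes roots from
    #    the Microsoft Trusted Root Program, so this is the practical offline check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $codeSigningOid = New-Object System.Security.Cryptography.Oid -ArgumentList $CodeSigningEku
    $chain.ChainPolicy.ApplicationPolicy.Add($codeSigningOid) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)
    $rootSubject = '<chain not built>'
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    if (-not $chainOk) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain does not build: $status"
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Root     = $rootSubject
        NotAfter = $cert.NotAfter
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (placeholder thumbprint):
# Test-AppSourceSigningCert -Thumbprint '<certificate_thumbprint>' | Format-List
```

Run it once against the certificate you are about to buy a token or cloud subscription for; a `Problems` list that names the EKU or the chain tells you the product you were sold is not an Authenticode code signing certificate, which is cheaper to learn before the AppSource validation step than during it.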
The Hardware Mandate
If you haven’t purchased a code signing certificate since mid-2023, you’re in for a surprise. The CA/Browser Forum’s Ballot CSC-13 now requires all code signing private keys (including OV, not just EV) to be stored on FIPS 140-2 Level 2 certified hardware.
What does this mean in practice?
- No more .pfx downloads. The days of getting a simple file-based certificate for $70-80/year are over.
- You need either: a physical USB hardware token (like a YubiKey or SafeNet), a cloud-based HSM service (like Certum SimplySign, SSL.com eSigner, or Azure Key Vault), or a managed service (like Azure Artifact Signing).
- This adds cost. Hardware tokens run $90-250, and cloud signing services charge monthly or annual fees.
This mandate fundamentally reshaped the market and is the reason why the cheapest certificates are no longer as cheap as they used to be.
Provider Comparison Table
Here’s a comprehensive comparison of the major providers. The “Total Year 1” column includes any one-time hardware or setup costs. The “Per-Year (3yr)” column shows the amortized annual cost if you commit to a 3-year term.
| Provider | Cert (1yr) | Token / Cloud Cost | Total Year 1 | Per-Year (3yr) | Cloud Signing? |
|---|---|---|---|---|---|
| Azure Artifact Signing | ~$120/yr | $0 (included) | ~$120 | ~$120 | ✅ Azure native |
| Certum Cloud (via SSLmentor) | $167 | $0 (SimplySign) | ~$167 | ~$108 | ✅ SimplySign |
| Certum Cloud (direct, EUR) | ~€209 (~$225) | $0 (SimplySign) | ~$225 | ~€139/yr | ✅ SimplySign |
| SSL.com + eSigner | $129 | $180/yr (eSigner) | ~$309 | ~$290 | ✅ eSigner |
| SSL.com + YubiKey | $129 | $249 one-time | ~$378 | ~$193 avg | ❌ Physical |
| Sectigo/Comodo (reseller) | ~$226/yr | $0–$90 (token) | ~$316 | ~$226–256 | ❌ Varies |
| DigiCert (reseller) | $370–411 | $120 (token) | ~$490–531 | ~$380+ | ✅ KeyLocker (extra) |
| GlobalSign (current) | ~$434 | Included (HSM) | ~$434 | 1-yr only | ✅ Azure KV |
Note: All providers listed have root certificates trusted by Microsoft and support Authenticode signing. Prices were verified in early 2026 and may vary.
Top 3 Alternatives
1. Azure Artifact Signing (formerly Trusted Signing)
Cost: $9.99/month (~$120/year) | Savings vs GlobalSign: ~72%
Microsoft’s own Azure Artifact Signing (formerly Trusted Signing) is a fully managed cloud service. It runs on Microsoft’s FIPS 140-2 Level 3 infrastructure, uses the standard signtool.exe, and requires no hardware tokens at all.
A fellow BC developer, Miljan Milosavljević, documented successfully using it for AppSource submissions in December 2024, which confirms it works for our use case.
The catch: As of early 2025, Microsoft restricted new onboarding to organizations based in the USA or Canada with 3+ years of verifiable operating history. Verification involves business registration records, tax history, and possibly a DUNS number. If your company qualifies, this is the cheapest and most native option available.
Pros:
- Cheapest ongoing cost
- Zero hardware hassle
- Native Microsoft ecosystem integration
- Works with signtool.exe
Cons:
- Geographic and company-age restrictions for new enrollment
- Not yet mentioned in official BC documentation (works in practice though)
- Still in preview—availability could change
2. Certum Standard Code Signing in the Cloud
Cost: $108–249/year (depending on channel) | Savings vs GlobalSign: up to 75%
Certum, operated by Poland-based Asseco Data Systems S.A., offers the cheapest traditional OV code signing certificate on the market. Their standout feature is SimplySign—a free cloud-based signing service that presents your certificate as a virtual smart card in Windows. This means it works directly with signtool.exe using standard Authenticode commands, no USB token needed.
Pricing varies significantly by channel:
| Channel | 1-Year | 2-Year | 3-Year |
|---|---|---|---|
| Certum direct (EUR) | ~€209 (~$225) | Lower | ~€139/yr |
| Certum direct (USD) | $249 | — | — |
| SSLmentor (reseller) | $167 | $124/yr | $108/yr |
Certum’s root certificates (Certum Trusted Network CA) are confirmed participants in the Microsoft Trusted Root Certificate Program, and their certificates explicitly support Microsoft Authenticode and SHA-256.
Pros:
- Cheapest traditional certificate option
- SimplySign cloud signing included (free)
- Compatible with signtool.exe
- Multi-year pricing available (for now)
Cons:
- SimplySign sessions time out after ~2 hours (requires mobile app re-auth)
- CI/CD automation requires workarounds for TOTP authentication
- No Business Central-specific community testimonials found (though technically sound)
- Signing capped at 5,000 operations/month
3. SSL.com
Cost: $129/year (cert only) + signing method | Savings vs GlobalSign: ~30-55%
SSL.com offers OV code signing at $129/year with two key storage options:
- YubiKey FIPS token: $249 one-time purchase for physical signing
- eSigner cloud service: Starting at $180/year for 240 annual signatures, with CI/CD integration and malware scanning
SSL.com is a US-based CA with polished infrastructure and good documentation. The eSigner service is more mature than Certum’s SimplySign for automated workflows.
Pros:
- US-based CA with strong support
- Flexible signing options (physical or cloud)
- eSigner includes malware scanning
- Good CI/CD integration
Cons:
- Higher total cost than Certum when including eSigner fees
- YubiKey adds significant upfront cost
- eSigner’s base tier (240 signatures/year) may be limiting for active development
Important Industry Changes Coming in 2026
Two major shifts are happening that affect your purchasing decision right now:
Maximum Certificate Validity Is Shrinking
Effective March 1, 2026, the maximum code signing certificate validity drops from 39 months to 460 days (~15 months). GlobalSign already stopped issuing multi-year certificates on December 26, 2025. Other CAs will follow.
This means: if you want to lock in 3-year pricing, you need to act before March 2026. After that, everyone moves to annual-only issuance, and the multi-year discount advantage disappears.
Entrust Is No Longer an Independent CA
Microsoft began distrusting Entrust roots in February 2025. Entrust completed the sale of its entire public certificate business to Sectigo by September 2025. If anyone recommends Entrust, redirect them to Sectigo.
The EV/OV Distinction Is Gone
In February 2024, Microsoft declared it would no longer recognize EV code signing as a separate category. By August 2024, all EV code signing OIDs were removed from roots in the Trusted Root Program. There is no advantage to EV for AppSource.
Practical Signing Workflow for Business Central
Regardless of which certificate you choose, here’s what you need to know about the actual signing process for .app files:
Critical requirement: Dynamics 365 Business Central must be installed on the signing machine. Without it, signtool.exe won’t recognize the .app file format and will return the error: “This file format can’t be signed because it isn’t recognized.”
Microsoft documents two primary signing methods:
Traditional Method (signtool.exe)
Works with certificates accessible through the Windows certificate store—this includes Certum’s SimplySign (virtual smart card), physical USB tokens, or any locally installed certificate.
```powershell
signtool sign /fd SHA256 /sha1 <certificate_thumbprint> /t http://timestamp.globalsign.com/scripts/timstamp.dll "MyApp.app"
```
Azure Key Vault Method (.NET Sign Tool)
Recommended for certificates stored in Azure Key Vault. Uses the `sign code azure-key-vault` command of the .NET Sign CLI tool:

```powershell
sign code azure-key-vault `
  --azure-key-vault-url "https://your-vault.vault.azure.net/" `
  --azure-key-vault-certificate "your-cert-name" `
  --timestamp-url "http://timestamp.digicert.com" `
  "MyApp.app"
```
Both approaches produce valid Authenticode signatures accepted by AppSource.
Tip: Always pass a timestamp URL when signing. Without a timestamp, the signature stops validating the moment the certificate expires. With one, the timestamp authority attests that the signature was made while the certificate was still valid, so the signature remains valid indefinitely even after the certificate expires.
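Putting the signtool workflow and the timestamp tip together, here is an added example (my own script, not from the original post, not from Microsoft, and not tied to any of the CAs above) that signs a .app package, applies a timestamp, verifies the result and refuses to report success if the timestamp is missing. It assumes signtool.exe from the Windows SDK is on PATH, that Business Central is installed so the .app format is recognised, and that `Get-AuthenticodeSignature` can read the .app signature through the same registered file-type handler signtool uses. Unlike the one-liner above, it uses signtool's RFC 3161 switches (`/tr` with `/td SHA256`) instead of the legacy `/t`, so the `-TimestampUrl` you pass must be your CA's RFC 3161 endpoint; the thumbprint and URL in the usage line are placeholders.

```powershell
# Added example, not from the original post: sign a Business Central .app with signtool,
# apply an RFC 3161 timestamp, then verify and report. Assumes signtool.exe on PATH and
# Business Central installed; thumbprint and timestamp URL are placeholders.

function Invoke-AppSigning {
    param(
        [Parameter(Mandatory)][string] $AppPath,
        [Parameter(Mandatory)][string] $Thumbprint,
        [Parameter(Mandatory)][string] $TimestampUrl   # your CA's RFC 3161 timestamp endpoint
    )

    if (-not (Test-Path -Path $AppPath)) { throw "App package not found: $AppPath" }

    # /fd SHA256 : file digest (Microsoft's stated minimum)
    # /sha1      : pick the certificate by thumbprint from the CurrentUser\My store
    # /tr + /td  : RFC 3161 timestamp with a SHA-256 timestamp digest, so the signature
    #              keeps validating after the certificate expires
    & signtool sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 $AppPath
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # /pa : verify with the default Authenticode policy; /v : print signer and timestamp chain.
    & signtool verify /pa /v $AppPath
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    # Assumption: with Business Central installed, PowerShell can read the .app signature
    # the same way signtool does. Treat a missing timestamp as a failure, not a warning.
    $sig = Get-AuthenticodeSignature -FilePath $AppPath
    if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
    if (-not $sig.TimeStamperCertificate) { throw 'Signature is valid but carries no timestamp' }

    [pscustomobject]@{
        File       = $AppPath
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        SignerEnds = $sig.SignerCertificate.NotAfter
        Timestamp  = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (placeholders):
# Invoke-AppSigning -AppPath '.\MyApp.app' -Thumbprint '<certificate_thumbprint>' `
#     -TimestampUrl '<your CA RFC 3161 timestamp URL>'
```

The hard failure on a missing timestamp is the point: a signing step that silently succeeds without a timestamp produces an app that validates today and breaks on the certificate's expiry date, which is exactly the situation the tip above warns about.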
Conclusion and Recommendation
Your $434/year GlobalSign certificate is among the most expensive options available today. Here’s my recommended action plan:
Step 1: Try Azure Artifact Signing first. If your company is US-based with 3+ years of history (which appears to be the case for many of us in the BC community), this is the best deal at ~$120/year with zero hardware hassle and native Microsoft ecosystem integration.
Step 2: If Azure Artifact Signing doesn’t work out, purchase a 3-year Certum Standard Code Signing in the Cloud certificate through SSLmentor at $108/year. Do this before March 2026 to lock in the multi-year pricing before the validity reduction takes effect.
Step 3: For teams prioritizing automation, consider SSL.com with eSigner if you need robust CI/CD integration and don’t mind the higher total cost.
The bottom line: you can save 60-75% on your code signing costs without sacrificing any functionality or AppSource compatibility. The money saved is better spent on actual development.
Have you used any of these alternatives for signing Business Central apps? I’d love to hear about your experience in the comments below. If you found this guide helpful, feel free to share it with other BC developers who might be overpaying for their certificates.
Categories: Business Central / AppSource / Code Signing
Tags: Business Central, AppSource, Code Signing Certificate, OV, Authenticode, Azure Artifact Signing, Certum, SSL.com, GlobalSign, Dynamics 365