We’re using SSL.com .
They deliver their certificate on a YubiKey dongle though, which might be problematic for automated build chains. There are workarounds to facilitate automated build chains with YubiKey, but the regular old signtool will want a PIN entry on every signature with this. There is a 3rd party option (ScSignTool), which can handle the PIN for regular signatures, but I have yet to find a way for pace wraptool, to work with the pin… Right now I have all signatures automated with the exception of aax. So on every installer build I have to enter the pin once for aax…
Unfortunately it seems these days providers only distribute the EV certificates on dongles and only give you cert files for OV certificates, which have the advantage of working easily with signtool and pace wrapper, but don’t satisfy Windows Smart Screen off the bat (it will need a few startups on different machines until Microsoft knows you and deems you safe). I haven’t yet found a way to just disable the PIN on the YubiKey either…
Also check out this thread a few entries further down 