fun fact: every major code signing CA mandates that your private key is stored on a certified HSM or similar, but multiple CAs (including DigiCert and VeriSign) do not actually verify this from experience

I only know of one CA that absolutely makes sure of this - Certum - and that's probably because their cheapest code signing cert is €25, so it would be trivial to test

Fuzzy Systems Masto
