Does anyone have a suggestion for how to certify our code? 

In general... when talking about Security, you want to have the design reviewed prior to having the code reviewed... but I guess we can be agile about it. Maybe the thing to do would be to document what we have in terms of architecture, find someone to do an independent review of the architecture, incorporate architecture changes recommended by the reviewer, then make code changes, then have the code reviewed.

The word "certify" has a lot of different meanings to different people. If you're looking for FIPS certification, that's a long process... and it costs money. The OpenSSL FIPS certification process has been going on for at least a year or two with the bill being footed by OSSI, HP, DoD and a couple other people whose names escape me at the moment.

The motivation there was that HP and DoD believed the certification was an investment... pay a little up front so they can benefit from the cost savings of using an open implementation of various crypto algorithms. The last time I was involved in a CMVP effort, the total bill to the independent lab was something on the order of about $12k US. With the recent devaluation of the US peso, I'm guessing it would probably run at least $18k US these days.

I definitely agree with this!