16 June, 2022

News Code Signing Certificates

As of November 15, 2022, industry standards will require that private keys for OV code signing certificates be stored on hardware certified as: FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent.

This change strengthens private key protection for code signing certificates. Here you can find the new CAB Forum provision: https://cabforum.org/baseline-requirements-code-signing/

The new key storage requirement affects code signing certificates issued on or after November 15, 2022, and impacts the following parts of your code signing process:

  • Storage of private keys and installation of certificates – November 15, 2022
  • Code Signing
  • Application and renewal of certificates
  • Reissue of certificates

 

Private key storage and certificate installation: November 15, 2022

This new requirement means that Certificate Authorities (CAs) can no longer support browser-based key generation, as well as any process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server. Private keys and certificates must be stored and installed in tokens or HSMs (Hardware Security Modules) certified to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.

Code Signing – November 15, 2022

To use a code signing certificate installed on a device, you need access to the token or HSM and the credentials to use the certificate stored on it. For example, you need to connect the token to your computer, and then you need the password to sign your code with the code signing certificate in the token.

Application and renewal of code signing certificates – November 15, 2022

When requesting and renewing an OV code signing certificate, you must select a provisioning method. In other words, choose the hardware to store the private key. You have three provisioning options.

  • Use a preconfigured token provided by DigiCert*
  • Use your own compatible token
  • Install on a hardware security module (HSM)

Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. To use an HSM, you must submit a certification letter that includes an audit letter.

Certificate reissue – November 15, 2022

When reissuing code signing certificates, you must install the certificate in a compatible token or HSM. If you don’t have a token, you can buy a token from DigiCert at that time

DigiCert and CertiSur are working on the token purchase process for the reissue of code signing certificates. We will provide details about the new process and the price of the token as soon as possible in a follow-up email.

 

Do you want to eliminate the need for individual tokens?

Transition to DigiCert® Secure Software Manager (SSM) to enhance your software security with code signing workflow automation that reduces points of vulnerability with end-to-end security and control across the enterprise; in the code signing process, all without slowing down your process.

Main features:

  • Key storage in industry-compliant HSM
  • Application of policies
  • Centralized management
  • Integration with CI/CD (Continuous Integration/Continuous Delivery)
  • And more

To learn more about how DigiCert® Secure Software Manager has helped other organizations, see the case study Automated Signature Speeds Build Times While Improving User Experience.

We have put into this document all the information we have up to now about the changes required by the CAB Forum. As we have new information about the installation mechanism and use of the Code Signing certificate from a token, an HSM or through the Secure Software Manager (SSM) we will contact you again.

 

Do you need help, do you have questions?

If you have questions or would like more information about upcoming industry changes, please contact us by sending an email to soporte@certisur.com

Contact us to learn more about our solutions.