Code Signing Certificate Requirements
The industry postponed implementation until June 1, 2023, to allow more time to prepare for the new OV code signing certificate private key storage requirement.
Starting June 1, 2023 00:00 UTC, industry standards require that private keys for OV code signing certificates be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. This change strengthens private key protection for code signing certificates and aligns it with the private key protection already required for Extended Validation (EV) code signing certificates. The new CAB Forum provision is available here: https://cabforum.org/baseline-requirements-code-signing/
The new key storage requirement affects code signing certificates issued on or after June 1, 2023, and impacts the following parts of your code signing process:
- Private key storage and certificate installation – June 1, 2023
- Code Signing
- Application and renewal of certificates
- Reissue of certificates
Private key storage and certificate installation: June 1, 2023
This new requirement means that Certificate Authorities (CAs) can no longer support browser-based key generation, nor any other process in which a CSR (Certificate Signing Request) is created and the certificate is installed on a laptop or server. Private keys and certificates must be generated, stored and installed in tokens or HSMs (Hardware Security Modules) certified to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
Code Signing – June 1, 2023
To use a code signing certificate installed on a device, you need access to the token or HSM and its credentials. For example, you must connect the token to your computer and then enter the token's password to sign your code with the code signing certificate held on the token; the private key never leaves the device.
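The signing step described above, as an added PowerShell example that is not part of the CertiSur notice: it locates the OV certificate that the token's middleware exposes in the Windows certificate store, signs a binary with signtool (the token prompts for its password because the key cannot be exported), and then verifies the result. The file path, subject name and timestamp server URL are placeholders; signtool.exe from the Windows SDK is assumed to be on PATH.

```powershell
# Added example (not from the CertiSur notice): sign a binary with an OV code
# signing certificate whose private key lives on a hardware token, then verify it.
# Assumptions: signtool.exe (Windows SDK) is on PATH, the token middleware is
# installed so the certificate appears in CurrentUser\My, and the values below
# are placeholders to replace with your own.

$FileToSign   = 'C:\build\MyApp.exe'               # hypothetical path
$TimestampUrl = 'http://timestamp.example.invalid'  # placeholder: your CA's RFC 3161 server
$SubjectName  = 'Example Corp'                      # hypothetical subject CN

# 1. Find the certificate. With a token, the private key is held by the token's
#    CSP/KSP and is non-exportable; HasPrivateKey is only true while the token
#    is connected, so this also acts as a "token present" check.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) {
    throw "No code signing certificate with a usable private key found. Is the token connected?"
}

# 2. Sign. /sha1 selects the certificate by thumbprint; the token middleware
#    prompts for the token password (PIN) at this point. /fd sets the file
#    digest and /tr + /td add an RFC 3161 timestamp so the signature remains
#    valid after the certificate expires.
signtool sign /fd SHA256 /sha1 $cert.Thumbprint /tr $TimestampUrl /td SHA256 /v $FileToSign
if ($LASTEXITCODE -ne 0) {
    throw "signtool sign failed with exit code $LASTEXITCODE"
}

# 3. Verify against the default Authenticode policy and print the signer chain.
signtool verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) {
    throw "signtool verify failed with exit code $LASTEXITCODE"
}

# 4. Cross-check from PowerShell: the status must be Valid and the signer must
#    be the certificate selected above, not some other certificate in the store.
$sig = Get-AuthenticodeSignature -FilePath $FileToSign
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Signature check failed: status $($sig.Status)"
}
"Signed $FileToSign with $($cert.Subject) [$($cert.Thumbprint)]"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Selecting the certificate by thumbprint rather than with `/a` (automatic selection) is deliberate: a build machine may hold several certificates, and pinning the thumbprint keeps the script from silently signing with a different one. The final `Get-AuthenticodeSignature` check confirms both that the signature validates and that it was made with the intended token-resident key.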
Request and renewal of code signing certificates – June 1, 2023
When requesting or renewing an OV code signing certificate, you must select a provisioning method; in other words, you choose the hardware on which the private key will be stored. You have three provisioning options.
- Use a Token provided by CertiSur
- Use your own compatible token
- Install on a hardware security module (HSM)
Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. To use an HSM, you must submit a certification letter that includes an audit letter.
Reissuance of certificates – June 1, 2023
When reissuing code signing certificates, you must install the certificate on a compatible token or HSM. If you do not have a token, you can purchase a SafeNet eToken 5110 (FIPS 140 Level 2 certified).
Do you want to eliminate the need for individual tokens?
Transition to DigiCert® Secure Software Manager (SSM) to enhance the security of your software with code signing workflow automation that reduces points of vulnerability, providing end-to-end security and control of the code signing process across the enterprise, all without slowing your process down.
- Key storage in industry-compliant HSM
- Application of policies
- Centralized management
- Integration with CI/CD (Continuous Integration/Continuous Delivery)
- And more
To learn more about how DigiCert® Secure Software Manager has helped other organizations, see the case study Automated Signature Speeds Build Times While Improving User Experience.
This document contains all the information we have to date about the changes required by the CAB Forum. As new information becomes available about the mechanism for installing and using a code signing certificate from a token, an HSM or through Secure Software Manager (SSM), we will contact you again.
Do you need help or have questions?
If you have questions or would like more information about upcoming industry changes, please contact us by sending an email to email@example.com