News Code Signing Certificates
As of November 15, 2022, industry standards will require that private keys for OV code signing certificates be stored on hardware certified as: FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent.
This change strengthens private key protection for code signing certificates. Here you can find the new CAB Forum provision: https://cabforum.org/baseline-requirements-code-signing/
The new key storage requirement affects code signing certificates issued on or after November 15, 2022, and impacts the following parts of your code signing process:
- Storage of private keys and installation of certificates – November 15, 2022
- Code signing – November 15, 2022
- Application and renewal of certificates – November 15, 2022
- Reissue of certificates – November 15, 2022
Private key storage and certificate installation: November 15, 2022
Under this new requirement, Certificate Authorities (CAs) can no longer support browser-based key generation, nor any process in which the CSR (Certificate Signing Request) is generated and the certificate is installed on a laptop or server. Private keys and certificates must be generated, stored and installed on tokens or HSMs (Hardware Security Modules) certified to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
Code Signing – November 15, 2022
To use a code signing certificate installed on a device, you need both physical access to the token or HSM and the credentials for the certificate stored on it. For example, you must connect the token to your computer and then enter the token password each time you sign your code with the code signing certificate it holds.
Application and renewal of code signing certificates – November 15, 2022
When requesting or renewing an OV code signing certificate, you must select a provisioning method, that is, the hardware on which the private key will be stored. There are three provisioning options:
- Use a preconfigured token provided by CertiSur
- Use your own compatible token
- Install on a hardware security module (HSM)
Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. To use an HSM, you must submit a certification letter that includes an audit letter.
Certificate reissue – November 15, 2022
When reissuing code signing certificates, you must install the certificate in a compatible token or HSM. If you do not have a token, you can purchase a CertiSur token at that time.
We are working on the token purchase process for the reissuance of code signing certificates. We will provide details about the new process and the price of the token as soon as possible in a follow-up email.
Do you want to eliminate the need for individual tokens?
Transition to DigiCert® Secure Software Manager (SSM) to strengthen your software security through code signing workflow automation. SSM reduces points of vulnerability in the code signing process with end-to-end security and control across the enterprise, without slowing down your process:
- Key storage in industry-compliant HSM
- Application of policies
- Centralized management
- Integration with CI/CD (Continuous Integration/Continuous Delivery)
- And more
To learn more about how DigiCert® Secure Software Manager has helped other organizations, see the case study "Automated Signature Speeds Build Times While Improving User Experience".
This document contains all the information we have so far about the changes required by the CAB Forum. As new information becomes available about installing and using a code signing certificate from a token, an HSM or through Secure Software Manager (SSM), we will contact you again.
Do you need help or have questions?
If you have questions or would like more information about upcoming industry changes, please contact us by sending an email to firstname.lastname@example.org