CertiSur
Control Panel
SSL / TLS June 16, 2022

Code Signing Certificates News

As of November 15, 2022, industry standards will require that private keys for OV code signing certificates be stored in certified hardware such as: FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent.

Novedades Certificados Firma de Código
This change strengthens private key protection for code signing certificates. You can find the new CAB Forum provision here:https://cabforum.org/baseline-requirements-code-signing/ The new key storage requirement affects code signing certificates issued on or after November 15, 2022 and impacts the following parts of your code signing process:
  • Private Key Storage and Certificate Installation – November 15, 2022
  • Code Signing
  • Certificate Request and Renewal
  • Certificate Reissuance

Private Key Storage and Certificate Installation: November 15, 2022

This new requirement means that Certification Authorities (CA) can no longer allow browser-based key generation, nor any process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server.Private keys and certificates must be stored and installed on tokens or HSM (Hardware Security Modules) certified at minimum with FIPS 140-2 Level 2 or Common Criteria EAL 4+.

Code Signing – November 15, 2022

To use a code signing certificate installed on a device, you need access to the token or HSM and the credentials to use the certificate stored on it. For example, you must connect the token to your computer and then you need the password to sign your code with the code signing certificate on the token.

Code Signing Certificate Request and Renewal – November 15, 2022

When requesting and renewing an OV code signing certificate, you must select a provisioning method. In other words, choose the hardware to store the private key. You have three provisioning options.
  • Use a pre-configured token provided by CertiSur
  • Use your own compatible token
  • Install in a Hardware Security Module (HSM)
Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent.To use an HSM, you must send a certification letter that includes an audit letter.

Certificate Reissuance – November 15, 2022

When reissuing code signing certificates, you must install the certificate on a compatible token or HSM. If you don't have a token, you can purchase a token from CertiSur at that time. We are currently working on the token purchase process for code signing certificate reissuance. We will provide details about the new process and token pricing as soon as possible in a follow-up email.

Want to eliminate the need for individual tokens?

Transition to DigiCert® Secure Software Manager (SSM) to improve your software security with code signing workflow automation that reduces vulnerability points with end-to-end security and control across your enterprise; in the code signing process, all without slowing down your process. Key features:
  • Private Key Storage in Industry-Compatible HSM
  • Policy Application
  • Centralized Management
  • Integration with CI/CD (Continuous Integration/Continuous Delivery)
  • And more
For more information on how DigiCert® Secure Software Manager has helped other organizations, consult the case study Automated signing accelerates build times while improving user experience (in English) We have included in this document all the information we have at this time regarding the changes required by the CAB Forum. As we obtain new information about the mechanism for installing and using the Code Signing certificate from a token, an HSM, or through the Secure Software Manager (SSM), we will contact you again.

Need help or have questions?

If you have questions or would like more information about the upcoming industry changes, please contact us by sending an email to soporte@certisur.com
← Back to news