PKI March 21, 2023

Code Signing Certificate Requirements

The industry has postponed implementation until June 1, 2023 to give more time to prepare for the new private key storage requirement for OV code signing certificates.

As of June 1, 2023 at 00:00 UTC, industry standards will require that private keys for OV code signing certificates be stored in hardware certified to FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. This change strengthens private key protection for code signing certificates and aligns it with the private key protection already required for EV (Extended Validation) code signing certificates. You can find the new CA/Browser Forum provision here: https://cabforum.org/baseline-requirements-code-signing/

The new key storage requirement affects code signing certificates issued as of June 1, 2023 and impacts the following parts of your code signing process:

  • Private Key Storage and Certificate Installation – June 1, 2023
  • Code Signing
  • Certificate Request and Renewal
  • Certificate Reissuance

Private key storage and certificate installation – June 1, 2023

This new requirement means that Certificate Authorities (CAs) can no longer support browser-based key generation, nor any process in which a CSR (Certificate Signing Request) is created and the certificate is installed on a laptop or server. Private keys and certificates must be generated, stored and installed on tokens or HSMs (Hardware Security Modules) certified at a minimum to FIPS 140-2 Level 2 or Common Criteria EAL 4+.

Code Signing – June 1, 2023

To use a code signing certificate installed on such a device, you need both access to the token or HSM and its credentials. For example, you must connect the token to your computer and then enter its password to sign your code with the code signing certificate held on the token.

Code signing certificate request and renewal – June 1, 2023

When requesting or renewing an OV code signing certificate, you must select a provisioning method, that is, the hardware that will store the private key. You have three provisioning options:

  • Use a token provided by CertiSur
  • Use your own compatible token
  • Install on a Hardware Security Module (HSM)

Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent. To use an HSM, you must submit a certification letter that includes an audit letter.
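The storage requirement and the provisioning rules above can be turned into a simple policy gate that an enterprise runs before placing a certificate order. The following is an added example, not CertiSur or CA/Browser Forum code: the request fields, the free-text certification strings and the reading of "or equivalent" as any FIPS 140 revision at Level 2 or above are assumptions made for the illustration. It shows the two edge cases a practitioner cares about: the cutoff is evaluated in UTC, and an HSM order is rejected until the certification letter with its audit letter is on file.

```python
"""Policy gate for OV code signing key provisioning requests.

Added example, not CertiSur or CA/B Forum code. It encodes the rule described
above: from 2023-06-01 00:00 UTC the private key of an OV code signing
certificate must be generated and kept on a token or HSM certified to at least
FIPS 140 Level 2 or Common Criteria EAL 4+, and HSM provisioning needs a
certification letter that includes an audit letter. The request fields and the
interpretation of "or equivalent" (any FIPS 140 revision at Level 2 or above)
are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Effective date of the new private key storage requirement (stated on the page).
EFFECTIVE = datetime(2023, 6, 1, 0, 0, tzinfo=timezone.utc)

# Minimum assurance levels stated on the page.
MIN_FIPS_LEVEL = 2
MIN_EAL_LEVEL = 4

# Certification strings as a vendor datasheet would print them, e.g.
# "FIPS 140-2 Level 2", "FIPS 140-3 Level 3", "Common Criteria EAL 4+", "EAL5".
_FIPS_RE = re.compile(r"FIPS\s*140(?:-\d)?\s*Level\s*(\d)", re.IGNORECASE)
_CC_RE = re.compile(r"EAL\s*(\d)\+?", re.IGNORECASE)


@dataclass
class ProvisioningRequest:
    """What an enterprise might record when ordering a certificate (assumed fields)."""
    issuance_time: datetime         # timezone-aware; when the certificate will be issued
    key_location: str               # "token", "hsm" or "software"
    certification: str              # certification of the key storage hardware, free text
    hsm_audit_letter: bool = False  # only meaningful when key_location == "hsm"


def storage_meets_minimum(certification: str) -> bool:
    """True if the hardware is certified to FIPS 140 Level >= 2 or CC EAL >= 4."""
    m = _FIPS_RE.search(certification)
    if m and int(m.group(1)) >= MIN_FIPS_LEVEL:
        return True
    m = _CC_RE.search(certification)
    if m and int(m.group(1)) >= MIN_EAL_LEVEL:
        return True
    return False


def evaluate(req: ProvisioningRequest) -> List[str]:
    """Return the policy violations for a request; an empty list means it is acceptable."""
    if req.issuance_time.tzinfo is None:
        raise ValueError("issuance_time must be timezone-aware")
    # Certificates issued before the cutoff are not affected by the new rule.
    if req.issuance_time.astimezone(timezone.utc) < EFFECTIVE:
        return []
    problems = []
    if req.key_location not in ("token", "hsm"):
        problems.append("private key must be generated and stored on a token or HSM, "
                        "not created via a CSR on a laptop or server")
    if not storage_meets_minimum(req.certification):
        problems.append("hardware must be certified FIPS 140 Level 2, "
                        "Common Criteria EAL 4+ or equivalent")
    if req.key_location == "hsm" and not req.hsm_audit_letter:
        problems.append("HSM provisioning requires a certification letter "
                        "that includes an audit letter")
    return problems


def check(issued_at: str, key_location: str, certification: str,
          hsm_audit_letter: bool = False) -> List[str]:
    """Convenience wrapper taking an ISO 8601 timestamp with an explicit UTC offset."""
    req = ProvisioningRequest(datetime.fromisoformat(issued_at), key_location,
                              certification, hsm_audit_letter)
    return evaluate(req)


if __name__ == "__main__":
    # Constructed sample requests straddling the cutoff.
    for args in [("2023-05-31T23:59:00+00:00", "software", "none"),
                 ("2023-06-01T00:00:00+00:00", "software", "none"),
                 ("2023-06-15T12:00:00+00:00", "token", "FIPS 140-2 Level 2"),
                 ("2023-06-15T12:00:00+00:00", "hsm", "Common Criteria EAL 4+"),
                 ("2023-06-15T12:00:00+00:00", "hsm", "FIPS 140-3 Level 3", True)]:
        print(args, "->", check(*args) or "OK")
```

A request timestamped just before the cutoff in a positive UTC offset (for example 01:00 at +02:00 on June 1) is still "before" once normalised to UTC, which is why the comparison converts with astimezone rather than comparing naive timestamps.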

Certificate reissuance – June 1, 2023

When reissuing a code signing certificate, you must install the certificate on a compatible token or HSM. If you don't have a token, you can purchase a SafeNet 5110 FIPS 140 Level 2 eToken.

Want to eliminate the need for individual tokens?

Move to DigiCert® Secure Software Manager (SSM) to improve your software security with code signing workflow automation that reduces points of vulnerability, giving you end-to-end security and control over the code signing process across your enterprise, all without slowing down your pipeline.

Key features:

  • Key storage in industry-compliant HSMs
  • Policy enforcement
  • Centralized management
  • Integration with CI/CD (Continuous Integration/Continuous Delivery)
  • And more

For more information about how DigiCert® Secure Software Manager has helped other organizations, see the case study "Automated signing accelerates build times while improving user experience" (in English).

We have compiled in this document all the information we have at this time about the changes required by the CA/Browser Forum. As we obtain further details on how to install and use a code signing certificate from a token, an HSM, or through Secure Software Manager (SSM), we will contact you again.

Need help, have questions?

If you have questions or would like more information about upcoming industry changes, contact us by email at soporte@certisur.com.