As of May 14, 2023, new requirements for Code Signing certificates have been introduced, impacting how organizations obtain and use these essential tools. This article sheds light on the changes, focusing on certificates purchased after that date.
The recent updates mandate that Code Signing certificates must now be installed on physical hardware tokens. This requirement applies to Standard Organization Validation (OV) Code Signing certificates. Organizations have two options to fulfill this requirement:
One option is to purchase pre-configured certificate tokens directly from the Certificate Authority. These tokens are ready to use upon delivery, simplifying the installation process. The purchase price includes both the hardware token and the shipping fees.
For those who already possess compatible hardware devices, another option is available. You can order the Code Signing certificate installed on your existing hardware token, making it a cost-effective choice for some organizations.
When acquiring a Code Signing certificate, selecting the Certificate Delivery Method that best suits your needs is crucial. Please be aware that the chosen delivery method cannot be changed once the purchase is completed. Therefore, careful consideration is advised to ensure a seamless experience.
The Token + Shipping method is recommended for the majority of users. By opting for this method, you can conveniently order a pre-configured token from the Certificate Authority. The purchase price includes the hardware token and the associated shipping fees, providing a hassle-free solution.
If you own a compatible Hardware Security Module (HSM) and possess the expertise to manage your device independently, you can select the “Install on Existing HSM” method. This option is designed for advanced users confident in handling their HSM without requiring third-party support.
To proceed with this method, please ensure that your HSM meets the FIPS 140-2 level 2 standard as a minimum requirement. Meeting this standard is crucial to ensure the security and integrity of your Code Signing certificate installation.
For Sectigo Code Signing certificates, it is mandatory to provide an Attestation bundle from your HSM during the certificate generation process.
Sectigo supports the following HSM brands for Code Signing certificates:
If you are a DigiCert customer, you can install Code Signing certificates on an existing SafeNet USB device.
Please note that this installation option is exclusive to DigiCert certificates, and the supported SafeNet series are as follows:
When acquiring a certificate, selecting the right Certificate Delivery Method is crucial. However, we understand that sometimes mistakes can happen. In this article, we’ll explore the importance of choosing the correct delivery method and what to do if an incorrect method is selected.
Selecting the appropriate Certificate Delivery Method is a critical step during the purchase process. Different methods offer unique advantages and cater to varying user preferences. Whether it’s a pre-configured token or installation on an existing device, each method ensures seamless integration and ease of use for certificate holders.
Once your certificate purchase is completed, the selected Certificate Delivery Method becomes fixed and cannot be modified. This limitation is implemented to ensure the security and integrity of the certificate issuance process.
There is no need to worry if an incorrect delivery method is chosen. A solution is readily available through your account dashboard. To correct the mistake, follow these steps:
Log in to your account dashboard and navigate to the incorrect delivery method order. Initiate the cancellation process for this specific order.
After canceling the initial order, proceed to purchase a new certificate. This time, select the preferred Certificate Delivery Method that aligns with your requirements.
With the correct delivery method chosen, finalize the new purchase. The system will now process your order according to the updated information.
To prevent any potential issues, consider the following tips when acquiring a certificate:
Carefully Review Options:
Understand the available Certificate Delivery Methods and their implications before selecting.
Double-check Before Purchasing:
Before completing the purchase, verify that you have chosen the correct delivery method, as modifications cannot be made afterward.
Reach Out for Assistance:
Please contact customer support for guidance if you have any doubts or need clarification.
The Certificate Authority & Browser (CA/B) Forum has taken significant measures to bolster code signing certificates’ security, effective June 1, 2023.
The new requirements mandate hardware security modules or tokens that meet specific certification standards. This article sheds light on the changes and how they contribute to mitigating the risks associated with code signing.
The CA/B Forum now mandates that such keys must be stored on certified hardware security modules or tokens to enhance the protection of code signing keys. These devices must meet one of the following certification standards:
The Federal Information Processing Standard (FIPS) 140 Level 2 certification guarantees that the hardware module meets stringent security requirements defined by the National Institute of Standards and Technology (NIST).
The Common Criteria for Information Technology Security Evaluation (CC) establishes internationally recognized standards for evaluating security functions in IT products. EAL 4+ is one of the highest assurance levels under the Common Criteria.
Besides the specified certifications, the CA/B Forum also considers other equivalent standards that provide a comparable level of security.
The primary motivation behind these changes is to address the growing problem of stolen code signing keys. Cybercriminals have exploited stolen keys to sign and distribute malware, posing significant risks to users and organizations.
By mandating certified hardware modules, the CA/B Forum aims to mitigate the potential consequences of such security breaches.
Certificate Authorities (CAs) usually include a compliant hardware token with the code signing product purchase to facilitate compliance with the new requirements. This ensures customers receive the necessary hardware to store their code signing certificate keys securely.
As the demand for heightened cybersecurity continues to rise, Certificate Authorities (CAs) DigiCert and Sectigo are taking steps to enhance the security of their code signing certificates.
While these changes are essential to combat evolving cyber threats, they come with necessary adjustments in pricing. In this article, we’ll explore the price changes implemented by DigiCert and Sectigo and the reasons behind them.
DigiCert recognizes the significance of maintaining the same level of affordability for their Organization Validation (OV) code signing certificates. As such, the price for DigiCert’s OV code signing certificates remains steady at $539 (MSRP for one year).
However, beginning on June 1, a $120 fee will be introduced for customers opting to receive a DigiCert-provided hardware token.
Customers with a compliant token, Hardware Security Module (HSM), or key vault can utilize their existing hardware instead of purchasing a DigiCert-provided hardware token. This provides an opportunity for cost savings while still meeting the new security requirements.
Sectigo’s price adjustments for code signing certificates are being implemented in two phases to ensure a seamless transition:
Similar to DigiCert, Sectigo offers an opportunity for cost-effective alternatives. Customers who already possess a Thales/SafeNet Luna or NetHSM device or a Yubico FIPS Yubikey (ECC keys only) can choose not to purchase a token from Sectigo.
Utilizing their compliant hardware allows customers to navigate the pricing changes while maintaining the required security standards.
DigiCert and Sectigo are not alone in their efforts to enhance security and adapt to the changing cybersecurity landscape. Other code signing providers are expected to introduce new pricing structures to align with the industry’s heightened security standards. By June 1, customers can expect to see updated pricing from all CAs.
Adopting hardware tokens has become a focal point as the code signing industry embraces enhanced security measures. These specialized cryptographic devices, mandated by CA/B Forum standards, are crucial in securing certificate keys.
While hardware tokens might look similar to ordinary USB flash drives at first glance, they serve a vastly different purpose. Their cost, compared with consumer-grade USB drives, may raise questions, but hardware tokens are designed to meet specific security standards rather than simply to store files.
CA/B Forum requirements necessitate tokens certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. These certifications ensure that the hardware and software features of the tokens can perform cryptographic operations securely.
They are specialized cryptographic devices akin to Hardware Security Modules (HSMs) or Trusted Platform Modules (TPMs).
For those who prefer to avoid dealing with hardware tokens, a convenient alternative exists in code signing platforms such as DigiCert Software Trust Manager.
These platforms securely store certificate keys in an HSM, removing the need for hardware tokens. This approach lets users quickly sign their code by logging into the platform.
DigiCert Software Trust Manager offers a streamlined and secure code signing experience. Users can avoid the complexities of hardware tokens by utilizing an HSM to store certificate keys.
Interested parties can schedule a demo to witness firsthand how DigiCert Software Trust Manager simplifies code signing while maintaining high security.
Organizations can take proactive steps to minimize the impact of these code signing changes as the industry adopts them. A quick and practical suggestion is to purchase a 3-year certificate before the cut-off date: a certificate issued before then lets users avoid dealing with hardware tokens for the next few years.
When obtaining a Code Signing certificate, carefully evaluate your hardware requirements and proficiency in managing advanced HSMs. The “Install on Existing HSM” method allows independent certificate installation for advanced users with a compatible HSM.
Ensure your HSM meets the FIPS 140-2 level 2 standard as a minimum requirement for security compliance.
DigiCert customers can choose the “Install on Existing Token” option, exclusive to SafeNet USB devices, for a streamlined Code Signing certificate installation process.
By making the appropriate choice, you can ensure a smooth and secure experience while protecting the integrity of your software and applications.