New Code Signing Changes: Delivery Modes, HSM

New Code Signing Requirement Changes Delivery Modes

As of May 14, 2023, new requirements for Code Signing certificates have been introduced, impacting how organizations obtain and use these essential tools. This article sheds light on the changes, focusing on certificates purchased after that date.

Updated Code Signing Certificate Installation:

The recent updates mandate that Code Signing certificates must now be installed on physical hardware tokens. This requirement applies to Standard Organization Validation (OV) Code Signing certificates. Organizations have two options to fulfill this requirement:

Pre-Configured Certificate Tokens:

One option is to purchase pre-configured certificate tokens directly from the Certificate Authority. These tokens are ready to use upon delivery, simplifying the installation process. The purchase price includes both the hardware token and the shipping fees.

Certificate Installation on Existing Hardware Devices:

For those who already possess compatible hardware devices, another option is available. You can order the Code Signing certificate installed on your existing hardware token, making it a cost-effective choice for some organizations.

What are the Right Certificate Delivery Methods?

When acquiring a Code Signing certificate, selecting the Certificate Delivery Method that best suits your needs is crucial. Please be aware that the chosen delivery method cannot be changed once the purchase is completed. Therefore, careful consideration is advised to ensure a seamless experience.

Token + Shipping Method:

The Token + Shipping method is recommended for the majority of users. By opting for this method, you can conveniently order a pre-configured token from the Certificate Authority. The purchase price includes the hardware token and the associated shipping fees, providing a hassle-free solution.

Install on Existing HSM (Advanced Users)

If you own a compatible Hardware Security Module (HSM) and possess the expertise to manage your device independently, you can select the “Install on Existing HSM” method. This option is designed for advanced users confident in handling their HSM without requiring third-party support.

To proceed with this method, please ensure that your HSM meets the FIPS 140-2 level 2 standard as a minimum requirement. Meeting this standard is crucial to ensure the security and integrity of your Code Signing certificate installation.

Sectigo Code Signing HSM Requirements:

For Sectigo Code Signing certificates, it is mandatory to provide an Attestation bundle from your HSM during the certificate generation process.

Sectigo supports the following HSM brands for Code Signing certificates:

  1. Yubikey 5 FIPS
  2. LUNA Network Attached HSM, version 7+

Install on Existing Token (DigiCert Only)

If you are a DigiCert customer, you can install Code Signing certificates on an existing SafeNet USB device.

Please note that this installation option is exclusive to DigiCert certificates, and the supported SafeNet series are as follows:

  1. SafeNet eToken 5110+ FIPS
  2. SafeNet eToken 5110 CC (RSA 4096 & ECC)
  3. SafeNet eToken 5110 FIPS (ECC ONLY)

Understand Certificate Delivery Methods to Choose Wisely!

When acquiring a certificate, selecting the right Certificate Delivery Method is crucial. However, we understand that sometimes mistakes can happen. In this article, we’ll explore the importance of choosing the correct delivery method and what to do if an incorrect method is selected.

The Importance of Choosing the Right Certificate Delivery Method:

Selecting the appropriate Certificate Delivery Method is a critical step during the purchase process. Different methods offer unique advantages and cater to varying user preferences. Whether it’s a pre-configured token or installation on an existing device, each method ensures seamless integration and ease of use for certificate holders.

The Unchangeable Nature of Certificate Delivery Method:

Once your certificate purchase is completed, the selected Certificate Delivery Method becomes fixed and cannot be modified. This limitation is implemented to ensure the security and integrity of the certificate issuance process.

Addressing an Incorrectly Chosen Delivery Method:

There is no need to worry if an incorrect delivery method is chosen. A solution is readily available through your account dashboard. To correct the mistake, follow these steps:

Cancel the Current Order:

Log in to your account dashboard and navigate to the incorrect delivery method order. Initiate the cancellation process for this specific order.

Purchase a New Certificate:

After canceling the initial order, proceed to purchase a new certificate. This time, select the preferred Certificate Delivery Method that aligns with your requirements.

Complete the New Purchase:

With the correct delivery method chosen, finalize the new purchase. The system will now process your order according to the updated information.

Tips for a Smooth Purchase Experience:

To prevent any potential issues, consider the following tips when acquiring a certificate:

Carefully Review Options:

Understand the available Certificate Delivery Methods and their implications before selecting.

Double-check Before Purchasing:

Before completing the purchase, verify that you have chosen the correct delivery method, as modifications cannot be made afterward.

Reach Out for Assistance:

Please contact customer support for guidance if you have any doubts or need clarification.

Strengthen Code Signing Security with New CA/B Forum Changes

The Certificate Authority & Browser (CA/B) Forum has taken significant measures to bolster code signing certificates’ security, effective June 1, 2023.

The new requirements mandate hardware security modules or tokens that meet specific certification standards. This article sheds light on the changes and how they contribute to mitigating the risks associated with code signing.

Code Signing Certificate Key Storage Requirements:

To enhance the protection of code signing keys, the CA/B Forum now mandates that such keys must be stored on certified hardware security modules or tokens. These devices must meet one of the following certification standards:

FIPS 140 Level 2:

The Federal Information Processing Standard (FIPS) 140 Level 2 certification guarantees that the hardware module meets stringent security requirements defined by the National Institute of Standards and Technology (NIST).

Common Criteria EAL 4+:

The Common Criteria for Information Technology Security Evaluation (CC) establishes internationally recognized standards for evaluating security functions in IT products. EAL 4+ is one of the highest assurance levels under the Common Criteria.

Equivalent Standards:

Besides the specified certifications, the CA/B Forum also considers other equivalent standards that provide a comparable level of security.

Fighting Against Stolen Code Signing Keys:

The primary motivation behind these changes is to address the growing problem of stolen code signing keys. Cybercriminals have exploited stolen keys to sign and distribute malware, posing significant risks to users and organizations.

By mandating certified hardware modules, the CA/B Forum aims to mitigate the potential consequences of such security breaches.

Compliant Hardware Token Shipment:

Certificate Authorities (CAs) usually include a compliant hardware token with the code signing product purchase to facilitate compliance with the new requirements. This ensures customers receive the necessary hardware to store their code signing certificate keys securely.

Price Adjustments for DigiCert and Sectigo

As the demand for heightened cybersecurity continues to rise, Certificate Authorities (CAs) DigiCert and Sectigo are taking steps to enhance the security of their code signing certificates.

While these changes are essential to combat evolving cyber threats, they come with necessary adjustments in pricing. In this article, we’ll explore the price changes implemented by DigiCert and Sectigo and the reasons behind them.

DigiCert’s Pricing Updates:

DigiCert recognizes the significance of maintaining the same level of affordability for their Organization Validation (OV) code signing certificates. As such, the price for DigiCert’s OV code signing certificates remains steady at $539 (MSRP for one year).

However, beginning on June 1, a $120 fee will be introduced for customers opting to receive a DigiCert-provided hardware token.

Buy DigiCert Code Signing Certificate Starts at $369.99/Year

Opportunity for Cost Savings with Compliant Tokens:

Customers with a compliant token, Hardware Security Module (HSM), or key vault can utilize their existing hardware instead of purchasing a DigiCert-provided hardware token. This provides an opportunity for cost savings while still meeting the new security requirements.

Sectigo’s Two-Phase Pricing Changes:

Sectigo’s price adjustments for code signing certificates are being implemented in two phases to ensure a seamless transition:

  1. Phase One: On March 7, Sectigo raised code signing certificate prices from $179 to $379 (MSRP for one year). This adjustment aims to accommodate the additional security measures.
  2. Phase Two: Starting May 8, Sectigo will include a $50 token fee and a shipping fee ranging from $40 to $90. These fees are essential to cover the costs of hardware and shipping services.

Buy Sectigo Code Signing Certificate Starts at $225.99/Year

Cost-Effective Alternatives:

Similar to DigiCert, Sectigo offers an opportunity for cost-effective alternatives. Customers who already possess a Thales/SafeNet Luna or NetHSM device or a Yubico FIPS Yubikey (ECC keys only) can choose not to purchase a token from Sectigo.

Utilizing their compliant hardware allows customers to navigate the pricing changes while maintaining the required security standards.

Expectations from Other CAs:

DigiCert and Sectigo are not alone in their efforts to enhance security and adapt to the changing cybersecurity landscape. Other code signing providers are expected to introduce new pricing structures to align with the industry’s heightened security standards. By June 1, customers can expect to see updated pricing from all CAs.

How Hardware Tokens Simplify Code Signing Solutions?

Adopting hardware tokens has become a focal point as the code signing industry embraces enhanced security measures. These specialized cryptographic devices, mandated by CA/B Forum standards, are crucial in securing certificate keys.

Hardware Tokens: Beyond USB Flash Drives

While hardware tokens might seem similar to typical USB flash drives at first glance, they serve a vastly different purpose. Their price may raise questions when compared with consumer-grade USB drives, but hardware tokens are designed to meet specific security standards.

CA/B Forum requirements necessitate tokens certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. These certifications ensure that the hardware and software features of the tokens can perform cryptographic operations securely.

Hardware tokens are specialized cryptographic devices akin to Hardware Security Modules (HSMs) or Trusted Platform Modules (TPMs).

Switch to a Signing Platform for Simplicity:

For those who prefer to avoid dealing with hardware tokens, a convenient alternative exists in code signing platforms like DigiCert Software Trust Manager.

These platforms securely store certificate keys in an HSM, removing the need for hardware tokens. This approach lets users quickly sign their code by logging into the platform.

Simplify Code Signing with DigiCert Software Trust Manager:

DigiCert Software Trust Manager offers a streamlined and secure code signing experience. Users can avoid the complexities of hardware tokens by utilizing an HSM to store certificate keys.

Interested parties can schedule a demo to witness firsthand how DigiCert Software Trust Manager simplifies code signing while maintaining high security.

Planning for the Future: Purchase a 3-Year Certificate

Organizations can take proactive steps to minimize the impact as the industry undergoes these code signing changes. A quick and practical suggestion is to purchase a 3-year certificate before the cut-off date. By having the certificate issued before the deadline, users can avoid dealing with hardware tokens for the next few years.

Wrapping up

When obtaining a Code Signing certificate, carefully evaluate your hardware requirements and proficiency in managing advanced HSMs. The “Install on Existing HSM” method allows independent certificate installation for advanced users with a compatible HSM.

Ensure your HSM meets the FIPS 140-2 level 2 standard as a minimum requirement for security compliance.

DigiCert customers can choose the “Install on Existing Token” option, exclusive to SafeNet USB devices, for a streamlined Code Signing certificate installation process.

By making the appropriate choice, you can ensure a smooth and secure experience while protecting the integrity of your software and applications.


Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.