Baseline Requirements (BRs) for granting CodeSigning Certificates have been updated, according to the Certificate Authority/Browser (CA/B) Forum. For both Standard and EV CodeSigning Certificates, a private key must be created and secured in a FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant device effective on June 1, 2023.
This would imply that for users of Standard CodeSigning Certificates, the key pair needs to be created and maintained in a hardware cryptographic module that fulfills FIPS 140-2 level 2 or Common Criteria EAL 4+ standards. Additionally, the updates outline precise methods of how the CA will make sure that the private key is created and secured on the compliant device.
How does my code signing certificate process get impacted by these new requirements?
As of June 1, 2023, the following aspects of your code signing process will be affected by the new private key storage requirement:
Due to this new rule, Certificate Authorities (CAs) are no longer permitted to enable browser-based key creation, certificate installation, or any other process that involves generating a Certificate Signing Request (CSR) and installing your certificate on a computer, server, or other device.
Private keys and certificates must be maintained and installed on FIPS 140-2 tokens or HSMs verified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
To utilize a token-based code signing certificate, you must have access to the token or HSM as well as the login information for the certificate that has been stored.
For token-based code signing, you must pair the token to your computer. To sign your code using the code signing certificate on the token, you will then need the password.
You must choose a provisioning method when ordering or renewing a standard code signing certificate. In other words, you select the hardware that will store the private key. Certera offers the following option:
– Certera provided hardware token
Note: The hardware tokens or HSM devices must meet the requirements of FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.
You need to install the certificate on a compatible hardware token or HSM when reissuing code-signing certificates. You can purchase a token from Certera if you don’t have one.
On June 1st, 2023, in Coordinated Universal Time (UTC), modifications to the CA/Browser regulations will take effect.
Be aware, however, that not all CAs will wait until the deadline to implement these changes. Many CAs may choose to implement them sooner, so they will begin preparing before the official effective date to give themselves buffer time.
While there is no doubt that the end user’s private key security is the primary aim for the changes, it is crucial to realize that CAs will experience a significant effect on operations.
Anyone seeking to obtain an OV code signing certificate after June 1st, 2023, may be affected by the changes to the CA/B Forum regulations. Certificate authorities must streamline the entire process of creating, storing, and auditing private keys, so applicants will notice a major change in the way OV code signing certificates are issued.
These recent changes to the CA/B Forum regulations affect the initial stage of the OV code signing procedure, i.e., the CSR generation process. That stage starts with creating a private key, together with the organization's key information, which every CA must verify before issuing the certificate.
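As an added example (not from the article and not Certera's own tooling), the request file below asks Windows certreq to generate the key pair directly on the token's key storage provider and build the CSR from it, so the private key never exists in software. The provider name and subject are assumptions; replace them with the values your token vendor documents (`certutil -csplist` shows the providers installed on your machine).

```powershell
# Added example: generate the code signing key on the hardware token and create the CSR.
# Assumes Windows with certreq.exe/certutil.exe and the token's client software installed.
# The provider name below is an assumption; use the KSP your token vendor documents.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Constructed sample subject; use your organization's verified legal details
Subject = "CN=Example Software Ltd, O=Example Software Ltd, L=London, C=GB"
KeyAlgorithm = RSA
KeyLength = 3072
HashAlgorithm = sha256
; The key must be created on the token, not in the software provider
ProviderName = "SafeNet Smart Card Key Storage Provider"
; Non-exportable: the private key cannot be copied off the device
Exportable = FALSE
MachineKeySet = FALSE
; Digital signature key usage (0x80)
KeyUsage = 0x80
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Code Signing
OID = 1.3.6.1.5.5.7.3.3
'@

# Single-quoted here-string keeps "$Windows NT$" literal; write as ASCII for certreq
Set-Content -Path .\codesign.inf -Value $inf -Encoding ASCII

# certreq prompts for the token password when it creates the key on the device
certreq -new .\codesign.inf .\codesign.csr

# Check: the key container should be listed under the token's provider, not the software KSP
certutil -key -csp "SafeNet Smart Card Key Storage Provider"

# After the CA issues the certificate, bind it to the key that lives on the token
# certreq -accept .\codesign.cer
```

Submit `codesign.csr` to the CA; the matching certificate is later installed onto the same token with `certreq -accept`, so signing always requires the token and its password.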
Here are a few details that a private key might have for a verification procedure:
Your company’s legal identity is its operational existence, and this must be verified before a code signing certificate gets issued. For your organization, the verification procedure with operational existence includes legal registration and data from outside sources.
Your physical address must be genuine, and it must be verified using information from outside sources and your officially registered address with the proper authorities.
Business contact information has to be verified as well, so CAs review it.
In conclusion, the new requirement for code signing certificates’ private keys to be stored securely is a crucial step in guaranteeing the security and integrity of software code.
The update makes code signing more trustworthy by better protecting it against threats such as malware and other security breaches. Every participant engaged in code signing is obligated to abide by these new specifications.
From June 1st, 2023, the new criteria will be in effect. To allow participants more time to get used to this massive change, the original date (November 15, 2022) was changed.