New Private Key Storage Requirement for Code Signing Certificate

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
New Private Key Requirements


Baseline Requirements (BRs) for granting CodeSigning Certificates have been updated, according to the Certificate Authority/Browser (CA/B) Forum. For both Standard and EV CodeSigning Certificates, a private key must be created and secured in a FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant device effective on June 1, 2023.

This would imply that for users of Standard CodeSigning Certificates, the key pair needs to be created and maintained in a hardware cryptographic module that fulfills FIPS 140-2 level 2 or Common Criteria EAL 4+ standards. Additionally, the updates outline precise methods of how the CA will make sure that the private key is created and secured on the compliant device.

Reasons Behind These Changes

  • It has been observed that certificates that permit the export of confidential data are less secure and more prone to unauthorized usage. 
  • By implementing safer key storage constraints, the update makes it possible for code signing to be more thoroughly trusted.
  • It assists users in limiting the widespread of malicious software, trojans, and other types of technology-based malicious viruses by preventing unauthorized intervention or modification of software.

New Requirements for Standard Code Signing

How does my code signing certificate process get impacted by these new requirements?

As of June 1, 2023, the following aspects of your code signing process will be impacted by the new private storage key requirement:

  • Private key storage and certificate installation
  • Signing code
  • Ordering and renewing certificates
  • Reissuing certificates

Private Key Storage and Certificate Installation

Due to this new rule, Certificate Authorities (CAs) are no longer permitted to enable browser-based key creation, certificate installation, or any other process that involves generating a Certificate Signing Request (CSR) and installing your certificate on a computer, server, or other device.

Private keys and certificates must be maintained and installed on FIPS 140-2 tokens or HSMs verified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.

Signing Code

To utilize a token-based code signing certificate, you must have access to the token or HSM as well as the login information for the certificate that has been stored.

For token-based code signing, you must pair the token to your computer. To sign your code using the code signing certificate on the token, you will then need the password.

Ordering and Renewing Code Signing Certificates

You must choose a provisioning method when ordering or renewing a standard code signing certificate. To put it another way, select the hardware that can store the private key. Check the options of Certera.

– Certera provided hardware token

  • Existing supported hardware token (With Token & US Shipping -$89.99)
  • Existing supported hardware token (With Token & International Shipping -$129.99)
  • Existing supported hardware token (With Token & Expedited Shipping -$139.99)

Note: The Hardware tokens or HSM devices have to fulfill the requirements of FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.

Reissuing Certificates

You need to install the certificate on a compatible hardware token or HSM when reissuing code-signing certificates. You can purchase a token from Certera if you don’t have one.

When Will the Change Become Official?

On June 1st, 2023, in Coordinated Universal Time (UTC), modifications to the CA/Browser regulations will take effect.

But you must know that not all CAs will be ready to implement these changes. Many CAs could choose to implement the changes sooner to improve compliance at the same time. Therefore, they will initiate preparing for the changes before the official launch to ensure buffer time.

While there is no doubt that the end user’s private key security is the primary aim for the changes, it is crucial to realize that CAs will experience a significant effect on operations.

Who will be Affected by these Modifications?

Anyone seeking to get an OV code signing certificate after June 1st, 2023, could be impacted by changes to the CA/B Forum regulations. The entire process of creating, storing, and auditing private keys must be made easier by certificate authorities. Therefore, they will notice a major change in the way OV code signing certificates are issued.

These recent changes in the CA/B Forum regulations can impact the OV code signing procedure’ initial stage i.e., the CSR generation process. It starts with a private key creation with key information for the organization that every CA requires to verify to issue the certificate.

Here are a few details that a private key might have for a verification procedure:

Operational Existence:

Your company’s legal identity is its operational existence, and this must be verified before a code signing certificate gets issued. For your organization, the verification procedure with operational existence includes legal registration and data from outside sources.

Evidence of Existence:

Your physical address must be genuine, and it must be verified using information from outside sources and your officially registered address with the proper authorities.

Contact Details for Companies:

Business contact information has to be verified, consequently CAs review it

Important Implications (A Snippet of the Upcoming OV Code Signing Certificate Changes)

  • The hardware crypto module can be used by the user for storing private keys, which must be managed by an HSM, a cloud-based service, and credible CA’s signing services.
  • The essential function of CAs is to guarantee the creation of private keys using a FIPS 140-2 level 2 compliant device.
  • The report for key-pair creation in the subscriber-hosted or cloud-based HSM will be monitored and signed by an auditor.
  • Users must provide consent to use the code signing certificate.

In conclusion, the new requirement for code signing certificates’ private keys to be stored securely is a crucial step in guaranteeing the security and integrity of software code.

The update makes it possible for code signing to be more proficiently trusted from threats like malware and other security breaches. Every participant engaged in code signing are obligated to abide by these new specifications.


From June 1st, 2023, the new criteria will be in effect. To allow participants more time to get used to this massive change, the original date (November 15, 2022) was changed.

Janki Mehta

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.