Protect private keys

DigiCert requires all code signing private keys to be stored and managed in accordance with the code signing baseline requirements. These requirements reduce the risk of key compromise and maintain the integrity of signed software.

Control access to keys

Maintain access controls for all code signing keys and limit their distribution. Keep a record of who has access to each key. Restricting distribution helps enforce accountability for key use.

Physically secure the key storage device

Keep the device storing the private key in a locked desk drawer, cabinet, or room. Do not leave key storage devices on desks, in unlocked drawers, or in any location where they can be taken or copied.

Use a strong password

Passwords used to transport private keys must contain at least 16 randomly generated characters including uppercase letters, lowercase letters, numbers, and symbols. Avoid dictionary words, personal information, sequential characters, or other predictable patterns.
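As an added example (not DigiCert's code or tooling), the following Python generates a transport password from the operating system's CSPRNG and checks a candidate against the policy above: minimum 16 characters, all four character classes, and no dictionary words, sequential runs, or repeated characters. The symbol set, the run length of four, and the small `COMMON_WORDS` list are assumptions for illustration; a real deployment would check against a full word list.

```python
import secrets
import string

# Policy stated on the page: at least 16 randomly generated characters drawn
# from uppercase, lowercase, digits and symbols, with no predictable patterns.
MIN_LENGTH = 16
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"          # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed sample list; substitute a real dictionary in practice.
COMMON_WORDS = {"password", "digicert", "signing", "welcome",
                "secret", "qwerty", "letmein"}


def _has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if any window of `run` characters ascends or descends by one (abcd, 4321)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        deltas = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if deltas in ({1}, {-1}):
            return True
    return False


def _has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if the same character appears `run` times in a row (aaaa, !!!!)."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def check_transport_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if _has_sequential_run(pw):
        problems.append("contains a sequential run")
    if _has_repeated_run(pw):
        problems.append("contains a repeated character run")
    return problems


def generate_transport_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG and retry until the policy check passes.

    Each class is present with overwhelming probability at this length, so the
    loop almost always exits on the first iteration.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_transport_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Password1234!!!!", "Tq7#mK2$pL9@vR4!", generate_transport_password()):
        print(repr(sample), check_transport_password(sample) or "OK")
```

The checker is the part worth keeping: run it over whatever password a person proposes for moving a key between devices, and refuse the transfer until it returns an empty list.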

Store the private key on certified hardware

Store the private key on a cryptographic device certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+. Private key export from these certified devices is not permitted. Most certified devices include multifactor authentication.

Notice

DigiCert recommends using a separate test signing certificate to sign prerelease code. Keep the test signing certificate trusted only in the test environment. Test signing certificates can be self-signed or issued by an internal test CA.
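To show what a self-signed test signing certificate looks like, and how a release pipeline can tell it apart from a CA-issued one, here is an added Python example using the `cryptography` library (this is not DigiCert's code). The subject name, the 30-day validity and the `allowed_for_release` gate are assumptions; the point is that the certificate is marked non-CA, restricted to the code signing extended key usage, and rejected outside the test environment.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Hypothetical subject; a loud common name makes the certificate's purpose
# obvious to anyone who inspects a signed prerelease build.
TEST_SUBJECT = "Prerelease Test Signing - NOT FOR RELEASE"


def make_test_signing_cert(days_valid: int = 30):
    """Generate a self-signed, non-CA certificate limited to code signing.

    Returns (private_key, certificate). The key is generated in memory here;
    in practice the test key should still live on a device kept in the test lab.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=3072)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, TEST_SUBJECT)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)            # self-signed: issuer equals subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days_valid))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=False, data_encipherment=False,
                key_agreement=False, key_cert_sign=False, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
        # Only the codeSigning EKU, so the certificate is useless for TLS or email.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def is_test_signing_cert(cert: x509.Certificate) -> bool:
    """True if the certificate is self-signed, non-CA and limited to code signing."""
    if cert.issuer != cert.subject:
        return False
    try:
        basic = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return not basic.ca and list(eku) == [ExtendedKeyUsageOID.CODE_SIGNING]


def allowed_for_release(cert: x509.Certificate) -> bool:
    """Release gate (assumed policy): a self-signed certificate never signs release builds."""
    return cert.issuer != cert.subject


if __name__ == "__main__":
    _, test_cert = make_test_signing_cert()
    print("test signing cert:", is_test_signing_cert(test_cert))
    print("allowed for release:", allowed_for_release(test_cert))
```

Trust for the resulting certificate belongs only in the test machines' stores; `allowed_for_release` is the kind of check a build server can run before it signs anything destined for customers.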

What's next

See Request code signing certificate to order a Code Signing or EV Code Signing certificate.