
OV code signing certificates requirements are changing

Starting on November 15, 2022, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with the private key protection already required for EV (Extended Validation) code signing certificates. See the CA/Browser Forum Code Signing Baseline Requirements, current version.

How do these new requirements affect my code signing certificate process?

The new private key storage requirement affects code signing certificates issued from November 15, 2022, and impacts the following parts of your code signing process:

  • Private key storage and certificate installation
    Certificate Authorities (CAs) can no longer support browser-based key generation and certificate installation, or any other process in which a CSR (Certificate Signing Request) is created and the certificate is installed on a laptop or server. Private keys and certificates must be generated, stored, and installed on tokens or HSMs (hardware security modules) certified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
  • Signing code
    To use a token-based code signing certificate, you need physical or network access to the token or HSM and the credentials (for example, the token PIN) needed to use the certificate stored on it.
  • Ordering and renewing certificates
    When ordering or renewing an OV code signing certificate, you must select the hardware on which the private key will be stored: a DigiCert-provided hardware token, your own supported hardware token, or a hardware security module (HSM).
  • Reissuing certificates
    When reissuing a code signing certificate, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase one from DigiCert at that time.

Want to eliminate the need for individual tokens? 

Transition to DigiCert® Secure Software Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process. 

Key capabilities: 

  • HSM key storage—industry compliant 
  • Policy enforcement 
  • Centralized management
  • Integration with CI/CD pipelines 
  • And more 

To learn more about how DigiCert Secure Software Manager has helped other organizations, see our case study "Automated Signing Speeds Build Times While Improving the User Experience".