OV code signing certificates requirements are changing
Starting on November 15, 2022, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection. See Code Signing Baseline Requirements, current version.
How do these new requirements affect my code signing certificate process?
The new private storage key requirement affects code signing certificates issued from November 15, 2022, and impacts the following parts of your code signing process:
Want to eliminate the need for individual tokens?
Transition to DigiCert® Secure Software Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process.
To learn more about how DigiCert Secure Software Manager has helped other organizations, see our case study Automated Signing Speeds Build Times While Improving the User Experience.
CertCentral: DigiCert KeyGen, our new key generation service
DigiCert is happy to announce our new key generation service—KeyGen. Use KeyGen to generate and install your client and code signing certificates from your browser. KeyGen can be used on macOS and Windows and is supported by all major browsers.
With KeyGen, you don't need to generate a CSR to order your client and code signing certificates. Place your order without a CSR. Then after we process the order and your certificate is ready, DigiCert sends a "Generate your Certificate" email with instructions on using KeyGen to get your certificate.
How does KeyGen work?
KeyGen generates a keypair and then uses the public key to create a certificate signing request (CSR). KeyGen sends the CSR to DigiCert, and DigiCert sends the certificate back to KeyGen. Then KeyGen downloads a PKCS12 (.p12) file to your desktop that contains the certificate and the private key. The password you create during the certificate generation process protects the PKCS12 file. When you use the password to open the certificate file, the certificate gets installed in your personal certificate store.
To learn more about generating client and code signing certificates from your browser, see the following instructions: