🥇 New private key storage requirement for Standard Code Signing certificates - June 2023 (Update) - SSLPOINT

New private key storage requirement for Standard Code Signing certificates – June 2023 (Update)


Starting June 1st, 2023 at 00:00 UTC, all private keys for standard code signing certificates must be stored on hardware that is certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with the security standards for EV (Extended Validation) code signing certificates.

New Requirements for Standard Code Signing

The new private storage key requirement will affect code signing certificates issued from June 1st, 2023 onwards, and will have impact on the following parts of your signing process:

* Private key storage and certificate installation
* Signing code
* Ordering and renewing certificates
* Reissuing certificates

Ordering and renewing code signing certificates

This new requirement means that Certificate Authorities (CAs) will no longer be able to support browser-based key generation and certificate installation, or any other process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server.

Reissuing certificates after Junw 1st, 2023

When reissuing code signing certificates, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from the Certificate Authority at that time.

Alternative to hardware tokens

SSLPOINT partners with Certum, the leading Certificate Authority in Europe, to bring you the “Code Signing in the Cloud” product line as an alternative. With this software-based solution, the private key is stored in an virtual vault and therefore meets the high requirements of the industry standard. No additional hardware token is required.

Certum “Code Signing in the Cloud” offers an attractive pricing model, excellent support and rapid issuance as additional features.
You can order Certum “Code Signing in the Cloud” certificates here: Certum Code Signing Certificates


The new requirements will be applied from June 1st, 2023. The original date (November 15th, 2022) was amended to give participants more time for this significant change.

CAB Ballot CSC-13: Update to Subscriber Key Protection Requirements
CAB Ballot CSC-17: Subscriber Private Key Extension