Starting June 1st, 2023 at 00:00 UTC, all private keys for standard code signing certificates must be stored on hardware that is certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with the security standards for EV (Extended Validation) code signing certificates.
New Requirements for Standard Code Signing
The new private key storage requirement applies to code signing certificates issued from June 1st, 2023 onwards, and will affect the following parts of your signing process:
* Signing code
* Ordering and renewing certificates
* Reissuing certificates
Ordering and renewing code signing certificates
This new requirement means that Certificate Authorities (CAs) will no longer be able to support browser-based key generation and certificate installation, or any other process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server.
Reissuing certificates after June 1st, 2023
When reissuing code signing certificates, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from the Certificate Authority at that time.
Alternative to hardware tokens
SSLPOINT partners with Certum, the leading Certificate Authority in Europe, to bring you the “Code Signing in the Cloud” product line as an alternative. With this software-based solution, the private key is stored in a virtual vault and therefore meets the high requirements of the industry standard. No additional hardware token is required.
You can order Certum “Code Signing in the Cloud” certificates here: Certum Code Signing Certificates
The new requirements will be applied from June 1st, 2023. The original date (November 15th, 2022) was amended to give participants more time for this significant change.
CAB Ballot CSC-13: Update to Subscriber Key Protection Requirements
CAB Ballot CSC-17: Subscriber Private Key Extension