Starting June 1st, 2023 at 00:00 UTC, all private keys for standard code signing certificates must be stored on hardware that is certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with the security standards for EV (Extended Validation) code signing certificates.
New Requirements for Standard Code Signing
The new private key storage requirement applies to code signing certificates issued from June 1st, 2023 onwards, and affects the following parts of your signing process:
* Signing code
* Ordering and renewing certificates
* Reissuing certificates
Since the private key must be stored on a token, it is also no longer possible to export the certificate together with its private key as a PFX file.
Ordering and renewing code signing certificates
This new requirement means that Certificate Authorities (CAs) can no longer support browser-based key generation and certificate installation, or any other process in which you create a CSR (Certificate Signing Request) yourself and install the resulting certificate on a laptop or server.
Reissuing certificates after June 1st, 2023
When you reissue a code signing certificate, the certificate must be installed on a supported hardware token or HSM. If necessary, a hardware token must be ordered from the Certificate Authority for a fee.
SimplySign as an alternative to hardware tokens
SSLPOINT has teamed up with Certum, Europe’s top Certificate Authority, to offer you the “Code Signing SimplySign” product line. This software-based solution securely stores the private key in a virtual vault, meeting industry standards without the need for extra hardware tokens.
You can order Certum “Code Signing SimplySign” certificates here: Certum Code Signing Certificates
CAB Ballot CSC-13: Update to Subscriber Key Protection Requirements
CAB Ballot CSC-17: Subscriber Private Key Extension