Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection.
Generating Sectigo OV and EV Code Signing certificates
There are two options available:
- The certificate applicant chooses to have Sectigo install the certificate on suitable hardware (e.g. a token) and ship it to them.
- The certificate applicant already has suitable hardware, generates a non-exportable key pair, a certificate signing request (CSR), and a key attestation on it, and includes the CSR and key attestation in their certificate request. The key attestation is a file generated by the HSM and contains the required evidence that the private key was generated in suitable hardware.
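The check that the applicant-supplied key attestation in the second option makes possible, as an added example that is not Sectigo's, DigiCert's or any HSM vendor's code: a CSR is accepted only if its signature is valid, the attestation certificate chains to the trusted vendor root, and the attested public key is the CSR's public key. The vendor root, device attestation and publisher CSR are constructed in software here so the example runs offline; a real attestation chains to the token vendor's attestation root and its exact format depends on the HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newKey generates a P-256 key pair; in the real flow the applicant's key is generated inside the token or HSM.
func newKey() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); if err != nil { panic(err) }; return k }
// mkCert issues a certificate for pub, signed by parent/parentKey (self-signed when parent is nil).
func mkCert(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// VerifyAttestedCSR runs the three checks an attestation service needs: the CSR signature (proof of possession),
// the attestation certificate's chain to the trusted vendor root, and that the attested key is exactly the CSR key.
func VerifyAttestedCSR(csrDER []byte, attest *x509.Certificate, roots *x509.CertPool) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return err }
	if err := csr.CheckSignature(); err != nil { return err }
	if _, err := attest.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil { return err }
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey) // a genuine attestation for some other key proves nothing about this CSR
	if !ok || !pub.Equal(attest.PublicKey) { return errors.New("CSR public key is not the attested key") }
	return nil
}

// Demo builds a constructed toy vendor root and device attestation, then verifies a CSR signed with the attested device key or, when useAttestedKey is false, with an unattested software key.
func Demo(useAttestedKey bool) error {
	rootKey, devKey, csrKey := newKey(), newKey(), newKey()
	root := mkCert(1, "Toy Vendor Attestation Root (constructed)", true, &rootKey.PublicKey, nil, rootKey)
	attest := mkCert(2, "Toy device key attestation (constructed)", false, &devKey.PublicKey, root, rootKey)
	roots := x509.NewCertPool(); roots.AddCert(root)
	if useAttestedKey { csrKey = devKey }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Publisher (constructed)"}}, csrKey)
	if err != nil { panic(err) }
	return VerifyAttestedCSR(csr, attest, roots)
}
```

Demo(true) returns nil, while Demo(false) fails on the key-match check even though the CSR and the attestation are each individually valid, which is the case an attestation service has to catch.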
Currently, the Sectigo Key-Attestation Service supports verifying cryptographic data produced by the following hardware modules:
- Luna Network Attached HSM, Version 7.x
- Luna Cloud HSM
- YubiKey 5 FIPS Series
- Google Cloud KMS
- Fortanix
If the HSM is provided by Sectigo CA, the token and shipping costs are charged additionally.
Generating DigiCert and GoGetSSL OV and EV Code Signing certificates
Like EV code signing, OV code signing certificates have three provisioning options for tokens and HSMs:
- Use a DigiCert-provided preconfigured hardware token.
- Use your own supported hardware token. You must have one of the approved hardware tokens listed below:
  - SafeNet eToken 5110 FIPS (ECC only)
  - SafeNet eToken 5110 CC (RSA 4096 and ECC)
  - SafeNet eToken 5110+ FIPS
- Install on a hardware security module (HSM).
Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.
If the hardware token is provided by DigiCert CA, the token and shipping costs are charged additionally.
Code signing with a hardware token or HSM
To use a token-based code signing certificate, you need access to the hardware token or HSM and the credentials for the certificate stored on it. For token-based code signing, plug the hardware token into your computer and enter its password to sign your code with the code signing certificate on the token.
Reissuing certificates
If you need to reissue a code signing certificate on or after June 1, 2023, you must install the reissued certificate on a supported hardware token or HSM. If you do not have a token, you can purchase one from the CA at that time.
Note: You do not need to reissue code signing certificates issued prior to June 1, 2023, to remain compliant. These certificates are not affected by the new requirement unless you reissue them.