





Beginning on June 1, 2023, at 00:00 UTC, industry standards will mandate that private keys for code signing certificates must be stored on hardware that meets specific security certifications such as FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.
This requirement applies to all new code signing certificate requests and requests for renewal and reissue of existing certificates.
DigiCert has implemented a timeline for changing its code signing certificate process. The goal is to ensure private keys for code signing certificates are stored securely on hardware that meets specific certifications.
These changes are scheduled to be completed by May 30, 2023. In addition, DigiCert has set a deadline of May 16, 2023, for users to transition to the supported provisioning methods.
Several changes have been made to DigiCert’s CertCentral platform, Services API, and account settings. CertCentral allows users to set a default provisioning method for code signing and EV code signing orders.
On May 2, 2023, the following changes were implemented:
CertCentral: When ordering or renewing a code signing certificate, users must utilize one of the new hardware token and hardware security module (HSM) provisioning methods.
Services API: Code signing certificate API integrations should be updated. Starting May 2, the Services API will support code signing orders using the current CSR form or the new provisioning methods.
CertCentral Account Settings: Users can set a default provisioning method for code signing and EV code signing orders in their CertCentral account settings.
Additionally, a default shipping address can be added for DigiCert-provided tokens. DigiCert will use the default settings associated with the user’s account if a code signing certificate request is submitted without specifying a provisioning method or a required token shipping address.
Other changes occurring on May 2, 2023, include updates to the CertCentral code signing certificate request form, preferences page, EV code signing certificates, and API integrations.
On May 16, 2023, the following changes will take effect:
DigiCert will no longer accept code signing requests that utilize the current CSR form. Users must discontinue using the DigiCert Certificate Utility to create certificate signing requests (CSRs) for code signing certificates. This applies to new requests and requests for renewal and reissue of existing certificates.
Changes will be made to the code signing certificate order form, CertCentral Preferences page, reissue code signing certificates, and API integrations for both code signing and EV code signing certificates.
On May 30, 2023, the following changes will be implemented:
These changes implemented by DigiCert aim to enhance the security and efficiency of the code signing certificate process.
Currently, when requesting a new, renewal, or reissue code signing certificate, you can use the CSR (certificate signing request) form.
If you include a CSR with your certificate request, you can easily download the issued certificate from your CertCentral account.
However, if you don’t include a CSR, DigiCert will send you instructions via email on how to use the DigiCert KeyGen tool to generate your code signing certificate.
To ensure higher security, they have introduced new supported provisioning methods that guarantee the storage of your private key and certificate on hardware certified with FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.
You get an offer of two options for hardware token provisioning:
Additionally, you have the option to install the certificate on a hardware security module (HSM):
We wanted to bring your attention to some noteworthy developments in the field of code signing and EV code signing certificate integrations that occurred on May 16. These updates aim to enhance security measures and provide improved functionality for developers and organizations.
On May 16, several API changes were implemented, specifically targeting code signing and EV code signing certificate integrations. These changes are designed to streamline the process of code signing, making it more secure and efficient.
With the updated APIs, developers can easily integrate code signing capabilities into their workflows and ensure the authenticity and integrity of their software.
These API changes include enhanced certificate management features, improved validation processes, and stricter security measures. By adhering to these updates, developers can leverage the latest advancements in code signing technology, resulting in stronger trust relationships and better protection against tampering or unauthorized modifications.
May 16 API changes for code signing and EV code signing certificate integrations, coupled with the introduction of the DigiCert cloud-based HSM solution, mark significant milestones in the realm of software security.
These developments empower developers and organizations with enhanced capabilities to protect their software, establish trust with end-users, and maintain the integrity of their code.
Let us further discuss briefly the cloud-based HSM Solution of DigiCert.
In addition to the API changes, a significant advancement in the form of a new DigiCert cloud-based Hardware Security Module (HSM) solution has been introduced. HSMs are specialized devices or software solutions that provide secure key storage and cryptographic operations for sensitive data.
The DigiCert cloud-based HSM solution offers a secure and scalable environment for managing cryptographic keys and performing cryptographic operations required for code signing and EV code signing certificates.
By leveraging this cloud-based HSM solution, organizations can enhance the security of their code signing infrastructure, reduce operational complexities, and ensure compliance with industry regulations.
The key benefits of the DigiCert cloud-based HSM solution include increased key protection, improved scalability, simplified key lifecycle management, and seamless integration with existing code signing workflows.
This solution serves as a robust foundation for organizations looking to bolster their code signing practices and fortify the security of their software.
A: The new requirement eliminates browser-based key generation and certificate installation support. It affects the process of creating a Certificate Signing Request (CSR) and installing the code signing certificate on a laptop or server.
You may need to find alternative methods or contact your Certificate Authority (CA) for guidance on proceeding with your pending code signing certificate orders.
A: The new HSM process involves utilizing a dedicated hardware security module (HSM) to provide a secure environment for managing cryptographic keys and performing cryptographic operations. HSMs offer robust physical and logical security measures, key generation and management capabilities, and secure APIs for integrating with software applications, ensuring cryptographic operations’ confidentiality, integrity, and trustworthiness.
A: The changes in requirements may impact your Code Signing and EV Code Signing certificate API integrations. You may need to update your API integration to align with the new process that no longer supports browser-based key generation and certificate installation. It is advisable to consult with your Certificate Authority (CA) or review their documentation to understand the specific changes and make the necessary adjustments to your API integrations.
On May 30, 2023, DigiCert will launch DigiCert KeyLocker offering a cloud-based solution to eliminate the need for physical tokens.
KeyLocker provides a secure environment for code signing and extended validation (EV) code signing private keys, meeting the requirements set by the CA/B Forum.
It ensures strong key protection, secure key storage, key generation, and signing without the constraints associated with physical tokens.
Also there is another option, DigiCert® Software Trust Manager for automated software signing solutions. You can get more details about it at https://www.digicert.com/.