DigiCert Code Signing Changes: New Private Key Storage & API Modifications

DigiCert Code Signing Certificate Changes 2023

Beginning on June 1, 2023, at 00:00 UTC, industry standards will mandate that private keys for code signing certificates must be stored on hardware that meets specific security certifications such as FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.

This requirement applies to all new code signing certificate requests and requests for renewal and reissue of existing certificates.

Major Changes in DigiCert Code Signing, by Date

DigiCert has implemented a timeline for changing its code signing certificate process. The goal is to ensure private keys for code signing certificates are stored securely on hardware that meets specific certifications.

These changes are scheduled to be completed by May 30, 2023. In addition, DigiCert has set a deadline of May 16, 2023, for users to transition to the supported provisioning methods.

First Update on CertCentral:

Several changes have been made to DigiCert’s CertCentral platform, Services API, and account settings. CertCentral allows users to set a default provisioning method for code signing and EV code signing orders.

On May 2, 2023, the following changes were implemented:

CertCentral: When ordering or renewing a code signing certificate, users must utilize one of the new hardware token and hardware security module (HSM) provisioning methods.

Services API: Code signing certificate API integrations should be updated. Starting May 2, the Services API will support code signing orders using the current CSR form or the new provisioning methods.

CertCentral Account Settings: Users can set a default provisioning method for code signing and EV code signing orders in their CertCentral account settings.

Additionally, a default shipping address can be added for DigiCert-provided tokens. DigiCert will use the default settings associated with the user’s account if a code signing certificate request is submitted without specifying a provisioning method or a required token shipping address.

Other changes occurring on May 2, 2023, include updates to the CertCentral code signing certificate request form, preferences page, EV code signing certificates, and API integrations.

Second Update on DigiCert Utility Tool:

On May 16, 2023, the following changes will take effect:

DigiCert will no longer accept code signing requests that utilize the current CSR form. Users must discontinue using the DigiCert Certificate Utility to create certificate signing requests (CSRs) for code signing certificates. This applies to new requests and requests for renewal and reissue of existing certificates.

Changes will be made to the code signing certificate order form, CertCentral Preferences page, reissue code signing certificates, and API integrations for both code signing and EV code signing certificates.

Third Update on Private Key Storage:

On May 30, 2023, the following changes will be implemented:

  • DigiCert will cease issuing code signing certificates that use the current CSR form due to new requirements for secure private key storage.
  • From May 30 onwards, DigiCert will not issue certificates for pending requests that were submitted using the current CSR form. Users with such requests must cancel and resubmit with an alternative provisioning method.
  • There will be changes to DigiCert-provided hardware tokens. These tokens will cost $120.00 (USD) and be shipped blank. Users will be responsible for installing the code signing certificate on the token themselves.
  • Additionally, modifications will be made to the hardware security module (HSM) provisioning method and EV Code Signing certificate revocation process.

These changes implemented by DigiCert aim to enhance the security and efficiency of the code signing certificate process.

Differences in Current and Future Hardware Tokens and CSR

Currently, when requesting a new, renewal, or reissue code signing certificate, you can use the CSR (certificate signing request) form.

If you include a CSR with your certificate request, you can easily download the issued certificate from your CertCentral account.

However, if you don’t include a CSR, DigiCert will send you instructions via email on how to use the DigiCert KeyGen tool to generate your code signing certificate.

To ensure higher security, they have introduced new supported provisioning methods that guarantee the storage of your private key and certificate on hardware certified with FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.

Two options are offered for hardware token provisioning:

Option 1: DigiCert-provided Hardware Token:

  • They will ship the hardware token containing the certificate to your specified shipping address.
  • You will receive instructions via email on how to install the certificate on the supported token.

Option 2: Use your Own Supported Hardware Token:

  • You will receive instructions via email on how to install the certificate on your supported token.

Option 3: Install on Existing HSM:

Additionally, you have the option to install the certificate on a hardware security module (HSM):

  • You will need a Common Criteria EAL4+ or FIPS 140-2 level 2 HSM to generate a private key.
  • You can include a CSR with your certificate request once you have the HSM.
  • They will email you a copy of your certificate, and you can install it on your HSM.
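Before choosing one of the provisioning methods above, it helps to know which of your existing code signing certificates still have software-resident or exportable private keys, since those are the ones that will not satisfy the hardware storage requirement. The following is an added example, not code from the page or from DigiCert; it is assumed to run on Windows (PowerShell 5.1 or 7), inspects the current user's personal certificate store, and uses a provider-name heuristic (smart card or TPM KSP) as an assumption about what counts as hardware-backed.

```powershell
# Added example: audit code-signing certificates in the personal store and
# report where each private key lives. Assumes Windows; RSA keys only.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-CodeSigningKeyStorage {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku) } |
        ForEach-Object {
            $cert = $_
            $provider = 'unknown'; $hardware = $false; $exportable = $true
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: read the key storage provider (KSP) name and export policy
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = ($rsa.Key.ExportPolicy -ne 'None')
                    # Assumption/heuristic: only the smart card and TPM KSPs are treated
                    # as hardware here; third-party token KSPs would need to be added
                    $hardware   = $provider -match 'Smart Card|Platform Crypto'
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: the container reports hardware and exportability directly
                    $info       = $rsa.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $hardware   = $info.HardwareDevice
                    $exportable = $info.Exportable
                }
            } catch { $provider = "error: $($_.Exception.Message)" }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Hardware   = $hardware
                Exportable = $exportable
                # A key that is not on hardware, or that can be exported, needs
                # re-provisioning under one of the options above
                NeedsReprovisioning = (-not $hardware) -or $exportable
            }
        }
}

Get-CodeSigningKeyStorage | Format-Table -AutoSize
```

Run it under the account that holds the signing certificates; pass -StorePath 'Cert:\LocalMachine\My' to audit machine-wide certificates, which needs an elevated session to read private key properties.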

API Changes for OV/EV Code Signing Certificate Integrations

We wanted to bring your attention to some noteworthy developments in the field of code signing and EV code signing certificate integrations that occurred on May 16. These updates aim to enhance security measures and provide improved functionality for developers and organizations.

On May 16, several API changes were implemented, specifically targeting code signing and EV code signing certificate integrations. These changes are designed to streamline the process of code signing, making it more secure and efficient.

With the updated APIs, developers can easily integrate code signing capabilities into their workflows and ensure the authenticity and integrity of their software.

These API changes include enhanced certificate management features, improved validation processes, and stricter security measures.

By adhering to these updates, developers can leverage the latest advancements in code signing technology, resulting in stronger trust relationships and better protection against tampering or unauthorized modifications.

May 16 API changes for code signing and EV code signing certificate integrations, coupled with the introduction of the DigiCert cloud-based HSM solution, mark significant milestones in the realm of software security.

These developments empower developers and organizations with enhanced capabilities to protect their software, establish trust with end-users, and maintain the integrity of their code.

Let us briefly discuss DigiCert's cloud-based HSM solution.

About the New DigiCert Cloud-based HSM Solution

In addition to the API changes, a significant advancement in the form of a new DigiCert cloud-based Hardware Security Module (HSM) solution has been introduced. HSMs are specialized devices or software solutions that provide secure key storage and cryptographic operations for sensitive data.

The DigiCert cloud-based HSM solution offers a secure and scalable environment for managing cryptographic keys and performing cryptographic operations required for code signing and EV code signing certificates.

By leveraging this cloud-based HSM solution, organizations can enhance the security of their code signing infrastructure, reduce operational complexities, and ensure compliance with industry regulations.

The key benefits of the DigiCert cloud-based HSM solution include increased key protection, improved scalability, simplified key lifecycle management, and seamless integration with existing code signing workflows.

This solution serves as a robust foundation for organizations looking to bolster their code signing practices and fortify the security of their software.

Name of Product                   | Validation Needs | Issuance Time | Our Price
DigiCert OV Code Signing          | Business         | 1-5 Days      | $369.99/yr
DigiCert EV Code Signing          | Extended         | 1-5 Days      | $519.99/yr
Azure Key Vault Code Signing      | Business         | 1-3 Days      | $369.99/yr
Azure Key Vault EV Code Signing   | Extended         | 1-5 Days      | $519.99/yr

Frequently Asked Questions (FAQs):

Q. How does this Affect my Pending Code Signing Certificate Orders?

A: The new requirement eliminates browser-based key generation and certificate installation support. It affects the process of creating a Certificate Signing Request (CSR) and installing the code signing certificate on a laptop or server.

You may need to find alternative methods or contact your Certificate Authority (CA) for guidance on proceeding with your pending code signing certificate orders.

Q. How does the New HSM Process Work?

A: The new HSM process involves utilizing a dedicated hardware security module (HSM) to provide a secure environment for managing cryptographic keys and performing cryptographic operations. HSMs offer robust physical and logical security measures, key generation and management capabilities, and secure APIs for integrating with software applications, ensuring cryptographic operations’ confidentiality, integrity, and trustworthiness.

Q. How does this affect my Code Signing and EV Code Signing Certificate API Integrations?

A: The changes in requirements may impact your Code Signing and EV Code Signing certificate API integrations. You may need to update your API integration to align with the new process that no longer supports browser-based key generation and certificate installation. It is advisable to consult with your Certificate Authority (CA) or review their documentation to understand the specific changes and make the necessary adjustments to your API integrations.

Want to Remove the Need for Physical Tokens?

On May 30, 2023, DigiCert will launch DigiCert KeyLocker offering a cloud-based solution to eliminate the need for physical tokens.

KeyLocker provides a secure environment for code signing and extended validation (EV) code signing private keys, meeting the requirements set by the CA/B Forum.

It ensures strong key protection, secure key storage, key generation, and signing without the constraints associated with physical tokens.

There is also another option, DigiCert® Software Trust Manager, for automated software signing. You can get more details about it at https://signmycode.com/digicert-software-trust-manager.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
