Simplifying Code Signing Certificate Delivery Methods (Private Key Storage Options)

1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)
loadingLoading...
Code Signing Certificate Key Delivery Methods

At SignMyCode, we understand the importance of streamlined and secure code signing certificate delivery. Our certificate delivery methods have been updated to ensure compliance with the latest standards.

This article pertains to Code Signing certificates acquired after May 14, 2023.

All Code Signing certificates now require installation on physical hardware tokens.

For Individual Code Signing(IV), Organization Validation (OV) or Extended Validation (EV) Code Signing certificates, we offer two options:

  • Purchasing Pre-configured Certificate Tokens
  • Installing the Certificate on your Existing Hardware Device.

Note: Currently, the supported hardware includes:

  • Thales/Safenet Luna and netHSM devices
  • Yubico FIPS Yubikeys (for ECC keys only)

When purchasing your code signing certificate from us, selecting the appropriate Code Signing Certificate Delivery Method that suits your needs is essential.

Please carefully consider your choice before finalizing the purchase, as the delivery method cannot be modified later.

What are the Multiple Modes of Delivery for Secure Key Storage?

We offer four convenient delivery methods for your certificate, ensuring flexibility and reliability. Below are the available options:

Option 1:  Existing HSM for Installation (For Users Who Have Own Hardware Security Module)

If you are an advanced user and already possess a compatible Hardware Security Module (HSM), you can choose the Install on Existing HSM method.

This option grants you the flexibility to install the code signing certificate on your own device. It is crucial to note that your HSM must meet at least the FIPS 140-2 level 2 standard. We recommend this option for experienced users who are well-versed in HSM technology.

Existing Token Supports HSM Devices are:

YubiKey FIPS Series and Luna.

If you already own a compatible Hardware Security Module (HSM) device such as the YubiKey FIPS Series or Luna (please refer to the version supported by Sectigo), you can choose the “Use Existing Token” method. This option allows you to use your HSM device for code signing, ensuring convenience and familiarity.

Option 2: Token & US Shipping (New HSM from Certificate Authority Shipped to US Address)

If you prefer to have a new Hardware Security Module (HSM) device shipped to a US address, you can select the “Token & US Shipping” method. SignMyCode will provide you with a new HSM from Sectigo(Formely Comodo) and Certera, ensuring compatibility and optimal performance. The shipping service will deliver the HSM device directly to your specified US address.

Also, for a convenient and hassle-free experience, you can pick the Token + Shipping process. This option allows you to order a pre-configured token directly from the Certificate Authority. The cost of the hardware and shipping fees will be included in the overall purchase price. This option is recommended for most users.

Option 3: Token & International Shipping

We offer the “Token & International Shipping” method for customers outside the United States. With this option, you can have a new Hardware Security Module (HSM) device from Sectigo (Formerly Comodo) or Certera shipped to your international address. This ensures that you can securely sign your code regardless of your location.

Option 4: Token & Expedited US Shipping (New HSM from Reputed CA Shipped via UPS Next Day)

If you require urgent delivery of a new Hardware Security Module (HSM) device, you can select the “Token & Expedited Shipping” method.

This ensures that your new HSM device from Sectigo or Certera CA will be delivered to your US address the next day, guaranteeing minimal downtime and uninterrupted code signing operations.

Prerequisites for Sectigo Code Signing HSM:

If you opt for Sectigo Code Signing certificates, you must provide an Attestation bundle from your HSM during the certificate order generation process.

The following HSM brands are supported for Sectigo Code Signing certificates:

  • Yubikey 5 FIPS
  • LUNA Network Attached is HSM, version 7+

That’s all about Sectigo ( Formerly Comodo) and Certera Sub CA. Now Let’s understand the delivery modes of DigiCert CA.

Delivery Options provided by DigiCert:

DigiCert CA ensures a smooth and secure code signing certificate delivery process offering various delivery options to cater to your specific needs. Here are the available delivery methods:

Token & Standard Shipping:

If you prefer to receive a new hardware token along with your code signing certificate, you can select the “Token & Standard Shipping” option. Using standard shipping services, they will ship the hardware token to your specified address US or International. This ensures that you have a dedicated token for securely signing your code.

Use Existing Token:

For customers who already possess a compatible hardware token get the “Use Existing Token” option. By selecting this method, you can utilize your token for code signing. This option provides flexibility and convenience, allowing you to continue using your trusted hardware device.

Install on Existing HSM:

If you have a compatible Hardware Security Module (HSM) and prefer to install the code signing certificate on your existing device, you can choose the “Install on Existing HSM” method.

This option allows you to leverage the capabilities of your HSM for code signing. It is suitable for advanced users familiar with HSM technology and with the necessary infrastructure.

By providing these delivery options, DigiCert CA ensures that you have the flexibility to choose the most suitable method for your code signing certificate. You are covered whether you prefer a new hardware token, want to use your existing token or install the certificate on your HSM. Select the appropriate delivery method that aligns with your requirements and enjoy a streamlined and secure code signing process with DigiCert CA.

How to Use an Existing Token for Installing a DigiCert Code Signing?

For DigiCert Code Signing Certificates, you can install them on an existing SafeNet USB device.

The following SafeNet series are supported:

  • SafeNet eToken 5110+ FIPS
  • SafeNet eToken 5110 CC (RSA 4096 & ECC)
  • SafeNet eToken 5110 FIPS (ECC ONLY)

Ways to Alter the Delivery Method of Your Certificate

Once your purchase is completed, the certificate delivery method cannot be changed. However, if you realize you selected an incorrect delivery method, you can cancel your order through your account dashboard.

Following the cancellation, you can proceed to purchase another certificate with your preferred delivery method selected.

We constantly strive to provide an effortless code signing certificate experience.

By offering multiple delivery options and ensuring compliance with the latest security standards, we aim to simplify the process for our valued customers.

Choose the right delivery method for your needs and enjoy the benefits of secure and reliable code signing.

Hassle-Free Token Based Code Signing Certs

Buy Code Signing Certificate with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent Hardware Tokens from SignMyCode at Affordable Prices Starts at $179.99/Yr.

Buy Token Based Code Signing Certificate

Related posts:

  1. DigiCert Code Signing Changes: New Private Key Storage & API Modifications
  2. What is a Certificate Authority & Key Role of Certificate Authority
  3. 3072-bit Key Length: Additional Strength to Code Signing Certificate
  4. Code Signing Certificate vs SSL Certificates: Key Differences

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.

Leave a comment

Your email address will not be published. Required fields are marked *