Simplifying Code Signing Certificate Delivery Methods (Private Key Storage Options)

Code Signing Certificate Key Delivery Methods

At SignMyCode, we understand the importance of streamlined and secure code signing certificate delivery. Our certificate delivery methods have been updated to ensure compliance with the latest standards.

This article applies to code signing certificates purchased after May 14, 2023.

All code signing certificates now require the private key to be generated and kept on a physical hardware token; the key is no longer delivered as a downloadable file.

For Individual Validation (IV), Organization Validation (OV) or Extended Validation (EV) code signing certificates, we offer two options:

  • Purchasing Pre-configured Certificate Tokens
  • Installing the Certificate on your Existing Hardware Device.

Note: The supported hardware depends on the issuing CA; each CA's supported devices are listed under its delivery options below.

When purchasing a code signing certificate from us, select the delivery method that matches how you intend to hold the private key.

Please carefully consider your choice before finalizing the purchase, as the delivery method cannot be modified later.

Recommended: CA/B Forum Baseline Requirements v2.8 for Code Signing Certificates

What are the Multiple Modes of Delivery for Secure Key Storage?

We offer four convenient delivery methods for your certificate, ensuring flexibility and reliability. Below are the available options:

Option 1: Existing HSM for Installation (For Users Who Own a Hardware Security Module)

If you are an advanced user and already possess a compatible Hardware Security Module (HSM), you can choose the Install on Existing HSM method.

This option lets you install the code signing certificate on a device you already own. The HSM must meet at least FIPS 140-2 Level 2 (or Common Criteria EAL 4+), and you must be able to prove that the key pair was generated on the device (see the attestation and CSR requirements below). We recommend this option for users already familiar with HSM operation.

Devices supported for the existing-token option:

YubiKey FIPS series and Luna HSMs.

If you already own a compatible device such as a YubiKey 5 FIPS (YubiKey 5 NFC FIPS) or a Luna HSM in a version supported by Sectigo, you can choose the “Use Existing Token” method and keep signing with hardware you already operate.

Option 2: Token & US Shipping (New HSM from Certificate Authority Shipped to US Address)

If you prefer to have a new Hardware Security Module (HSM) shipped to a US address, select the “Token & US Shipping” method. SignMyCode supplies a new token from Sectigo (formerly Comodo), DigiCert or Certera that is compatible with the certificate you ordered, and the carrier delivers it to the US address you specify.

With this option you order a pre-configured token directly from the Certificate Authority; the cost of the hardware and the shipping fee are included in the purchase price. This is the recommended option for most users.

Option 3: Token & International Shipping

We offer the “Token & International Shipping” method for customers outside the United States. With this option, a new Hardware Security Module (HSM) from Sectigo (formerly Comodo) or Certera is shipped to your international address, so you can sign code on compliant hardware regardless of your location.

Option 4: Token & Expedited US Shipping (New HSM from Reputed CA Shipped via UPS Next Day)

If you require urgent delivery of a new Hardware Security Module (HSM), select the “Token & Expedited US Shipping” method.

Your new HSM from Sectigo or Certera ships via UPS Next Day to your US address, keeping downtime and interruption to your signing operations to a minimum.

Prerequisites for Sectigo Code Signing HSM:

If you order a Sectigo code signing certificate for an existing device, you must upload an attestation bundle from that device during order generation. The bundle is the device's signed proof that the key pair was generated inside the hardware (for a YubiKey, the attestation certificate for the key's slot together with the device's attestation certificate from slot F9); Sectigo checks it against the vendor's attestation root before issuing.

The following devices are supported for Sectigo code signing certificates:

  • YubiKey 5 FIPS series (YubiKey 5 NFC FIPS only)
  • Luna Network HSM, version 7 or later

That covers the Sectigo (formerly Comodo) and Certera delivery modes. DigiCert's options differ, as follows.

Delivery Options Provided by DigiCert:

DigiCert offers the following delivery methods for code signing certificates:

Token & Standard Shipping:

If you want a new hardware token delivered with your code signing certificate, select the “Token & Standard Shipping” option. DigiCert ships the token by standard post to your US or international address, so you have a dedicated device for signing. After delivery, follow DigiCert's instructions to install the certificate on the token.

Use Existing Token:

Customers who already own a compatible hardware token can choose the “Use Existing Token” option and use their SafeNet eToken 5110 CC, 5110 FIPS or 5110+ FIPS for code signing. Installation is done with the DigiCert Hardware Certificate Installer.

Install on Existing HSM:

If you have a compatible Hardware Security Module (HSM) and prefer to install the code signing certificate on your existing device, you can choose the “Install on Existing HSM” method.

For this option, you generate the key pair and a CSR on the device that will hold the key (an eToken, a YubiKey, an Azure Key Vault HSM-backed key, and so on) and submit the CSR with the order. The private key never leaves the device, and the CSR must come from that hardware key rather than from a software-generated key pair.

Related guides:

  • Generate CSR and Key Attestation Using Luna Network HSM
  • Generate Private Key and CSR Attestation with YubiKey Manager
  • Create Private Keys, CSR, and Import Code Signing Certificate in Azure KeyVault HSM

This option allows you to leverage the capabilities of your HSM for code signing. It is suitable for advanced users familiar with HSM technology and with the necessary infrastructure.

By providing these delivery options, DigiCert CA ensures that you have the flexibility to choose the most suitable method for your code signing certificate. You are covered whether you prefer a new hardware token, want to use your existing token or install the certificate on your HSM.

Select the appropriate delivery method that aligns with your requirements and enjoy a streamlined and secure code signing process with DigiCert CA.

How to Use an Existing Token for Installing a DigiCert Code Signing?

For DigiCert code signing certificates, you can install the certificate on an existing SafeNet eToken USB device.

The following SafeNet series are supported:

  • SafeNet eToken 5110+ FIPS
  • SafeNet eToken 5110 CC (RSA 4096 & ECC)
  • SafeNet eToken 5110 FIPS (ECC ONLY)

Recommended: How to Set Up Your DigiCert-Provided eToken?

How to Change the Delivery Method of Your Certificate

Once your purchase is completed, the certificate delivery method cannot be changed. However, if you realize you selected an incorrect delivery method, you can cancel your order through your account dashboard.

Following the cancellation, you can proceed to purchase another certificate with your preferred delivery method selected.

We constantly strive to provide an effortless code signing certificate experience.

By offering multiple delivery options and ensuring compliance with the latest security standards, we aim to simplify the process for our valued customers.

Choose the right delivery method for your needs and enjoy the benefits of secure and reliable code signing.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
