What is Key Attestation for Code Signing Certificates?

What is Key Attestation in Code Sign

A lot has changed in the world of Code Signing since the month of June. And you must be curious about it too! The blog will explain key attestation, supporting hardware, and the pros and cons of using this method to deliver code signing certificates.

New guidelines for distributing code signing certificates went into effect on June 1, 2023, to increase security. One of the most significant improvements requires the delivery of certificates using safe Hardware Security Modules (HSMs)

There is now a choice for electronic distribution to subscriber-owned hardware that supports key attestation. This blog article will discuss key attestation, the hardware needed to implement it, and the benefits and drawbacks of this distribution mechanism.

Securing Code Signing Certificates via Key Attestation

In an effort to prevent abuse and unauthorized use of code signing certificates owned by third parties, new rules have been implemented requiring the delivery of certificates on secure Hardware Security Modules (HSMs).

These HSMs are specialized hardware devices that securely store cryptographic keys. This article explores the concept of key attestation, its significance, and the advantages it offers over traditional delivery methods.

Traditional Certificate Delivery Methods

Conventionally, code signing certificates were delivered by Certificate Authorities (CAs) such as Sectigo. The certificate would be placed on a token, which was then mailed to the recipient. While this method ensured secure delivery, it had drawbacks in terms of time and cost.

Introduction to Key Attestation

Key attestation refers to verifying the integrity and authenticity of cryptographic keys stored within an HSM or other hardware device.

It involves generating a cryptographic certificate that attests to the validity of the keys and ensures they have not been tampered with or compromised. With Code Signing certificates, key attestation helps guarantee that the delivered certificates are legitimate, assuring both issuers and recipients.

Key attestation, as defined by the baseline requirements, verifies the integrity and origin of private keys. It addresses whether the key has always been stored securely or originated from a trusted source.

However, not all equipment supports key attestation uniformly, leading to variations in the process across different devices and systems.

Importance of FIPS Compliance

FIPS (Federal Information Processing Standards) compliance is a crucial aspect of key attestation. It ensures that the information processing and safety standards are met.

Recommended: What is the Difference Between FIPS Validation and FIPS Compliance?

Furthermore, the token used for key transfer and attestation must also be FIPS compliant and support internet-based communication. Currently, there are only a limited number of devices available on the market that meet these requirements.

Supported Devices: Thales Luna and YubiKey

Two notable devices that support key attestation are the Thales Luna HSM and YubiKeys from Yubico. These devices are widely recognized and trusted in the industry.

However, the challenge lies in not everyone possessing these specific keys and HSMs, resulting in limited adoption of key attestation as a delivery mechanism.

Recommended: What are SafeNet Luna Network HSM 7 and Thales Luna Network HSM 7?

Industry Standard for Enhanced Security

The introduction of key attestation as an industry standard, driven by the CA/Browser Forum rules and Baseline Requirements, aims to reduce the risk of key theft and misuse of certificates by malware operators. Protecting the integrity of keys and ensuring secure code signing is of paramount importance.

Recommended: CA/B Forum Baseline Requirements v2.8 for Code Signing Certificates

Benefits for Repeat and Mass Purchasers

Organizations with recurring or large-scale code signing needs, such as enterprises, professional software development firms, and electronic supply chain manufacturers, stand to benefit significantly from these new guidelines. By adopting key attestation, they can enhance the security and trustworthiness of their code signing processes.

Reducing Wait Times for End Users

When purchasing code signing certificates, the price difference between obtaining it directly or through a CA is typically minimal, approximately $100-200.

The primary distinction lies in the time taken for delivery. Waiting for physical mail can be a significant concern for end users seeking prompt access to their certificates.

The implementation of key attestation through secure HSMs marks a significant step toward safeguarding code signing certificates. By verifying the integrity and origin of cryptographic keys, this approach mitigates the risk of key compromise and misuse.

While key attestation may require specific hardware and adherence to industry standards, its adoption offers substantial benefits to organizations.

Particularly those with recurring code signing needs. Ultimately, embracing key attestation helps maintain the prominence and security of code signing certificates in today’s digital landscape.

Supporting Hardware:

Subscriber-owned hardware capable of performing the attestation process is required to take advantage of electronic delivery with key attestation. It typically involves using specialized HSMs or similar devices to store and manage cryptographic keys securely.

Recommended: Simplifying Code Signing Certificate Private Key Storage Options

These hardware devices are engineered with robust security features, such as physical tamper resistance and protection against unauthorized access, making them suitable for handling sensitive code signing certificates.

Pros of Key Attestation:

Enhanced Security:

Key attestation ensures that code signing certificates are delivered with a higher level of security, reducing the risk of certificate tampering or unauthorized use.

Reduced Delivery Time:

Electronic delivery enables the faster distribution of Code Signing certificates, eliminating the delays associated with traditional shipping methods.


Key attestation can be easily integrated into existing infrastructure and scaled to accommodate growing certificate demands, making it suitable for organizations of all sizes.

Simplified Revocation:

In the event of a compromised certificate, key attestation allows for swift revocation, helping to mitigate potential security incidents more effectively.

Cons of Key Attestation:

Initial Setup:

Adopting key attestation requires investing in compatible hardware devices and configuring them appropriately, which can involve upfront costs and implementation efforts.

Dependency on Hardware:

Electronic delivery with key attestation relies on the availability and reliability of Subscriber-owned hardware. Failure or malfunction of the hardware could disrupt the delivery process.

Regulatory Compliance:

Organizations must ensure compliance with the specific regulations. So that it can govern HSMs and key attestation methods in their respective jurisdictions.

Wrap up

The new rules mandating secure delivery of Code Signing certificates via HSMs have introduced key attestation as an option for electronic delivery. This method enhances security by verifying cryptographic keys and ensuring the authenticity of certificates. It requires specialized hardware and compliance with relevant regulations.

Organizations should carefully weigh the advantages and disadvantages to determine whether key attestation suits their code signing certificate delivery needs. But if you ask for our recommendations, it is necessary in the current digital landscape.

Recommended: How to Generate CSR and Key Attestation Using Luna Network HSM?

Recommended: Private Key Generation and CSR Attestation with YubiKey Manager

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.

Leave a comment

Your email address will not be published. Required fields are marked *