Code Signing Certificate FAQs – Some Commonly Asked Questions
Here Are Answers to Some of the Most Commonly Asked Questions of Our Customers
What is FIPS?
FIPS means Federal Information Processing Standards, a collection of standards produced by the National Institute of Standards and Technology (NIST) for use in the computer systems of non-military American government departments, agencies, and contractors. It is intended to preserve data and ensure secure data exchanges across systems. FIPS also gives guidelines on information technology security measures such as authentication, ways to encrypt data, and access control. Overall, FIPS aims to guarantee that the federal government's technology is secure and trustworthy.
What is FIPS 140-2?
FIPS 140-2, or the Federal Information Processing Standard Publication 140-2, is a computer security standard developed by the United States government that defines rules for the certification of cryptographic modules. It was first published on May 25, 2001, and was most recently updated on December 3, 2002. It is a collection of rules for assuring the security of cryptographic modules when they are used to safeguard sensitive, unclassified data. Physical security, cryptographic key management, user authentication, access control, and intrusion detection are all covered. Finally, FIPS 140-2 is intended to assure cryptographic modules' security, effectiveness, and dependability.
What is HSM?
Hardware Security Modules (HSMs) are specialized devices for securing cryptographic keys and digital data. They guarantee that only authorized users may use key material by providing safe storage and cryptographic operations such as encryption, decryption, digital signing, and authentication. HSMs are tamper-resistant, hardened devices that generate keys, encrypt and decrypt data, and validate digital signatures, strengthening the security of cryptographic procedures. They are necessary to protect sensitive data in many applications and sectors. In short, HSMs are a vital part of any security system and are required for safe key management.
What is a Token-Signing Certificate?
Code signing with hardware tokens adds an essential layer of security to software and digital products. Token-based code signing certificates are digital certificates used to identify software publishers and validate software code before it is published to the public. Code signing certificates ensure the code is trustworthy and comes from the stated, trusted publisher.
Is it Necessary to Require a Hardware Token with OV Code Signing?
Under the new CA/Browser Forum requirements, from June 1, 2023 an OV Code Signing Certificate's private key must be stored in a Hardware Security Module compliant with FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. Understanding the role of hardware tokens while working with code-signing certificates is therefore critical. OV Code Signing Certificates are used to digitally sign code to verify it has not been tampered with, and the security and integrity of that signature depend on the private key being held in a secure USB token or an HSM. As a result, you require a hardware token with OV code signing.
This hardware token enables developers to sign code securely, guaranteeing the code is legitimate and has not been tampered with. It also provides an extra degree of security for end users, guaranteeing that a third party has not tampered with the code they receive.
Can I use my Existing Token?
Yes, you can use it for multiple requests.
What is the Most Significant Change in Code Signing?
Before June 1, 2023, when an OV code signing certificate is granted, the certificate authority must make sure that the user's private keys are protected by one of the following:
- The most significant change in code signing has been the adoption of the Trusted Platform Module (TPM). The TPM is a secure element designed to store private keys and authenticate code before signing it. By using the TPM, users can create and secure a private key more effectively and document the creation of their keys and other information.
- Another security measure is using Hardware Security Modules (HSMs). These devices commonly store private keys and other sensitive data securely. HSMs must meet Common Criteria EAL 4+ and FIPS 140-2 Level 2 or above, ensuring the key is stored in a secure environment.
- Many users can use a hardware storage token such as a USB or SD card. Although hardware tokens can be utilized, they may not meet the same level of security as an HSM or TPM, as the hardware tokens may not be FIPS 140-2 Level 2 certified or Common Criteria EAL 4+ compliant.
What is Changing in OV Code Signing?
The storage of private keys is the central point when discussing the considerable changes made to the Organization Validation (OV) code signing procedure. Certificate authorities must ensure that a user's private key is created, kept, and used in an HSM (Hardware Security Module) per the CA/B Forum guidelines.
What is the New Private Key Storage Requirement?
As of June 1, 2023, all private keys for standard code signing certificates must be kept on hardware that has been FIPS 140 Level 2 or Common Criteria EAL 4+ certified. By introducing stricter key storage requirements, this change improves confidence in the code signing procedure.
Are there any Provisioning Options to Store the Private Key for Code Signing Certificate?
A user's public and private keys are used to sign code. Using one of the numerous readily accessible free tools, users may build their own digital certificates, including the public keys, or buy them from a dependable certificate authority (CA) to which they supply the public keys.
The certificate is then installed on a reusable CA token and sent securely to the client, or it is made accessible for download and installation on the customer's Hardware Security Module (HSM). Hardware devices (such as tokens, HSMs, and so on) now need to be FIPS-compliant and offer externally verifiable key attestation for verification.
What are the Baseline Requirements for the Issuance of Code Signing Certificates?
The CA/Browser Forum has revised its Baseline Requirements for Code Signing Certificate Issuance and Management. This upgrade necessitates generating and storing Code Signing Certificate Private Keys securely. To maintain the safety and legitimacy of the code, organizations' and corporations' software signing certificates must be held in a secure environment.
Organizations and businesses have several options for storing software signing certificates: a subscriber-held device such as a security token, or a server-side Hardware Security Module (HSM). Alternatively, a cloud service such as AWS or Azure, or a signing service, can be provided by the certification authority (CA) or another trusted service provider.
What's the Delivery Time of the HSM Token Provided With an EV Code Signing Certificate?
Once you submit all the required documents to get an EV Code Signing Certificate issued and your company is verified, an HSM device (a Token holding the Private Key) will be shipped to your registered company address. How long it takes to arrive depends on the courier: some take a week, others deliver within two to three days, depending on the distance to your company.
Can We Renew Our Code Signing Certificate From SignMyCode.com?
Once you purchase a Code Signing Certificate from SignMyCode.com and it expires, you can always renew it from our site. Unfortunately, if you purchased it from another website and not from us, you'll need to buy from us first.
Can We Use the Same Token if We Renew an EV Code Signing Certificate?
For security reasons, it's not recommended to reuse the same Token for your renewed EV Code Signing Certificate. Also, if you have a Java-based EV Code Signing Certificate, you'll require a new token for signing your Java applets every time you renew your certificate.
Is There Any Validation Needed From SignMyCode.com Regarding Our Software?
No, you don't need any specific validation from SignMyCode.com regarding the software you'll sign using an issued code signing certificate. The only validation process you're required to fulfill is the step of verifying your company's legitimacy. The steps of that validation process are predefined by the respective certificate authorities: DigiCert, Sectigo and Comodo.
Which Browser Do We Need to Generate a CSR for Code Signing Certificate Installation?
Presently, the web browsers recommended for generating the CSR for your Code Signing Certificate installation are Microsoft Internet Explorer 11 on Windows and Safari on Mac. If you're using Mozilla Firefox, only version 68 or older will work. Mozilla Firefox ESR or a portable copy of Mozilla Firefox also works.
What's the File Format Extension of an Issued Code Signing Certificate?
Once all the necessary steps are completed and your company is verified by the certificate authority (CA), SignMyCode.com will issue your Code Signing Certificate as a .crt file for Windows or Mac OS.
If We Renew Our Code Signing Certificate Before Its Actual Expiry Date, Will the Remaining Days Be Added to Our Renewed Certificate?
It's recommended that you renew your code signing certificate before its actual expiry date. If you want, you can renew it as early as 90 days before the expiration date, and all the remaining days are added to your renewed code signing certificate.
Once your code signing certificate is renewed, your old code signing certificate will become invalid, and you'll need to use the freshly issued renewed code signing certificate to sign any software or application.
Is It True That an Old 2048-Bit Key Size Is Not Accepted for Code Signing Certificate?
Yes. The CA/B Forum made it mandatory that, from June 1, 2021, the minimum key size for a Code Signing Certificate is 3072 bits; the old 2048-bit key size is no longer accepted.
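A check a publisher can run on an issued .crt before using it, verifying the 3072-bit minimum above and the Code Signing extended key usage. This is an added example, not part of the SignMyCode.com FAQ; it assumes the openssl command-line tool (1.1.1 or newer) and constructs its own throwaway self-signed test certificates in place of a CA-issued file.

```shell
#!/bin/sh
# Constructed example: checks a code signing certificate against two CA/B Forum
# requirements, an RSA key of at least 3072 bits and the codeSigning EKU.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert BITS NAME: builds a self-signed certificate with the codeSigning
# EKU as sample input (constructed data, standing in for an issued .crt)
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
        -subj "/CN=Example Publisher/O=Example Org" \
        -addext "extendedKeyUsage=codeSigning" >/dev/null 2>&1
}

# cert_key_bits FILE: prints the key size openssl reports, e.g. 3072
# (the 3072-bit minimum discussed above applies to RSA keys)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# cert_has_codesigning_eku FILE: succeeds if the EKU extension lists Code Signing
cert_has_codesigning_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'Code Signing'
}

# check_code_signing_cert FILE: returns 0 when both checks pass, 1 otherwise,
# and prints which check failed
check_code_signing_cert() {
    bits=$(cert_key_bits "$1")
    if [ -z "$bits" ] || [ "$bits" -lt 3072 ]; then
        echo "FAIL: $1 uses a ${bits:-unknown} bit key; CA/B Forum minimum is 3072"
        return 1
    fi
    if ! cert_has_codesigning_eku "$1"; then
        echo "FAIL: $1 lacks the Code Signing extended key usage"
        return 1
    fi
    echo "PASS: $1 ($bits bit RSA key, Code Signing EKU present)"
}

make_test_cert 2048 legacy     # old key size, rejected since June 1, 2021
make_test_cert 3072 compliant  # current minimum
check_code_signing_cert "$WORK/legacy.crt" || true
check_code_signing_cert "$WORK/compliant.crt"
```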
I purchased a code signing certificate from SignMyCode, then realized that I needed an EV certificate. Customer support was extremely quick and service-minded, and I could easily upgrade.
I purchased a code signing certificate as a beginner and have got helpful customer support to go through the necessary process and use it for my product.
My best experience ever purchasing a code signing certificate. I love the certificate; the token is delivered to a central portal where I can find it anytime.