Upcoming Changes in Issuing OV Code Signing Certificate From June 2023

OV Code Signing Key Requirement Changes June 2023

The policy of the Code Signing Certificate is getting revamped and updated to align with the new trends in the digital world. The CA/Browser Forum has announced modifying the regulations for issuing Code Signing Certificates to developers/publishers. The new policies are coming into effect to reduce the attack surface and prevent private key theft.

When Will The Code Signing Changes Come Into Effect?

Lately, the initial time to implement new policies was November 2022. But, to let Certificate Authorities and Certificate providers seamlessly transform their operations, it got postponed.

And now, June 1st, 2023, is declared as the new and final date, from when you have to adopt one of the following methods to store the private key of IV and OV Code Signing Certificate:

USB Tokens

USB tokens are similar to pen drives, which a developer/publisher has to use to keep the private key safe from unauthorized people. But, you cannot use any such token, as CA/B Forum has defined some standards.

You will need to purchase a token that aligns with FIPS 140 Level 2 or Common Criteria EAL 4 standards. Otherwise, CA will not issue you an OV certificate.

Further, if you want to avoid buying a token yourself, you can ask the Certificate Authority to deliver a private key in a secure USB token.

HSM (Hardware Security Module)

HSM is another form of a secure token that has a built-in crypto-processor to reduce the load on the machine. You can also utilize it for storing the private key, but the condition is the same it must comply with FIPS 140 Level 2 or Common Criteria EAL 4+ standards.

Code Signing Solution

Most CAs offer dedicated code signing services through an application, which provides features to generate CSR, complete the validation procedure, and store a private key.

If the CA offers such a solution, you can opt for that and use it for storing, accessing, and utilizing the code signing certificate. In addition, it will provide you with an added advantage, as CA would be responsible for aligning with all relevant standards.

You read it right. Regardless of the validation level, every developer and software publisher will get the associated private key in a hardware token. And it’s also the primary reason “why certificate providers are increasing prices?”.

As the CAs will need to invest more and put more effort into shipping hardware tokens, prices of Code Signing Certificates are increasing. It’s the only possible thing that can support Certificate Authorities to cover expenses and run all operations smoothly.

And for this sole reason, Sectigo is also hiking the prices for its Code Signing Certificates. From the mentioned date, every customer will get the private key in a hardware token instead of receiving it in a single PFX file.

The Impact of Code Signing Changes

It’s expected to see a price rise of 200% to 300%, which can be heavy on the pocket. Also, the IV and OV certificate validation will be rigorous, similar to the EV validation. And you will require to provide the following documents to the CA to avail of an OV certificate:

Business Operational Proof

It can be a legal document defining that your organization has been active for a recent couple of years and is operating as per regulations and policies.

Physical Address Proof

In this document, you must mention your company’s complete physical address. It must include the building number, floor number, street name, city, state, and Pincode.

Contact Information

The mobile or landline number must be valid and associated with your organization. The CA will call you on the same number to verify the details.

Once you submit all the required proofs, the certificate authority will validate them before issuing the Code Signing Certificate. And if you opt to receive an HSM or a USB token, it will get shipped after the complete business verification.

Method To Save Money In The OV Code Signing Changes Situation

As you know, the price of a Code Signing Certificate will increase by up to 300%. But, still, there’s a legitimate method to save money, and that too for the upcoming three years.

Before implementing new policies, you can Buy Code Signing Certificate at the current lowest price. And to avail of the cheap price leverage in the future, make sure to select its validity period of three years. Regardless of the policy change and price, it will lock in the deal for the upcoming three years.

In addition, to save on certificate price, you will also get rid of managing the HSM and upgrading your systems. Hence, your Code Signing Certificate will work similarly to now. And you can use it as a software-based solution without facing any complexities.

Additionally, your users will not face an Unknown Publisher Warning, and timestamp functionality will work impeccably. However, you must only complete its validation before June 1st, 2023.

A Round-Up To All The Code Signing Changes

Following are the key points that you must remember about the upcoming changes for OV Code Signing:

  • The software-based OV Code Signing Certificate will not get issued after June 1st, 2023.
  • Suppose you purchase an OV Code Signing Certificate after June 1st, 2023. In that case, its private key will get shipped in a USB Token or Hardware Security Module, complying with FIPS 140 Level 2 or similar standards.
  • If you want to use your hardware token, ensure it must align with the CA-defined standards and policies, i.e., FIPS 140 Level 2 or equivalent.
  • The price of the OV Code Signing Certificate will increase by 200% to 300% after the changes.
  • To save money and use a software-based OV certificate, purchase it before the changes occur and complete its validation procedure. Also, ensure to buy it with three years validity plan to avail benefits in the extended period.
Get Code Signing Certificates

FAQs

Why is Sectigo changing issuance policies?

Sectigo is a Certificate Authority that always aligns with the latest CA/B Forum policies. And to comply with the new regulations and to provide high-end Code Signing Certificates, Sectigo is changing issuance policies.

When will the changes come into effect?

All the changes will come into effect from June 1st, 2023. All Code Signing Certificates will require a Hardware Security Module to work from and after the mentioned date. The CA will provide the private key for IV, OV, and EV certificates in a hardware token.

However, if you don’t want to use a hardware token, you must buy a Sectigo Code Signing Certificate before 14th April 2023. After it, Sectigo will only issue token-based certificates.

What will happen to the current Sectigo Code Signing Certificate?

Current Sectigo Code Signing Certificates will function without error until they don’t get expired. After that, you have to purchase a new Code Signing Certificate, aligning with the policies getting implemented from June 1st, 2023.

Can I utilize the Hardware Token of my choice?

Yes, you can utilize the hardware token of your choice. But, as per CA/Browser Forum regulations, your token must comply with one of the following standards:

  • FIPS 140 Level 2
  • netHSM Device
  • Yubico FIPS Yubikeys

What would be the main factors to get affected by this change?

The following are the main areas that will get affected by the policy change:

  • The price of all certificates will increase by a minimum of 300%.
  • Publishers need to put extra effort into securing the hardware token.
  • Without Hardware Token, the certificate will not sign any executable file.
  • Key theft through network attacks and breaches will get prevented.

How Much Price Increase is Expected?

According to Certificate Authorities and announcements in the industry, a 3x to 4x increase in price is expected. And certificates at all three validation levels will get impacted by it.

What would be the Best Way to Save Money in such a Situation?

The best method to save money would be to buy or Renew Code Signing Certificate with three years validity period. It will help you get rid of the hardware token, and you will pay the charges as per the current price for the next three years.

Lookout for the Existing Code Signing Price (Cheapest Option)

Buy CertificatesPrice
Certera Code Signing Certificate$199.99/yr
Comodo Code Signing Certificate$225.99/yr
Sectigo Code Signing Certificate$225.99/yr
Certera EV Code Signing Certificate$269.99/yr
Comodo EV Code Signing Certificate$295.99/yr
Sectigo EV Code Signing Certificate$295.99/yr
Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.