Code Signing Certificate policy is being revamped and updated to align with new trends in the digital world. The CA/Browser Forum has announced changes to the regulations for issuing Code Signing Certificates to developers and publishers. The new policies are coming into effect to reduce the attack surface and prevent private key theft.
Initially, the new policies were scheduled to take effect in November 2022. But to let Certificate Authorities and certificate providers transform their operations seamlessly, the date was postponed.
Now, June 1st, 2023, has been declared the new and final date, from which you must adopt one of the following methods to store the private key of an IV or OV Code Signing Certificate:
USB tokens are similar to pen drives; a developer or publisher uses one to keep the private key safe from unauthorized people. But you cannot use just any token, as the CA/B Forum has defined standards for them.
You will need to purchase a token that meets the FIPS 140 Level 2 or Common Criteria EAL 4 standard. Otherwise, the CA will not issue you an OV certificate.
Further, if you want to avoid buying a token yourself, you can ask the Certificate Authority to deliver the private key on a secure USB token.
An HSM is another form of secure token, with a built-in crypto-processor that offloads cryptographic work from the host machine. You can also use it to store the private key, but the condition is the same: it must comply with the FIPS 140 Level 2 or Common Criteria EAL 4+ standard.
Most CAs offer dedicated code signing services through an application that provides features to generate a CSR, complete the validation procedure, and store the private key.
If the CA offers such a solution, you can opt for it and use it for storing, accessing, and using the code signing certificate. It also gives you an added advantage: the CA is responsible for complying with all relevant standards.
You read that right. Regardless of validation level, every developer and software publisher will receive the associated private key on a hardware token. And that is also the primary reason why certificate providers are increasing prices.
Because CAs will need to invest more and put more effort into shipping hardware tokens, prices of Code Signing Certificates are increasing. It is the only way Certificate Authorities can cover the expenses and keep all operations running smoothly.
For this reason, Sectigo is also raising the prices of its Code Signing Certificates. From the mentioned date, every customer will receive the private key on a hardware token instead of in a single PFX file.
A price rise of 200% to 300% is expected, which can be heavy on the pocket. Also, IV and OV certificate validation will become rigorous, similar to EV validation, and you will need to provide the following documents to the CA to obtain an OV certificate:
This can be a legal document showing that your organization has been active for the last couple of years and is operating in accordance with regulations and policies.
In this document, you must state your company's complete physical address. It must include the building number, floor number, street name, city, state, and PIN code.
The mobile or landline number must be valid and associated with your organization. The CA will call you on that number to verify the details.
Once you submit all the required proofs, the Certificate Authority validates them before issuing the Code Signing Certificate. If you opt to receive an HSM or a USB token, it is shipped after the business verification is complete.
As you know, the price of a Code Signing Certificate will increase by up to 300%. Still, there is a legitimate way to save money, and for the next three years at that.
Before the new policies take effect, you can buy a Code Signing Certificate at the current lowest price. To keep that lower price in the future, make sure to select a validity period of three years. Regardless of the policy change and price increase, this locks in the deal for the next three years.
In addition to saving on the certificate price, you avoid managing an HSM and upgrading your systems. Your Code Signing Certificate will work just as it does now, as a software-based solution, without any added complexity.
Your users will not see an Unknown Publisher warning, and timestamping will continue to work. However, you must complete its validation before June 1st, 2023.
Following are the key points to remember about the upcoming changes for OV Code Signing:
Sectigo is a Certificate Authority that always aligns with the latest CA/B Forum policies. To comply with the new regulations and continue providing high-end Code Signing Certificates, Sectigo is changing its issuance policies.
All changes take effect from June 1st, 2023. From that date onward, all Code Signing Certificates will require a Hardware Security Module to work. The CA will provide the private key for IV, OV, and EV certificates on a hardware token.
However, if you do not want to use a hardware token, you must buy a Sectigo Code Signing Certificate before April 14th, 2023. After that, Sectigo will only issue token-based certificates.
Current Sectigo Code Signing Certificates will continue to function without error until they expire. After that, you must purchase a new Code Signing Certificate that complies with the policies implemented from June 1st, 2023.
Yes, you can use a hardware token of your choice. But as per CA/Browser Forum regulations, your token must comply with one of the following standards:
The following are the main areas affected by the policy change:
According to Certificate Authorities and industry announcements, a 3x to 4x price increase is expected, and certificates at all three validation levels will be affected.
The best way to save money is to buy or renew a Code Signing Certificate with a three-year validity period. This lets you avoid the hardware token, and you will pay the current price for the next three years.