5 Minute Guide: How to Securely Manage Your Code Signing Certificates & Keys
Home » 5 Minute Guide: How to Securely Manage Your Code Signing Certificates & Keys
(1 votes, average: 5.00 out of 5)
70% of surveyed technology organizations were impacted by a software supply chain attack in 2021. Explore five unbeatable certificates and key management tips that’ll help you protect the integrity of your software and help you secure your digital identity to stay a step ahead of attackers
50,000 This is the average number of digital certificates DigiCert reports organizations having to manage within their IT environments. (Yes, this stat includes code signing certificates.) No wonder 61% of them are concerned about the time required to manage such a massive number of certificates.
And it doesn’t stop here. Public key infrastructure (PKI) and digital certificates such as code signing certificates are quickly becoming critical factors for a more secure software supply chain. Their benefits? They help you add digital identity and data integrity to your software. As a result, finding an effective way to securely manage an ever-growing number of code signing certificates and keys has become paramount.
What about your organization? Is certificate management also causing you headaches? Don’t despair! This quick guide will show you five tips that’ll help you become a pro at securely managing code signing certificates and keys. Today, you’ll learn how visibility, automation, and more can make a real difference to the security of your data and organization. Right here, right now. Five key points in just five minutes — start the clock.
Discover How to Securely Manage Your Code Signing Certificates & Keys
Digital certificates and, specifically, code signing certificates have been used for years by organizations as an effective way to assert their identity as vendors and assure data integrity. Code signing certificates enable organizations to add an extra layer of security by signing everything from PowerShell scripts to executables and files.
However, if poorly managed, code signing certificates and keys can quickly turn into security issues that could impact the security of your whole software supply chain. And if you think about it, it isn’t something that it can be taken lightly — just look at the stats. In 2021, 661% of successful security breaches originated from attacks targeting vulnerabilities in the software supply chain.
So, how can you transform these potential weaknesses into strengths again? Let’s get right to it with these five key certificate management tips. Don’t have five minutes to spare? Then check out our table and get a quick overview of our tips in half the time.
Certificate and Keys Management Tips
Certificate and Keys Management Tips Examples
1. Ensure 100% Visibility of Your IT Environment
Make an inventory of all keys and certificates.
Map and manage your dependencies (e.g., external libraries).
2. Implement an Automated PKI Life Cycle Management Solution
Use a reliable certificate management tool
Adopt a public key infrastructure-as-a-service (PKIaaS) approach.
Automate the whole certificate life cycle.
3. Protect Your Private Keys
Limit access to keys by using a zero-trust baseline.
Securely store your private keys and certificates.
Use strong passwords.
Rotate your keys.
Use secure algorithms.
4. Integrate Code Signing Into Your Software Development Life Cycle (SDLC)
Code signing early and often during the whole SDLC.
Use different types of signing certificates.
5. Monitor Your Code Signing Certificates and Keys and Report Their Vulnerabilities
Constantly monitor your code signing certificates and keys.
Use a reporting tool.
1. Ensure 100% Visibility of Your IT Environment
How can you protect something that you can’t see? You simply can’t. Therefore:
Make an inventory of keys and certificates. List all of them and ensure you write down their key information. This includes everything from the expiration date to the actual owner of the certificate and its deployment location. Categorize both keys and certificates based on use cases. Make regular inventories and don’t forget to remove expired and revoked certificates.
Map and manage your dependencies (e.g., external libraries). Yup, this means all of them. In 2021, 97% of codes contained open-source components. Do your codes include open source materials? I bet they do. Do you have a list of all of them? If you don’t, a software bill of materials (SBOM) is what you need. List the individual components, check them, and update them. You can also use dependency management software like Dependabot, Sonatype, or Snyk (more on that in a minute) to help you carry out this crucial task.
2. Implement an Automated PKI Life Cycle Management Solution
Do you really believe that you’ll be able to secure every single step of your software supply chain manually? Forget it, it’s too complex and the risk is too high. Therefore:
Use a reliable certificate management tool. Don’t risk the security of your organization’s systems and data on manual tracking methods that are prone to failure. After all, using the average of 50,000 certificates, that’s an average of about 137 certificates (and their keys) to track per day! If even one of them slips through the cracks, it can spell disaster.
Opt for public key infrastructure as a service (PKIaaS) approach. Simplify and automate your PKI management responsibilities by moving them to the cloud and outsourcing them. This way, you don’t have to worry about managing your public and private PKI needs in house.
Automate the whole certificate life cycle. Regardless of the type of PKI management solution you opted for (in-house or outsourced like PKIaaS), ensure that it covers the whole certificate life cycle. Right from issuance to deployment, and renewal. This will help you to also reduce the possibility of human errors. Don’t forget to automate key creation for an efficient rotation. And this takes us to the next point.
The graphic shows the steps of the certificate management life cycle.
3. Protect Your Private Keys
Your private keys are the gateway to your organization. What are the best ways to protect the keys to your castle?
Limit access to keys by using a zero-trust baseline. Implement access control policies (e.g., least privilege principle) to code signing keys. Start from the assumption that no one is trusted (i.e., zero-trust, or deny by default) and minimize the number of users who have access to your cryptographic keys.
Securely store your private keys and certificates. Have you ever heard of hardware security modules (HSMs) and hardware security tokens? They’re physical, tamper-resistant appliances or devices used to generate, protect and manage private keys and certificates. The USB token you receive when you buy an eextended validation (EV) code signing certificate is an example of it. Want to keep your keys and certificates safe? Store them on devices like HSM, hardware security token, or on a FIPS 140 level 2 approved secure hardware device.
The graphic shows an example of a hardware security module used to sign a code signing certificate.
Rotate your keys. Enforce automatic rotation and renewal of keys, passwords, and certificates. This will help you minimize data breaches and outages, and limit the damage of security incidents due to expired certificates or stolen keys.
Use secure algorithms. Even the most bulletproof algorithm will be breached one day, we all know it. Keep your keys up to date by ensuring you’re always using the latest more secure algorithm.
4. Integrate Code Signing Into Your Software Development Life Cycle (SDLC)
Venafi’s new global study found that 85% of CIOs admit that developers and software engineers take shortcuts on security. Why? To release software faster. But haste makes waste. Avoid that by:
Code signing early and often during the whole SDLC. That’s not going to be easy. I hear you. Moving from the traditional software development life cycle (SDLC) process to the more modern secure SDLC will help your team incorporate security at every stage of the development life cycle. And you know what’s even cooler? There are frameworks ready for you to use, like NIST’s secure software development framework (SSDF).
An example of the secure software development life cycle (SSDLC) process.
Use different types of signing certificates. Do you want to make sure you circumscribe the damage in case a code signing certificate gets stolen? See that your developers use self-signed certificates during development and then swap them out for publicly trusted ones when they go to production. By the way, don’t think even for a moment about using a self-signed certificate in production: it’s a no-go!
5. Monitor Your Code Signing Certificates and Keys and Report Their Vulnerabilities
Have you ever tried to organize something without knowing what had to be organized in the first place? It sounds virtually impossible, right? The same goes for certificate management. You can’t effectively manage and protect something if you don’t know who you’re up against, what the issues are, and what you have to protect looks like. The solution?
Constantly monitor your code signing certificates and keys. This year Keyfactor’s report indicates that 42% of organizations are still tracking their certificate via spreadsheets. In point two, we talked about automation. A PKI certificate management tool platform like DigiCert CertCentral Enterprise or Sectigo Certificate Manager will bring your certificate monitoring into the 21st century. And you’ll never miss a certificate expiration date again.
Use a reporting tool. Are you sure that your organization isn’t affected by Log4j (Log4Shell) vulnerability? What if your boss comes to your desk and asks you to confirm that all software you’ve developed is compliant with privacy and security regulations like The EU payment service directive (PSD2) and the California Consumer Privacy Act (CCPA)? Run a report with tools like Xray or Sourcegraph and you’ll quickly get an answer to both questions. You still don’t have a reporting tool? Time to find one and impress your boss.
Tick-tock, five minutes are nearly gone. Time to act! Securely manage your code signing certificates and keys before they’re gone.
Prove Your Software Is Trustworthy
Signing your code shows users that your software and updates can be trusted.
Download our free code signing best practices eBook to learn how to help keep your supply chain secure and your company, customers & end-users safe.
Sign up below to get access to your FREE Code Signing Best Practices Guide
Final Thoughts on 5-Minute Guide: How to Securely Manage Your Code Signing Certificates and Keys
Is your organization aiming to produce only bulletproof secure software? You can use what you’ve just learned to make this dream become a reality. All you have to do is build a robust certificate management system that focuses on:
Visibility,
Automation,
Keys protection,
Integration, and
Reporting.
These five key items will not only give your business an extra security boost to keep pace with today’s cyber threats, but they’ll also:
Keep your organization, customer’s data, and your software supply chain secure,
Speed up and simplify certificates procedures for developers during the whole SSDLC,
Protect you against attacks like SolarWinds, where a single compromised file affected their whole supply chain, and
Ensure your code signing certificates and keys will be securely managed.
What do you think? Weren’t these five minutes well spent?
Code Signing Best Practices
Want to keep your software and code safe?
Enter your contact information below below to receive your FREE Best Practices PDF:
Contact details collected by CodeSigningStore.com may be used to send you requested information, blog update notices, and for marketing purposes. Learn more…
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Email Us
+1 (727) 291-0611
Chat Now
