What to Know When Purchasing Your Next Code Signing Certificate
To protect signing keys against theft and misuse, the industry rolled out new security requirements for code signing certificates. Here’s what to know about these changes and what they mean to you as a developer or publisher when purchasing a certificate.
An Overview of the Changes
Effective June 1, 2023, the industry’s standards body issued new code signing baseline security requirements for individual and standard validation certificates. All certificates must be issued on secure hardware (such as a token or hardware security module [HSM]) that’s compliant with FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. The goal is to keep your cryptographic keys out of the hands of bad guys and prevent compromise by confining them to secure hardware.
The specifics of how provisioning works vary depending on which certificate authority (CA) you choose to issue your certificate. For example, either the CA will generate the certificate signing request (CSR) and private key for you, or you’ll have to generate the key pair yourself; in either case, the private key must live on a secure, approved device.
What These Changes Mean to You
If you already have a valid code signing certificate, then there’s nothing for you to do. You’re set for the life of your certificate (or until you have to renew or reissue it).
These changes impact users who purchase a new code signing certificate or re-issue an existing certificate after June 1. In this case, you must store the certificate and its private key on a supported secure device.
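The two points above (generating the key pair yourself on an approved device, and making sure the certificate and private key stay on that device) can be checked from the developer’s side. The following PowerShell script is an added example, not code from the article or from any CA: it uses Windows’ built-in certreq to generate the signing key inside a hardware token through a Key Storage Provider (KSP), writes the CSR to send to the CA, and afterwards lists code signing certificates whose private key is hardware-backed and non-exportable. The KSP name, the subject DN, and the file paths are assumptions you adjust to your token and validated organization details; the 3072-bit RSA minimum reflects the current code signing baseline rather than anything this article states.

```powershell
# Added example (not from the original article): generate a code-signing key pair
# directly on a hardware token via a Windows Key Storage Provider (KSP), build the
# CSR to send to the CA, and afterwards verify that the installed certificate's
# private key is hardware-backed and non-exportable.
#
# Assumptions: the token's client software / minidriver is installed and exposes the
# token through the KSP named in $Ksp. "Microsoft Smart Card Key Storage Provider" is
# the generic smart-card KSP; vendor HSMs ship their own (see `certutil -csplist`).
# The subject DN is a constructed placeholder; use your validated organization details.

$Ksp     = 'Microsoft Smart Card Key Storage Provider'   # assumption: your token's KSP
$Subject = 'CN=Example Publisher Inc, O=Example Publisher Inc, L=Springfield, S=IL, C=US'
$Inf     = Join-Path $env:TEMP 'codesign-request.inf'
$Csr     = Join-Path $env:TEMP 'codesign-request.csr'

# certreq INF: RSA 3072 (the baseline's current minimum for code signing keys),
# signature-only key usage, Exportable = FALSE so the KSP never releases the private
# key, and the Code Signing EKU (1.3.6.1.5.5.7.3.3) so the CSR requests the right type.
@"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 3072
HashAlgorithm = SHA256
ProviderName = "$Ksp"
KeyUsage = 0x80            ; DIGITAL_SIGNATURE only
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3    ; Code Signing
"@ | Set-Content -Path $Inf -Encoding ASCII

# Step 1: the key pair is generated inside the token (the token may prompt for its PIN);
# only the CSR (public key + subject) is written to disk.
certreq -new $Inf $Csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "Submit $Csr to the CA. After validation the CA returns a certificate file."

# Step 2 (after the CA returns the signed certificate, e.g. codesign.cer):
#   certreq -accept .\codesign.cer
# binds the issued certificate to the private key that never left the token.

# Step 3: confirm each installed code signing certificate is backed by the expected
# KSP and that its key is non-exportable. Anything flagged Compliant = False is a
# software key or a key that could be copied off the machine.
function Test-HardwareBackedCodeSigningCert {
    param([string]$ExpectedKsp)

    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.3' })
        } |
        ForEach-Object {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
            $cng = $rsa -as [System.Security.Cryptography.RSACng]   # $null for legacy CSP keys
            [pscustomobject]@{
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                Provider     = if ($cng) { $cng.Key.Provider.Provider } else { 'legacy CSP (not CNG)' }
                ExportPolicy = if ($cng) { $cng.Key.ExportPolicy } else { 'n/a' }
                Compliant    = [bool]($cng -and
                               $cng.Key.Provider.Provider -eq $ExpectedKsp -and
                               $cng.Key.ExportPolicy -eq [System.Security.Cryptography.CngExportPolicies]::None)
            }
        }
}

Test-HardwareBackedCodeSigningCert -ExpectedKsp $Ksp | Format-Table -AutoSize
```

Run the script once to produce the CSR, send the CSR through the CA’s ordering process, then run `certreq -accept` on the returned certificate and re-run the last line; a certificate that reports the token’s KSP and an `ExportPolicy` of `None` is stored the way the new requirements intend.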
How to Get Your Code Signing Certificate (Provisioning Methods Listed By CA)
There are differences between different brands’ code signing certificates regarding their certificate provisioning methods and processes. You’ll want to keep these differences in mind when choosing a certificate.
DigiCert Code Signing Certificates
DigiCert offers multiple code signing certificate provisioning options to meet your needs:
- Receive a blank hardware token in the mail to store your certificate and keys (default),
- Use an existing compliant token you own, or
- Store your certificate on an approved HSM.
DigiCert ranks among the industry’s fastest CAs when it comes to certificate issuance. Their standard code signing certificates typically take 1-4 days to issue.
Sectigo Code Signing Certificates
Choose between Sectigo’s two provisioning methods to receive your certificate and private key:
- Get a pre-configured hardware token in the mail containing your certificate and keys (default), or
- Receive a downloadable certificate you can manually store on an approved HSM.
NOTE: To use an HSM, you’ll need a supported HSM that can provide key attestation. Currently, Sectigo supports Thales/SafeNet Luna and netHSM devices, and Yubico FIPS YubiKeys (for ECC keys only).
Sectigo-brand code signing certificates typically take 4-8 days to issue.
Comodo Code Signing Certificates
Comodo code signing certificates, which are a Sectigo product, also offer two options when it comes to provisioning:
- Get a pre-configured hardware token in the mail containing your certificate and keys (default), or
- Receive a downloadable certificate you can manually store on an approved HSM.
Comodo code signing certificates are typically issued within 4 to 8 days.
GoGetSSL Code Signing Certificates
GoGetSSL code signing certificates are great for publishers on a budget. Their certificates have multiple provisioning options to meet your needs:
- Receive a blank hardware token in the mail to store your certificate and keys (default),
- Store your certificate and keys on an existing compliant token you own, or
- Store your certificate on an approved HSM.
GoGetSSL standard code signing certificates typically take 1-4 days to issue.
Next Steps to Start Securely Signing Your Code and Software
Once you purchase your certificate, you’ll undergo the CA’s validation process. This may take a few days. Once validated, you’ll receive your certificate via your chosen delivery method. Then you’ll need to install the token’s client software onto your computer and activate the token. (You’ll receive directions in the mail along with your token.)
If you selected the default method as your delivery method for a DigiCert code signing certificate, you may have additional steps to set up your token. Don’t worry; there’s an installation wizard that will walk you through the process.
To learn more about the new process for getting a code signing certificate, check out CodeSigningStore.com’s Support page and FAQs.
Store Your Certificate and Keys in the Cloud with DigiCert Software Trust Manager
Don’t want to manage a bunch of individual USB tokens or purchase an expensive HSM? Then don’t. DigiCert’s Software Trust Manager enables you to digitally store and use your code signing keys securely in a cloud-based HSM.
DigiCert Software Trust Manager also allows you to do many other things, including:
- Assign permissions to authorized developers without them ever having direct access to your signing keys.
- Automate flows using APIs or integrations.
- Track how, when, and by whom your signing certificates are used via permanent signing logs.
Final Takeaways on These Code Signing Industry Changes
Change is inevitable. Although these changes may seem like a pain, when you consider the risks associated with insecure code signing keys, it’s clear why the industry’s standards body implemented such an important security requirement for signing certificates and keys.
We’ve seen several instances over the past year or so where the signing keys of major organizations became compromised — GitHub, NVIDIA, and Intel (via MSI’s data breach). Insecure signing keys can result in everything from unauthorized modifications to code and software to compromises of your supply chain. Don’t give cybercriminals a chance to ruin your good name; get a code signing certificate with secure key storage.
Our team at CodeSigningStore.com is here to help. Whether it’s answering your questions or guiding you through the process of getting or re-issuing a certificate, we’re here to ensure that your signing certificates and keys meet the industry’s latest security requirements.