What are Code Signing Certificate Delivery Methods?


Exploring the Various Delivery Methods to issue Code Signing Certificates

As of June 1st, 2023, the Certificate Authority/Browser Forum has made it mandatory to use physical hardware tokens to secure OV Code Signing Certificates. To meet this requirement, you have a few code signing delivery methods at your disposal:

  • Acquire pre-configured certificate tokens that are readily available for purchase.
  • If you already possess a FIPS 140-compliant hardware device, you have the choice to order a certificate to be installed on that existing device.
  • Use cloud-based key storage.

Before you finalize your purchase, make sure you have chosen the correct delivery option: it cannot be modified once the purchase process is completed and payment has been made. Think twice before finalizing your code signing order.

Code Signing Certificate Delivery Methods

  • USB Token Delivery
  • Utilizing Your Own Hardware Security Module (HSM)
  • YubiKey FIPS 140-2
  • Cloud-Based Key Storage

USB Token Delivery

One recommended option for complying with the updated guidelines is using USB tokens for storing cryptographic keys. USB tokens provide a convenient and secure solution for key storage. They are designed to meet the highest security standards, such as FIPS 140 Level 2, Common Criteria EAL 4+, or their equivalents. These tokens seamlessly integrate into existing workflows and offer peace of mind while maintaining efficiency.

To obtain a USB token, you have several delivery options to choose from:

  • Token + US Delivery: For a cost-effective fee of $80.00, you can have the USB token securely shipped to any location within the United States.
  • Token + International Delivery: Developers located outside the United States can take advantage of international delivery for $110.00.
  • Token + Expedited US Delivery: If you require the USB token urgently within the United States, expedited delivery is available at $120.00. This option ensures prompt delivery, minimizing potential workflow disruptions.

Utilizing Your Own Hardware Security Module (HSM)

If you already possess a certified Hardware Security Module (HSM) or USB token, you can leverage its capabilities for secure key storage. But before utilizing your own HSM, ensure that the device you plan to use meets stringent security standards, such as FIPS 140-2 Level 2 or Common Criteria EAL 4+, to guarantee optimal protection. Utilizing your HSM allows you to maintain control over the entire key management process while adhering to the new guidelines.

YubiKey FIPS 140-2

YubiKeys can be used for code signing in two main ways:

  • As an authentication factor: The YubiKey is used to authenticate the user before they can perform the code signing. This provides two-factor authentication (2FA) for improved security.
  • As a cryptographic key store: The YubiKey stores the private key used for code signing. This provides a hardware-backed key store that is more secure than software key stores.

To use a YubiKey for code signing, you will typically need:

  • A YubiKey with appropriate storage (for OTP or FIDO credentials, or an NFC/USB-C YubiKey that can store private keys).
  • A code signing certificate installed on the YubiKey.
  • Code signing software that supports the YubiKey.

For authentication, you’ll present the YubiKey when prompted by the code signing software. The software will read the OTP, FIDO credential or private key from the YubiKey to verify your identity.

For key storage, the private key used for code signing always remains securely stored on the YubiKey. The code signing software interacts with the YubiKey to perform signing operations using that private key.

Cloud-Based Key Storage

Cloud-based key storage is an attractive option for those seeking a simplified code signing process without compromising security. This method stores private keys in a secure cloud environment equipped with HSM capabilities.


In conclusion, you can choose any one of the following delivery options to comply with the security guidelines:

  • USB Token Shipping: You can purchase pre-configured certificate tokens using any one of the shipping options: Token + US Delivery ($80.00), Token + International Delivery ($110.00), or Token + Expedited US Delivery ($120.00).
  • Utilize Your Own HSM: If you have a certified HSM or USB token that is at least FIPS 140-2 compliant, you can use that.
  • YubiKey: Before performing code signing, users are required to authenticate themselves using the YubiKey.
  • Cloud-Based Key Storage: You can also store cryptographic keys in a cloud environment with HSM capabilities. This option is ideal for distributed development teams, providing accessibility and simplified code signing.

It is important to note that the delivery method cannot be changed once you have purchased the certificate. Hence, choose it carefully!

Janki Mehta


Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
