As of June 1st, 2023, the Certificate Authority/Browser Forum has made it mandatory to use physical hardware tokens to secure OV Code Signing Certificates. To meet this regulation, you have a couple of code signing delivery methods at your disposal, such as:
Before you finalize your purchase, be certain you have chosen the correct delivery option: it cannot be changed once the order is complete and payment has been made. Hence, think twice before finalizing your code signing order.
One recommended option for complying with the updated guidelines is using USB tokens for storing cryptographic keys. USB tokens provide a convenient and secure solution for key storage. They are designed to meet the highest security standards, such as FIPS 140 Level 2, Common Criteria EAL 4+, or their equivalents. These tokens seamlessly integrate into existing workflows and offer peace of mind while maintaining efficiency.
To obtain a USB token, you have several delivery options to choose from:
If you already possess a certified Hardware Security Module (HSM) or USB token, you can leverage its capabilities for secure key storage. But before utilizing your own HSM, ensure that the device you plan to use meets stringent security standards, such as FIPS 140-2 Level 2 or Common Criteria EAL 4+, to guarantee optimal protection. Utilizing your HSM allows you to maintain control over the entire key management process while adhering to the new guidelines.
YubiKeys can be used for code signing in two main ways:
As an authentication factor: The YubiKey is used to authenticate the user before they can perform the code signing. This provides two-factor authentication (2FA) for improved security.
As a cryptographic key store: The YubiKey stores the private key used for code signing. This provides a hardware-backed key store that is more secure than software key stores.
To use a YubiKey for code signing, you will typically need:
For authentication, you’ll present the YubiKey when prompted by the code signing software. The software will use the OTP, FIDO credential or private key on the YubiKey to verify your identity.
For key storage, the private key used for code signing always remains securely stored on the YubiKey. The code signing software interacts with the YubiKey to perform signing operations with that private key.
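As an added example (not code from the original article or from Yubico), the following PowerShell script shows the key-store workflow on Windows: it finds a code signing certificate in the user store, confirms that its private key is held by the smart card key storage provider (i.e., on the token rather than in a software key store), and then signs and verifies an artifact with signtool. The artifact path and the timestamp URL are placeholders, and signtool.exe plus the YubiKey minidriver are assumed to be installed.

```powershell
# Added example: locate a code signing certificate whose private key lives on a
# smart card / YubiKey, confirm it is hardware-backed, then sign with signtool.
# Assumptions: signtool.exe (Windows SDK) is on PATH; the YubiKey minidriver is
# installed; the artifact path and timestamp URL below are placeholders.
param(
    [string]$File = 'C:\build\MyApp.exe',                       # artifact to sign (placeholder)
    [string]$TimestampUrl = 'http://timestamp.example.invalid'  # RFC 3161 TSA (placeholder)
)

$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Candidates: personal store, has a private key, carries the Code Signing EKU.
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningEku })
}

$cert = $null
foreach ($c in $candidates) {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $provider = $rsa.Key.Provider.Provider
        # Accept only keys held by the smart card KSP: the private key stays on the token
        # and Windows forwards signing operations to it instead of loading key material.
        if ($provider -eq 'Microsoft Smart Card Key Storage Provider') {
            Write-Host "Using $($c.Subject) (thumbprint $($c.Thumbprint)) via $provider"
            $cert = $c
            break
        }
        Write-Host "Skipping $($c.Subject): key is in '$provider', not on a token"
    }
}
if (-not $cert) { throw 'No hardware-backed code signing certificate found' }

# Select the certificate by thumbprint; the minidriver prompts for the token PIN.
& signtool.exe sign /sha1 $cert.Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed ($LASTEXITCODE)" }

# Verify that the resulting Authenticode signature chains to a trusted root.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signature verification failed ($LASTEXITCODE)" }
```

Certificates whose key sits in a software provider are skipped, which is the check a release pipeline should make before trusting that a signature was produced on the token.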
Cloud-based key storage is an attractive option for those seeking a simplified code signing process without compromising security. This method stores private keys in a secure cloud environment equipped with HSM capabilities.
In conclusion, you can choose any one of the following delivery options to comply with the security guidelines:
It is important to note that the delivery method cannot be changed once you have purchased the certificate. Hence, choose it carefully!