Code Signing Key Storage Requirements Will Change on June 1, 2023

Important Announcement:

• Effective June 1, 2023, key storage requirements for Organization Validation (OV) and Individual Validation (IV) Code Signing Certificates will change. New code signing certificates will either be issued with Federal Information Processing Standard 140-2 (FIPS) validated Yubikey USB tokens or have signing operations enabled through the SSL.com eSigner Cloud Signing Service.   
• SSL.com is initiating the change based on new CA/Browser Forum requirements  by June 1, 2023.  
• After June 1, 2023, key material for all code signing certificates will no longer be exportible and there will no longer be activation links sent as part of the issuing process.  

Why Is This Occurring?

• Certificates that allow for key material to be exported are found to be less secure and more vulnerable to unauthorized use.  
• The modification enables more substantial trust in the code signing process by instituting safer key storage requirements. 
• It helps prevent unauthorized modification of software helping users limit the spread of malware, trojans, and other technology-based viruses. 

Impact of the Change: 

• This is an industry-wide mandate and affects everyone purchasing new, renewing, or reissuing OV (Organization Validated) or IV (Personal or Individual Validation) Code signing certificates. 
• The key material bound to affected code signing certificates will no longer be enabled for exporting through formats such as PKCS#12 or PFX to be installed in a certificate store or key manager. 
  • The options for key storage include:
    • SSL.com’s eSigner cloud signing service for remote signing
    • A secure FIPS-compliant security key USB device 
    • A dedicated cloud HSM service such as AWS CloudHSM or Azure Dedicated HSM 
    • An on-premises  FIPS-compliant Hardware Security Module (HSM)

Using an on-premises or cloud HSM service will require a key generation attestation

SSL.com Solution 

• SSL.com will begin deploying under the new guidance effective June 1, 2023. 
• If your organization needs Digital Code Signing, SSL.com has two options. 
  • The first is a USB token that complies with the FIPS (Federal Information Processing Standards) 140-02 
  • The other is through the SSL.com eSigner Cloud signing service. 
    • The link provides a complete summary of the various code signing certificates and cloud services available. 

The benefits of a Personal or Organization Code Signing Certificate:

• A digital signature displays a publicly trusted validated identity in either a personal name or an organization name.
• An intact digital signature proves software files remain uncompromised.
• The software is timestamped by SSL.com’s publicly trusted timestamp authority.
• Can be enrolled in our eSigner cloud signing service for remote signing.  https://www.ssl.com/esigner/
  • The service lets you conveniently add globally trusted digital signatures and timestamps to your software code from anywhere, with no need for USB tokens, HSMs, or other special hardware.
  • The eSigner signing operations and API enables integration with CI/CD services and signing automation.

For a higher level of trust and authentication, Extended Validation Code Signing certificates offer the highest level of security available in signing code. Click here for additional information. 

For Sales or Support Information 

SSL.com has a team standing by to assist with any questions, concerns, or problems. Contact information is below:

• SSL.com Sales

• 877-775-7328
• Email Sales@ssl.com
• SSL.com Service

• 775-237-8434
• Email: Support@ssl.com
• The SSL.com Chat Line is available for either sales or support

• It can be found in the lower right corner of the SSL.com home page.
• Https://ssl.com

You can also use the form below.