
Attention: Important Changes in Sectigo Code Signing

Tags: Sectigo, NicSRS, SSL Certificate, Code Signing

Catherine, March 15, 2023

According to the latest Baseline Requirements of the CA/B Forum, starting from June 1, 2023, the private key of any newly issued OV code signing certificate must be generated and stored in a hardware crypto module that meets or exceeds FIPS 140 Level 2 or Common Criteria EAL 4+.

To comply with the CA/B Forum regulations, Sectigo will transition to HSM-based code signing certificates. After these changes, customers will no longer decide themselves how and where the private key is stored. Sectigo code signing certificates will be installed on a hardware security module (HSM) and shipped securely to the customer. It is important to note that Sectigo will implement these changes on May 8, 2023, three weeks ahead of the deadline set by the CA/B Forum.

How does this affect users?

1. The new requirements apply to OV code signing certificates only, as EV certificates are already issued on HSMs. OV and EV code signing certificates now follow the same standard for protecting private keys.
2. Customers can continue to use Sectigo code signing certificates issued and effective before May 8, 2023; no action is required for those.
3. From May 8, 2023, reissues, renewals, and new purchases of Sectigo code signing certificates must comply with the new CA/B Forum regulations.

Why has CA/B made the changes?

Before these changes, the private key of an OV code signing certificate could be generated locally, which easily led to unsafe handling and distribution of private keys and a high risk of key compromise. Under the new CA/B Forum regulations, both OV and EV code signing certificates will be issued on physical security hardware. Enforcing the key storage requirement improves the security of code signing certificates by keeping the private key out of unauthorized hands and limiting the consequences if a private key is ever compromised.

Can I Use My Own Hardware or Token?

Although customer-supplied hardware can be used for code signing certificates, it must have specific features and be supported by Sectigo’s verification system. Currently, the supported hardware includes Thales/SafeNet Luna and netHSM devices, and Yubico FIPS YubiKeys (for ECC keys only).

This list may be expanded in the future, as more hardware and services offer support for key attestation.

What is a code signing certificate used for?

Code signing allows software developers to add digital signatures to code and to include information about themselves and the integrity of the code within their software. End users who download digitally signed software can be confident that the code comes from a verified developer and has not been altered or corrupted since it was signed.

1. Eliminates the “Unknown publisher” security warning.
2. Increases the download and usage rate of the software.
3. Identifies and protects the developer’s identity.
4. Improves the software brand image and establishes brand trust.
5. Validates code integrity.

NicSRS recommends you check the expiration dates for your code signing certificates to see if you are affected by these changes. If you have any questions about these changes or the code signing certificate operation process under these new regulations, you can always reach out to us.
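The two points above, how a signature ties a binary to a verified publisher and detects later alteration, and the recommendation to check whether an existing certificate is affected by the May 8, 2023 cutoff, are illustrated by the following added example. It is not code from NicSRS or Sectigo. It builds a self-signed, code-signing-only ECDSA certificate as constructed test data (a real publisher certificate comes from the CA and its key would live on the HSM), signs the SHA-256 digest of a constructed artifact, verifies it, shows that a one-byte change breaks verification, and classifies a certificate against the cutoff date as the article describes it. The function names and the classification strings are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// cutoff is the date from which Sectigo issues OV code signing certificates on HSMs only.
var cutoff = time.Date(2023, time.May, 8, 0, 0, 0, 0, time.UTC)

// newCodeSigningCert builds a self-signed certificate restricted to code signing.
// Constructed test data only; a real certificate is CA-issued and its key is HSM-held.
func newCodeSigningCert(notBefore time.Time, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Publisher Ltd (constructed)"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signCode signs the SHA-256 digest of the artifact, which is what a signing tool does
// once the digest has been sent to the key, whether that key is in a file or on an HSM.
func signCode(key *ecdsa.PrivateKey, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyCode is the end-user side: the certificate must be valid for code signing and
// the signature must match the artifact exactly as it was signed.
func verifyCode(cert *x509.Certificate, artifact, sig []byte) error {
	allowed := false
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageCodeSigning {
			allowed = true
		}
	}
	if !allowed {
		return errors.New("certificate is not valid for code signing")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(artifact)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature mismatch: artifact altered or signed by another key")
	}
	return nil
}

// affectedByChange applies the article's guidance: certificates issued before the cutoff
// keep working until they expire; anything issued, renewed or reissued from the cutoff on
// must have its key generated and stored on an HSM or supported token.
func affectedByChange(cert *x509.Certificate, now time.Time) string {
	switch {
	case cert.NotBefore.Before(cutoff) && now.Before(cert.NotAfter):
		return "unaffected: issued before 2023-05-08 and still valid"
	case cert.NotBefore.Before(cutoff):
		return "expired: renewal must use an HSM-held key"
	default:
		return "issued on or after 2023-05-08: key must be on an HSM or supported token"
	}
}

func main() {
	cert, key, err := newCodeSigningCert(time.Date(2023, time.January, 10, 0, 0, 0, 0, time.UTC), 365)
	if err != nil {
		panic(err)
	}
	artifact := []byte("MZ\x90\x00 constructed installer bytes") // constructed, not a real binary
	sig, _ := signCode(key, artifact)
	fmt.Println("original verifies:", verifyCode(cert, artifact, sig) == nil)
	tampered := append([]byte{}, artifact...)
	tampered[5] ^= 0xff
	fmt.Println("tampered verifies:", verifyCode(cert, tampered, sig) == nil)
	fmt.Println(affectedByChange(cert, time.Date(2023, time.June, 1, 0, 0, 0, 0, time.UTC)))
}
```

The verification step deliberately checks the Extended Key Usage before the signature: a certificate whose signature checks out but that was never issued for code signing should still be rejected by a consumer.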

Read Sectigo’s notice here.

Note: The new regulations were originally scheduled to take effect in November 2022, but the CA/B Forum pushed the implementation deadline to June 1, 2023, allowing more time for preparation and adjustment.