Code signing changes in 2023

Solution ID : AL310523141628
Last Modified : 10/21/2023

New Code Signing certificate private key storage requirement

Starting May 30, 2023, DigiCert requires private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

DigiCert's timeline ensured that our code signing certificate process was updated by June 1, 2023, so that private keys for code signing certificates are stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

Reminder: On June 1, 2023, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

For more information about these changes, see our knowledge base articles:


Frequently asked questions

What if I need to reissue my code signing certificate after May 30?

Code signing certificates can be reissued. However, the reissued certificate and its private key must be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent that supports 3072-bit or larger keys.

When reissuing your code signing certificate, you will need to select a provisioning method:

  • You can use an existing hardware token if you already have a supported token: SafeNet 5110 CC, SafeNet 5110+ FIPS, and SafeNet 5110 FIPS.
  • If you don't have a supported hardware token, you can use a DigiCert-provided hardware token as the provisioning method.

You can also use the reissue process to replace older tokens that do not meet the current RSA key size requirements.


Is there a cost to reissue my code signing certificate?

This depends on the provisioning method you select. See the chart below.

| Provisioning Options | Additional Cost: Yes/No | Price (USD) |
|---|---|---|
| DigiCert provided hardware token | Yes | $120 |
| Use existing token | No | - |
| Install on an HSM | No | - |
| DigiCert KeyLocker | Yes | Reach out to your account manager |


Can I get a new security token when I renew my Code Signing certificate?

When you renew a certificate, you can get a new token as part of your order by selecting DigiCert-provided hardware token as the provisioning method. See Renew a Code Signing certificate.


Can I order extra eTokens?

Additional USB eTokens can be purchased to go with your Code Signing order. To purchase additional tokens, you must reissue your Code Signing certificate. On the reissue form, select DigiCert provided hardware token as the provisioning method.


If I want to get my own supported token, which eTokens does DigiCert support?

| Token | Capabilities | Bits |
|---|---|---|
| SafeNet 5110 FIPS | ECC P-256 | 3072/4096 |
| | ECC P-384 | 3072/4096 |
| SafeNet 5110 CC* | RSA 4096 | 4096 |
| | ECC P-256 | 4096 |
| | ECC P-384 | 4096 |
| SafeNet 5110+ FIPS* | RSA 4096 | 4096 |
| | ECC P-256 | 4096 |
| | ECC P-384 | 4096 |

*Note: SafeNet 5110 CC and SafeNet 5110+ FIPS support a minimum of 4096 bits, even though the industry standard is 3072 bits.


How do I get the new provisioning method DigiCert KeyLocker enabled for my account?

Reach out to your account manager or our sales team to assist with getting DigiCert KeyLocker enabled for your account.