Knowledge Base

Description

Starting June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. See our knowledge base article, New private key storage requirement for Standard Code Signing certificates.

This requirement affects new, renewal, and reissue code signing certificate requests.

Important: DigiCert will update this article as new information becomes available.

 

DigiCert’s timeline for changes

DigiCert’s timeline ensures we update our code signing certificate process so that private keys for code signing certificates are stored on hardware certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent by May 30, 2023. Our timeline also allows you to transition to the supported provisioning methods by May 16, 2023.

• May 2, 2023, changes
  
  CertCentral: Use one of the new hardware token and hardware security module (HSM) provisioning methods when you order or renew a code signing certificate.
  
  Services API: Update your code signing certificate API integrations. Starting May 2, the Services API will allow you to create code signing orders using the current CSR form or the new provisioning methods.
  
  CertCentral account settings: CertCentral will allow you to set a default provisioning method for code signing and EV code signing orders. CertCentral will also allow you to add a default shipping address for DigiCert-provided tokens. If your code signing certificate request omits a provisioning method or a required token shipping address, DigiCert will use your account's default settings when processing your requests.
  • CertCentral Code signing certificate request form changes.
  • CertCentral Preferences page changes.
  • EV code signing certificate changes.
  • API changes for code signing certificate integrations.
    
    
• May 16, 2023, changes
  
  DigiCert will stop accepting code signing requests using the current CSR form. You must also stop using the DigiCert Certificate Utility to create CSRs for your code signing certificate requests. This includes new, renewal, and reissue requests.
  • Code signing certificate order form changes.
  • CertCentral Preferences page changes.
  • Reissue code signing certificate changes.
  • API changes for code signing and EV code signing certificate integrations.
     
• May 30, 2023, changes
  
  DigiCert will stop issuing code signing certificates using the current CSR form per the new code signing private key storage requirements.
  • Starting May 30, DigiCert will stop issuing certificates for pending requests using the current CSR form. You need to cancel these requests and resubmit them with another provisioning method.
  • DigiCert-provided hardware token changes:
    • Token cost $120.00 (USD).
    • DigiCert ships blank tokens.
    • You install the certificate on the token.
  • Hardware security module (HSM) provisioning method changes
  • EV Code Signing certificate revocation changes.
  • DigiCert’s new cloud-based solution, KeyLocker, will be available.
     

Background

Currently, new, renewal and reissue code signing certificate requests support the CSR form.

• When you include a CSR with your certificate request, you can download the issued certificate from your CertCentral account.
• When you don’t include a CSR with your certificate request, we email instructions for using the DigiCert KeyGen tool to generate your code signing certificate.
   

The new supported provisioning methods ensure your private key and certificate are stored on hardware certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent.

• DigiCert-provided hardware token.
  We ship the certificated hardware token to your shipping address and email instructions for installing the certificate on your supported token.
  
  
• My own supported hardware token.
  We email instructions for installing the certificate on your supported token.
  
  
• Install on hardware security module (HSM).
  To generate a private key, you must have a Common Criteria EAL4+ or FIPS 140-2 Level 2 HSM. Then you can include a CSR with your certificate request. We email you a copy of your certificate, and you install it on your HSM.
   

May 2, 2023, changes

Starting May 2, at approximately 12:00 MDT (18:00 UTC), you can select one of the new hardware token and hardware security module (HSM) provisioning methods when you order or renew a code signing certificate.

CertCentral code signing certificate request form changes

On the code signing certificate request forms, we will provide the following provisioning options for you to choose from:

• Provide a CSR*.
• DigiCert-provided hardware token.
• My own supported hardware token.
• Install on hardware security module (HSM).

NOTE:   Current provisioning method for code signing certificates. 

CertCentral Preferences page changes

DigiCert is adding new account settings that affect code signing and EV code signing request pages in CertCentral and Services API integrations. CertCentral administrators should check the default settings applied to their accounts and update them as needed to meet the needs of their code signing and EV code signing certificate processes.

These new settings allow you to control which provisioning methods will appear on the code signing and EV code signing certificate request forms, set a default provisioning method when two or more methods are available, and add a default shipping address for the DigiCert-provided hardware token.

On the Preferences page (in the left main menu, go to Settings > Preferences), we will add the settings listed below under code signing and EV code signing certificate settings. 

• Select the provisioning methods to include on your code signing request form.
  • Provide a CSR (code signing only).
  • DigiCert-provided hardware token.
  • My own supported hardware token
  • Install on hardware security module (HSM).
     
• Set a default provisioning method for code signing certificate requests when two or more methods are available. 
  We will set the Provide a CSR (code signing only) option as the default provision method for code signing requests upon release.
  
  Note:
  If your code signing certificate request omits a provisioning method, DigiCert will use your account's default provisioning method setting when processing your requests.
  
  
• Set a default provisioning method for EV code signing requests when two or more methods are available.
  We will set the DigiCert-provided hardware token option as the default provisioning method for EV code signing requests upon release.
  
  
• Add a default shipping address for the DigiCert-provided hardware token.
  This default address applies to code signing and EV code signing certificates
  • This is also the default address for API requests using the DigiCert-provided token provisioning method that omits a shipping address.
  • Requestors can still update the shipping address as needed.
  • API integrations can override the default address by providing an address in the request body.

May 2 API changes for code signing and EV code signing certificate integrations

Code signing certificate request changes

On May 2, 2023, you may begin updating your code signing certificate API integrations. The API will start accepting orders for code signing certificates using the new provisioning methods. 

For more information, see our CertCentral Services API documentation:  Order a code signing certificate.

 

Items to note:

1. Until May 16, code signing requests will continue supporting the current provisioning method: 
   Provide a CSR.
2. The new code signing request body will be similar to the EV code signing request body.
   To use the new provisioning methods, use these parameters:
   •  cs_provisioning_method: specify the provisioning method you will use to store your private key and certificate. If requests don’t include the cs_provisioning_method parameter, we will use the default provisioning method set for your account on the CertCentral Preferences page.
   • ship_info: for requests using the ship token provisioning method (ship_token), specify the shipping address for the DigiCert-provided token.
     If the request uses the ship token provisioning method ("cs_provisioning_method": "ship_token") but omits a shipping address (ship_info), we will ship the token to the default shipping address set up for your account.
3. Verify the default shipping address.
   DigiCert will add a setting on the Preferences page that lets you enter a default shipping address for code signing and EV code signing certificate requests using the ship_token provisioning method. This affects requests submitted without a shipping address. See CertCentral Preferences page changes above.
   
   DigiCert recommends verifying that the default shipping address will work for code signing certificate requests submitted without a shipping address.

May 16, 2023, changes

Starting May 16, at approximately 12:00 MDT (18:00 UTC), DigiCert will stop accepting requests using the Provide a CSR method.

We will remove the Provide a CSR method from CertCentral. You will no longer see this provisioning method when requesting, renewing, and reissuing a code signing certificate.

Code signing certificate order form changes

On the code signing certificate request forms, we will only provide the following provisioning options:

• DigiCert-provided hardware token.
  This provisioning method will be the default method for code signing certificate requests. 
• My own supported hardware token.
• Install on hardware security module (HSM).

Warning: Starting May 30, DigiCert can no longer issue certificates for requests that do not meet the new private key storage requirement. For more information about what you can do to ensure your certificates are issued before May 30, see the What’s next section in our Order a Code Signing certificate instructions.

 

CertCentral Preferences page changes

On the Preferences page, the Provide a CSR provisioning option will be removed to align with new industry standards. For accounts that used Provide a CSR as the default option before May 16, we will set the default provisioning method to DigiCert-provided hardware token.

CertCentral administrators can still control which provisioning methods will appear on the code signing certificate request forms and set a default method when two or more methods are available.

Reissue code signing certificate changes

You can change the provisioning method when reissuing your Code Signing or EV Code Signing certificate. Before May 16, you had to order a new certificate to change the provisioning method.

May 16 API changes for code signing and EV code signing certificate integrations

Code signing certificate request changes

If your certificate request omits a provisioning method or a required token shipping address, DigiCert will use your account's default settings when processing your requests.

Items to note:

• Omit the provisioning method.
  For accounts that used Provide a CSR as the default option before May 16, we will set the default provisioning method to DigiCert-provided hardware token ("cs_provisioning_method": "ship_token").
• Convert server_platfom.id of 51 – 57 to -1 (other)
  If the request includes a server_platform.id of 51 – 57, we will automatically convert the server_platform.id to -1 (other) before creating the order or order request.

EV code signing certificate request changes

The Services API will no longer return errors for EV code signing certificate requests that omit a provisioning method or use the DigiCert-provided token provisioning method but omit a shipping address. Instead, we will use your account default settings to update requests to ensure they are successfully submitted.

Items to note:

• Omit the provisioning method.
  
  If your request omits a provisioning method (cs_provisioning_method), we will use the default provisioning method set for your account.
  
  
• Omit the shipping address for the ship token provisioning method.
  
  If the request uses the ship token provisioning method ("cs_provisioning_method": "ship_token") but does not include a shipping address (ship_info), we will ship the token to the default shipping address set up for your account.
  
  DigiCert recommends verifying that the default shipping address will work for EV code signing certificate requests submitted without a shipping address.

May 30, 2023, changes

DigiCert to stop issuing code signing certificates using the Provide a CSR provisioning method

On May 30, 2023, DigiCert will no longer issue Code Signing certificates using a provisioning method that does not meet the new private key storage requirement. This includes new, renewal, and reissue requests.

How does this affect my pending code signing certificate orders?

To get your pending Provide a CSR provisioning method certificates, you must do the following:

• Cancel pending orders using the Provide a CSR provisioning method.
• Place new requests using one of the supported provisioning methods.

To avoid this problem, issue your code signing certificates by May 29, 2023, before we make the changes.

DigiCert-provided hardware token changes

Starting May 30, DigiCert will make the changes below to the DigiCert-provided hardware token option for code signing and EV code signing certificates.

• DigiCert-provided token cost: $120.00 (USD).
  DigiCert will no longer include a DigiCert-provided hardware token in the cost of code signing and EV code signing certificates. When you request, reissue, or renew a code signing and EV code signing certificate, selecting the DigiCert-provided token provisioning method will add a $120.00 (USD) charge for the token to your order.
• Ship blank tokens for code signing and EV Code Signing certificate orders.
  DigiCert will no longer install your code signing and EV code signing certificates on the DigiCert-provided hardware tokens. Instead, we will ship you a blank hardware token and provide instructions for installing your certificate on the token.

Hardware security module (HSM) agreement email

Starting May 30, 2023, when you use the HSM provisioning method for your Code Signing or EV Code Signing certificate request, you will need to agree to the private key protection requirements for HSMs before we can issue your certificate.

• How does the new HSM process work?
  When you choose to store your private key and certificate on an HSM, we will send the certificate requestor an agreement email. This email is to ensure that a private key is stored on an HSM that is certified as FIPS 140-2 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert will only issue the certificate after the requester agrees to the private key protection requirement.
  
  
• How does this affect my Code Signing and EV Code Signing certificate API integrations?
  Before May 30, if the needed validation for the request was completed (up-to-date), we immediately issued your certificate. However, with this change, you will need to agree to the private key protection requirements for HSMs before we can issue your certificate.

EV Code Signing revocation changes

If you need to revoke an EV Code Signing certificate, you can now do it from your CertCentral account or via the Services API. Before May 16, you had to send the EV Code Signing certificate hardware token to DigiCert, and we would revoke the certificate for you.

New DigiCert cloud-based HSM solution

May 30, 2023, DigiCert KeyLocker general availability. For those who want to eliminate the need for tokens.

DigiCert KeyLocker delivers strong key protection for code signing and extended validation (EV) code signing private keys in a cloud-delivered service that meets CA/B Forum requirements. KeyLocker provides secure key storage, key generation, and signing without the constraints of a physical token.