DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

New private key storage requirement for Code Signing certificates

Solution ID : GN110822183726
Last Modified : 11/01/2023

Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for standard code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection.

How do these new requirements affect my code signing certificate process? 

The new private storage key requirement affects code signing certificates issued from June 1, 2023, and impacts the following parts of your code signing process: 

  • Private key storage and certificate installation
    This new requirement means Certificate Authorities (CAs) can no longer support browser-based key generation and certificate installation or any other process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server. Private keys and certificates must be stored and installed on tokens or HSMs (hardware security modules) certified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
  • Signing code
    To use a token-based code signing certificate, you need access to the token or HSM and the credentials to use the certificate stored on it. For example, you must plug the token into your computer for token-based code signing. Then you need the password to sign your code with the code signing certificate on the token. 
  • Ordering and renewing code signing certificates after June 1, 2023
    When ordering and renewing a standard code signing certificate, you must select a provisioning method. In other words, choose the hardware to store the private key on. Like EV code signing, they have three provisioning options.

    - DigiCert provided hardware token – $120.00 (USD)
    - Existing supported hardware token
    - Hardware security module (HSM)

    Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. To use an HSM, you must comply with the requirements found in Section 13 (Security and Use of Key Sets) in the Digital Certificates by DigiCert – Terms of Use
  • Reissuing certificates after June 1, 2023
    When reissuing code signing certificates, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from DigiCert at that time for $120.00 (USD).

Protect your brand and your users with a DigiCert Verified Mark Certificate.

Want to eliminate the need for hardware tokens? 

DigiCert® KeyLocker: General availability coming May 30, 2023

Want to eliminate tokens from your code signing certificate process? DigiCert will begin offering our new cloud-based solution, KeyLocker, where you can generate a private key and a CSR for code signing and EV code signing certificates. More information coming….

DigiCert® Software Trust Manager

Looking for something more robust? Transition to DigiCert® Software Trust Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process. 

Key capabilities:

  • HSM key storage—industry compliant
  • Policy enforcement 
  • Centralized management  
  • Integration with CI/CD pipelines 
  • And more 

To learn more about how DigiCert® Software Trust Manager has helped other organizations, see our case study Automated Signing Speeds Build Times While Improving the User Experience

Please contact DigiCert Support for further assistance.