Ask a Question

Advanced Search

Alert ID : INFO2947

Last Modified : 05/17/2018

Private Key Protection Best Practices


In light of potential vulnerabilities that can be foreseen with regard to the unsecured storage of code-signing private keys, Thawte highly advocates to all code-signing customers to adhere to stringent private key management in order to protect your business and reduce the risk or stolen, misplaced or compromised code-signing private keys.

The following are the code-signing best practice solutions which Thawte strongly recommends to our customers for secure code-signing private key protection:

  1. A Trusted Platform Module (TPM) that generates and secures a key pair and that can document the Subscriber’s private key protection through a TPM key attestation.
  2. A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

If neither of the above two mentioned options are feasible, the alternative method is to choose another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140 Level 2 or Common Criteria EAL 4+). In the case of this solution you should ensure to keep the token physically separate from the device that hosts the code signing function until a signing session is begun.

At no stage should you leave code-signing private keys unsecured in a web browser or share code-signing private-keys with a third party (known or unknown) as to do so will dramatically increase the risk of bad actors having the capability to compromise your code-signing service and thus enhances the likelihood of the distribution of malware signed by your organization.