Ask a Question

Advanced Search

Alert ID : GN110822183726

Last Modified : 09/27/2022

New private key storage requirement for Standard Code Signing certificates


Update: To provide you with more time to prepare for the new OV code signing certificate private key storage requirement, the industry has postponed the rollout until June 1, 2023. See Voting results Ballot CSCWG-17: Subscriber Private Key Extension.


Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for standard code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection.

How do these new requirements affect my code signing certificate process? 

The new private storage key requirement affects code signing certificates issued from June 1, 2023, and impacts the following parts of your code signing process: 

  • Private key storage and certificate installation
    This new requirement means Certificate Authorities (CAs) can no longer support browser-based key generation and certificate installation or any other process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server. Private keys and certificates must be stored and installed on tokens or HSMs (hardware security modules) certified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
  • Signing code
    To use a token-based code signing certificate, you need access to the token or HSM and the credentials to use the certificate stored on it. For example, you must plug the token into your computer for token-based code signing. Then you need the password to sign your code with the code signing certificate on the token. 

  • Ordering and renewing code signing certificates after June 1, 2023
    When ordering and renewing a standard code signing certificate, you must select a provisioning method. In other words, choose the hardware to store the private key on. Like EV code signing, they have three provisioning options. 

    - DigiCert provided hardware token
    - Existing supported hardware token
    - Hardware security module (HSM)

    Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. To use an HSM, you must submit an attestation letter that includes an audit letter. 
  • Reissuing certificates after June 1, 2023
    When reissuing code signing certificates, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from DigiCert at that time.

    DigiCert is working on the process for purchasing tokens when reissuing your code signing certificates. 

Want to eliminate the need for hardware tokens? 

Transition to DigiCert® Secure Software Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process. 

Key capabilities:

  • HSM key storage—industry compliant 
  • Policy enforcement 
  • Centralized management  
  • Integration with CI/CD pipelines 
  • And more 

To learn more about how DigiCert Secure Software Manager has helped other organizations, see our case study Automated Signing Speeds Build Times While Improving the User Experience

Please contact DigiCert Support for further assistance.

Join us on, Navigating the New OV Code Signing Requirements Webinar

Join us at 11 am ET on Tuesday, September 27th, for this educational webinar as we walk through all the different options available to our code-signing customers.