Updated Requirements for Code Signing Certificate Private Keys

The CA/Browser Forum has approved Ballot CSC-13, which aims to increase the protection of code signing certificate private keys by requiring a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL4+.

What are the updated requirements?

The Code Signing Baseline Requirements (CSBRs) address the issuance of extended validation (EV) and non-EV code signing certificates. Previously, the CSBRs had different private key protection requirements for EV and non-EV code signing certificates. For instance, the non-EV key pair could be generated in software, which allows the private key to be copied freely and so increases the risk of it being compromised.

Effective 15 November 2022, the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL4+. This means the key pair is generated in a device from which the private key cannot be exported, which minimizes the chance of the private key being compromised.

The subscriber has flexibility in where the hardware crypto module is located; it may be operated by:

  • The subscriber, such as a secure token or a server hardware security module (HSM)
  • A cloud service, such as AWS or Azure
  • A signing service that can be provided by the certification authority (CA) or another trusted service provider

In addition, the CA must verify or ensure the private key was generated in a hardware crypto module using one of the following methods:

  • CA ships a hardware crypto module with pre-generated key pair(s)
  • Subscriber certificate request is counter-signed by the hardware crypto module providing remote key attestation
  • Subscriber uses a CA-enforced, prescribed crypto library together with a suitable hardware crypto module
  • Subscriber provides an internal or external IT audit showing that it only uses a suitable hardware crypto module to generate the key pair(s)
  • Subscriber provides a suitable report from the cloud-based key protection service showing that the subscription and resource configuration keep the private key in a hardware crypto module
  • CA relies on a report signed by an auditor who witnesses the key pair generation in a subscriber-hosted or cloud-based hardware crypto module
  • Subscriber provides an agreement stating that it uses a signing service meeting the CSBRs
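Every verification method above answers the same two questions: does the module meet the certification floor, and was the key generated inside it rather than imported? The following added example (not part of the ballot or the Security Boulevard article) shows how a CA or auditor can answer both from the PKCS#11 object attributes a token or HSM reports for a private key. The CKA_* names are standard PKCS#11 attributes; the report dictionaries and the module metadata format are a constructed assumption so that the checks run offline.

```python
"""Worked check of the 'private key generated and kept in hardware' requirement.

Added example, not part of the ballot or the article. The CKA_* names are
standard PKCS#11 object attributes as read back from a token or HSM with
C_GetAttributeValue; the report dictionaries and module metadata format are a
constructed assumption used only to make the checks runnable offline.
"""

# Attributes the subscriber sets in the private-key template when calling
# C_GenerateKeyPair. Together they make the key unexportable in any form.
PROTECTION_ATTRS = {
    "CKA_TOKEN": True,         # persisted on the device, not a session object
    "CKA_PRIVATE": True,       # login required before the key can be used
    "CKA_SENSITIVE": True,     # value is never revealed in cleartext
    "CKA_EXTRACTABLE": False,  # cannot be wrapped out of the device
}

# Attributes the device maintains itself and the caller cannot set. They are
# what distinguishes a key generated on the device from one imported into it:
# a key loaded in cleartext with C_CreateObject has CKA_LOCAL false, and the
# two history flags record whether the protection attributes ever differed.
HISTORY_ATTRS = {
    "CKA_LOCAL": True,              # created by C_GenerateKeyPair on this device
    "CKA_ALWAYS_SENSITIVE": True,   # CKA_SENSITIVE has never been false
    "CKA_NEVER_EXTRACTABLE": True,  # CKA_EXTRACTABLE has never been true
}


def check_private_key(attrs):
    """Return policy violations for one private key object (empty = compliant)."""
    violations = []
    for name, want in {**PROTECTION_ATTRS, **HISTORY_ATTRS}.items():
        if name not in attrs:
            violations.append(f"{name}: not reported by the device")
        elif attrs[name] != want:
            violations.append(f"{name}: is {attrs[name]}, must be {want}")
    return violations


def module_meets_csbr(module):
    """True if the module certification reaches the CSC-13 floor:
    FIPS 140-2 Level 2 or higher, or Common Criteria EAL4+ or higher."""
    fips_level = module.get("fips_140_2_level", 0)
    eal = module.get("cc_eal", 0)
    augmented = module.get("cc_augmented", False)   # the '+' in EAL4+
    return fips_level >= 2 or eal > 4 or (eal == 4 and augmented)


def assess(report):
    """Combine both checks over one key report: (compliant, findings)."""
    findings = []
    if not module_meets_csbr(report["module"]):
        findings.append("module: certification below FIPS 140-2 L2 / CC EAL4+")
    findings.extend(check_private_key(report["key"]))
    return not findings, findings


# Constructed sample reports (placeholder module names, no real product data).
_HSM = {"vendor": "example-hsm (placeholder)", "fips_140_2_level": 3}
_SOFT = {"vendor": "example-soft-module (placeholder)", "fips_140_2_level": 1}

# Key pair generated on the HSM with the protection template above.
TOKEN_KEY_REPORT = {
    "module": _HSM,
    "key": {**PROTECTION_ATTRS, **HISTORY_ATTRS},
}

# Same HSM, but the key was generated in software and imported: the caller
# can still set the protection attributes, yet the device-maintained history
# attributes reveal the import.
IMPORTED_KEY_REPORT = {
    "module": _HSM,
    "key": {**PROTECTION_ATTRS,
            "CKA_LOCAL": False,
            "CKA_ALWAYS_SENSITIVE": False,
            "CKA_NEVER_EXTRACTABLE": False},
}

# Software module: every key attribute looks right, but the module itself
# does not meet the certification floor.
SOFTWARE_KEY_REPORT = {
    "module": _SOFT,
    "key": {**PROTECTION_ATTRS, **HISTORY_ATTRS},
}


if __name__ == "__main__":
    for label, report in [("token-generated", TOKEN_KEY_REPORT),
                          ("imported", IMPORTED_KEY_REPORT),
                          ("software module", SOFTWARE_KEY_REPORT)]:
        ok, findings = assess(report)
        print(f"{label}: {'compliant' if ok else 'NOT compliant'}")
        for finding in findings:
            print("  -", finding)
```

The point of the second sample is that a subscriber can set CKA_SENSITIVE and CKA_EXTRACTABLE on an imported key just as on a generated one, so those attributes alone prove nothing about where the key came from; CKA_LOCAL and the two history flags are device-maintained and are what an auditor or a remote attestation should actually be looking at.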

The goal is to reduce code signing certificate private key compromise, which in turn reduces the risk that relying parties install signed malware on their systems.


----
Source: Security Boulevard - CA/Browser Forum Updates Requirements for Code Signing Certificate Private Keys - Security Boulevard
