Updated Requirements for Code Signing Certificate Private Keys

The CA/Browser Forum has approved Ballot CSC-13, which aims to increase the protection of code signing certificate private keys by using hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL4+.

What are the updated requirements?

The Code Signing Baseline Requirements (CSBRs) address the issuance of extended validation (EV) and non-EV code signing certificates. Previously, the CSBRs had different private key protection requirements for EV and non-EV code signing certificates. For instance, the non-EV key pair could be generated in software, which would easily allow the private key to be distributed and thereby increase the potential risk of it being compromised.

Effective 15 November 2022, the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL4+. This means the key pair will be generated in a device, where the private key cannot be exported. This will help to minimize the chance of the private key being compromised.

There is flexibility regarding where the code signing certificate subscriber may use a hardware crypto module, which is operated by:

  • The subscriber, such as a secure token or a server hardware security module (HSM)
  • A cloud service, such as AWS or Azure
  • A signing service that can be provided by the certification authority (CA) or another trusted service provider

In addition, the CA must verify or ensure the private key was generated in a hardware crypto module using one of the following methods:

  • CA ships a hardware crypto module with pre-generated key pair(s)
  • Subscriber certificate request is counter-signed by the hardware crypto module providing remote key attestation
  • Subscriber uses a CA enforced prescribed crypto library and a suitable hardware crypto module combination
  • Subscriber provides an internal or external IT audit indicating that it is only using a suitable hardware crypto module to generate the key pair(s)
  • Subscriber provides a suitable report from the cloud-based key protection solution subscription and resources configuration protecting the private key in hardware crypto module
  • CA relies on a report signed by an auditor who witnesses the key pair generation in a subscriber-hosted or cloud-based hardware crypto module
  • Subscriber provides an agreement that they use a signing service meeting the CSBRs

The goal is to reduce code signing certificate private key compromise, which mitigates risk to relying parties of installing signed malware in their systems.


Source: Security Boulevard - CA/Browser Forum Updates Requirements for Code Signing Certificate Private Keys - Security Boulevard


Another successful HSM training

Technical training on HSMCREAplus successfully delivered another online hands-on technical training on Utimaco hardware security module (HSM).

Read more ...

Protecting digital identities

Protecting Digital Identities, 14 September 2022, Vienna, AustriaWould you like to get the latest information on PKI & IoT, eSigning & eIDAS and PQC?Join us on 14 September 2022 in Vienna! 

Read more ...

CREAplus obtained the Excellent SME certificate

Excellent SMECREAplus received the Excellent SME certificate, issued by the Chamber of Commerce and Industry and credit rating agency Coface.


Read more ...

Protecting Digital Identities - Save the Date!

Excellent SMESave the date! Plan to attend our event "Protecting Digital Identities" on Wednesday, 14 September 2022, in Vienna, Austria. 

Read more ...

u.trust 360 v4.0 - Centralized Management and Monitoring Platform

u.trust 360 v4.0u.trust 360 v4.0 - the next generation of easy and convenient HSM administration is available now! 

Read more ...