Hardware Token is a must for OV Code Signing from June 1,2023

Starting June 1, 2023, code signing certificate keys must be stored on a hardware security module or token that’s certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This is intended to fight against an increasingly common problem—stolen code signing keys being used to sign and distribute malware.

To meet these new requirements, CAs will (in most cases) ship a compliant hardware token to the customer as part of the code signing product purchase.

A user will have to use the following options to generate and protect the private key for the OV code signing certificate,

• The Trusted Platform Module (TPM) will help users generate and secure a private key. Further, it allows customers to document their information and private key generation through a TPM key.
• HSM is a secure way to generate and protect users’ private keys. Therefore, it should have a unit design form factor compliant with FIPS 140‐2 Level 2 and Common Criteria EAL 4+, or equivalent.
• Hardware storage tokens can be used with a USB or SD card design that may not be compliant or certified FIPS 140‐2 Level 2 or Common Criteria EAL 4+. However, a user must also keep the USB or SD card away from the device on which the code signing certificate is hosted.

OV Code Cigning Certificate application process has following stages,

• CSR generation
• Authentication and validation
• Issue of certificate
• Download and install of certificate

If you have any further questions, please reach out at the email sales@thessllock.com.