Regulatory changes in Code Signing certificates
Code Signing certificates are a cryptographic tool for digitally signing software. For a signature to be worth anything, however, the private key that produces it must be properly protected. Until now, the rules governing these certificates allowed, in certain cases, the key pair to be generated in software on an ordinary computer. A software-held key can be copied, and a leaked private key lets an attacker sign modified or malicious code that verifies as coming from the legitimate publisher. This is why the private key should be kept on a secure device. Accordingly, on May 22 the CA/Browser Forum, the industry body whose Baseline Requirements govern publicly trusted X.509 certificates, passed ballot CSC-13, which raises the protection required for the private keys of code-signing certificates.
How will the new regulations affect Code Signing certificates?
Effective November 15, 2022, private keys for Code Signing certificates must be generated and stored on a secure cryptographic device certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+. This replaces the earlier provisions, which allowed keys to be generated in software or on a TPM (Trusted Platform Module). In practice, the key pair is generated on a device from which the private key cannot be exported: it can be used for signing, but never copied off the device. The following will be allowed:
- generating and storing the keys on a secure cryptographic device, such as the Starcos 3.5 card recommended by Certum or a hardware security module (HSM),
- generating or storing the keys in the cloud; Certum has promoted cloud solutions and offered certificate generation in the Certum cloud for years,
- storing the key in a signing service operated by the Certification Authority or a Trust Service Provider (Signing Service).
What is the goal of the latest changes?
The primary goal of the change is to strengthen protection of the private key used in the code signing process, which minimizes the risk of that key being stolen or otherwise compromised. It also consolidates the existing provisions so that it is unambiguous how the key must be stored. Fewer compromised code-signing keys means a lower risk of relying parties installing signed malware on their systems.
What certificates are affected by the change?
EV Code Signing certificates have required hardware-protected keys all along, so the change affects the remaining certificate types issued after November 15, 2022, that is:
- Standard Code Signing,
- Open Source Code Signing,
How will the change be implemented?
Every certification authority authorized to issue Code Signing certificates will have to ensure that the private key was generated in a hardware cryptographic module, using, among other methods, one of the following:
- providing the User with a hardware cryptographic module with pre-generated key pairs,
- providing a cloud solution in which the keys are generated in the cloud,
- obtaining assurance from the User, through an internal or external IT audit, that the User used only an appropriate hardware cryptographic module to generate the key pair.
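Whether a key qualifies under the new rules comes down to two properties of where it lives: it must be held by a hardware provider, and it must not be exportable. The PowerShell function below, added here as an example and not part of Certum's offering or the ballot text, inventories the code-signing certificates in a Windows certificate store (the store signtool normally uses) and reports the key storage provider, exportability and a compliance verdict for each, which is the kind of evidence a subscriber or auditor would gather before a certificate request. The function name and the list of provider names treated as hardware are assumptions made for this example.

```powershell
# Added example, not Certum's code: list code-signing certificates in a Windows
# certificate store and report where each private key lives and whether it is
# marked exportable. Under CSC-13 a CA can only accept keys that are held by a
# hardware provider and are not exportable.
function Get-CodeSigningKeyStorage {
    param(
        # Store to inspect; CurrentUser\My is where signtool normally looks.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    $codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

    Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku)
    } | ForEach-Object {
        $cert = $_
        # Resolve the private key through the CNG-aware .NET helpers; the plain
        # $cert.PrivateKey property is null for CNG keys in Windows PowerShell 5.1.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        }

        $provider = 'unknown'; $exportable = $null; $hardware = $null
        if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            # CNG key: the KSP name tells us where it lives (software, smart card, TPM, HSM).
            $provider   = $key.Key.Provider.Provider
            $exportable = $key.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
            # Assumption for this example: the Microsoft smart-card and TPM KSPs and any
            # KSP with "HSM" in its name count as hardware; everything else is software.
            $hardware   = [bool]($provider -match 'Smart Card|Platform Crypto|HSM')
        } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: CspKeyContainerInfo reports exportability and hardware directly.
            $info       = $key.CspKeyContainerInfo
            $provider   = $info.ProviderName
            $exportable = $info.Exportable
            $hardware   = $info.HardwareDevice
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = $provider
            Exportable = $exportable
            InHardware = $hardware
            # Both conditions must hold; unknown provider types stay non-compliant.
            Compliant  = ($hardware -eq $true) -and ($exportable -eq $false)
        }
    }
}

# Usage: show only the keys that would not satisfy the hardware requirement.
Get-CodeSigningKeyStorage | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Reading a key's properties from a smart-card or TPM provider may trigger a PIN prompt, because the provider has to open the key to answer. A key reported as held by "Microsoft Software Key Storage Provider" or a software CSP is exactly the case the new rules exclude, even when it is marked non-exportable, since software-only protection is what the ballot removes.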
Certum’s readiness for the above changes
Certum supports the change and has for years promoted secure key storage in the Certum SimplySign cloud or on a cryptographic card, in line with the new requirements. At Certum, the role of the secure device is fulfilled by:
- a Starcos 3.5 cryptographic card – Certum Code Signing Set,
- Certum EV Code Signing in the cloud.
Thanks to its convenience, more and more Users are choosing the cloud solution, which eliminates the need for a card; this is especially true for the highest tier, EV Code Signing.