Minimum Requirements for Code Signing

Feb 21, 2024

Certificate Authority Security Council's Minimum Requirements for the Issuance and Management of Code Signing Certificates

The Certificate Authority Security Council's (CASC) Minimum Requirements for the Issuance and Management of Code Signing Certificates are required by all Certificate Authorities (CAs) in order for their Code Signing Certificates to be trusted in the Windows platforms.  

Only EV Code Signing Certificates will be Issued with USB Tokens (updated December 9th December 2019)

The Minimum Requirements specify that CAs shall ensure stronger protection for private keys. All EV Code Signing Certificates, will require a USB token. All New and Renewal EV Code Signing orders will require a USB token to store the Certificate and protect the private key. Also, all standard Code Signing products - except for EV Code Signing - will be integrated to one “multi-platform” Code Signing Certificate.
Standard CodeSigning will no longer required to be provided on a token, as you will now have the option to generate and install your CodeSigning certificate on one of the following:

  1.  Trusted Platform Module (TPM)
  2. Hardware Crypto Module
  3. Another Hardware Software Token (SD Card/USB Token)

Inclusion of State and/or Locality in the subjectDN

The Minimum Requirements specify standardized and strict identity verification practices. GlobalSign requires Code Signing Certificates to contain State and/or Locality in the subjectDN. 

New Timestamping Requirements

The Minimum Requirements specify timestamping requirements. GlobalSign's dedicated Code Signing timestamp URLs for this purpose are listed below:
 

Hashing Algorithm New Timestamp URL
SHA-2 http://timestamp.globalsign.com/tsa/r6advanced1  

Problem Certificate Reporting and Revocation

The Minimum Requirements specify standardized requirements for problem Certificate reporting and revocation. "Problem Certificates" are Certificates suspected of private key compromise, used to sign suspect or malicious code, etc.
Most likely, a revocation will be requested by a malware researcher or an application software supplier, such as Microsoft, where users of their software may be installing suspect code or malware. In this case, if Microsoft were to ask GlobalSign to revoke the Certificate, within two days the Certificate must be revoked or Microsoft must be informed that GlobalSign has started an investigation. Problem Certificates can be reported directly through our website at: https://www.globalsign.com/en/report-abuse/ 
 
For more information, please refer to our blog post What Do The New Code Signing Certificate Requirements Mean For Developers.
If you'd like to know more about our Code Signing Certificates, read our Code Signing FAQ Support Article.

References

1. Minimum Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates  
2. Microsoft Trusted Root Program Requirements

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Atlas Discovery

Scan your endpoints to locate all of your Certificates.

Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.

Contact Support