New Requirements related to Private Key protection for CodeSigning Certificates

Background

The Certificate Authority/Browser (CA/B) Forum has introduced updates to Baseline Requirements (BRs) for issuing CodeSigning Certificates. Effective 1st June 2023, a private key should be generated and protected in a FIPS 140‐2 Level 2 or Common Criteria EAL 4+ compliant devices for both Standard and EV CodeSigning Certificates. This would mean for Standard CodeSigning Certificate users, the key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+. In addition, the updates stipulates specific ways on how CA should ensure that private key is generated and protected on the compliant device.

The objective of these updates is to increase the protection of private keys associated with CodeSigning Certificates and reduce the risks of malware signing using these keys. 

Change or Impact

To be compliant, a subscriber would need to meet following prerequisites for issuing CodeSigning Certificates from GlobalSign effective 23 April 2023:

1. A compliant hardware token or HSM would be required for Standard CodeSigning Certificate
2. In case of issuing a Certificate on HSM, an internal or external audit letter will be required stating that subscriber will be using compliant HSMs for CodeSigning Certificates
3. For issuance of any CodeSigning Certificate (Standard or EV) on token, you will need to select one of the following two options at time of order:
    
   1. Install using Fortify - If this method is selected, you will need to install Fortify application from https://fortifyapp.com/ and follow the instructions provided on GlobalSign support here 
   2. Install using IE compatibility mode - You will need to run IE compatibility mode in Edge and then install the Certificate. Please find instructions for the same here from our support centre

If you are a Standard CodeSigning Certificate user from GlobalSign and try to resissue after 24 April 2023, GlobalSign will ship you a compliant token (in case not provided earlier). 

Frequently Asked Questions

1. Will it be possible to download the .PFX format of the Standard CodeSigning Certificate?
   
   Effective 24, April 2023, you will need to install the Certificate directly into a  FIPS 140-2 level 2 or Common Criteria EAL 4+ compliant device. User will not be able to download .PFX format of the Certificate. 
2. I have an existing Standard CodeSigning certificate. Will I be able to reissue my existing Certificate without a token?
   
   From 24, April 2023, you can only ressiue a Certificate in a FIPS 140-2 level 2 or Common Criteria EAL 4+ compliant device. We will be shipping you a token at the time of your reissuance request. You will be able to reissue exisiting Certificate without token before 24 April 2023. 

If you have any questions, please don't hesitate to contact a member of the GlobalSign Support Team.