New Requirements related to Private Key protection for CodeSigning Certificates

Feb 12, 2024

Background

The Certificate Authority/Browser (CA/B) Forum has introduced updates to the Baseline Requirements (BRs) for issuing CodeSigning Certificates. Effective June 1, 2023, the private key should be generated and protected in a FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant device for both Standard and EV CodeSigning Certificates. For Standard CodeSigning Certificate users, this means that the key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL 4+. In addition, the updates stipulate specific ways in which the CA should verify that the private key is generated and protected on a compliant device.

The objective of these updates is to increase the protection of the private keys associated with CodeSigning Certificates and to reduce the risk of malware being signed with these keys.

Change or Impact

To be compliant, a subscriber will need to meet the following prerequisites for CodeSigning Certificates issued by GlobalSign effective April 23, 2023:

  1. A compliant hardware token or HSM is required for the Standard CodeSigning Certificate.
  2. If the Certificate is issued on an HSM, an internal or external audit letter is required stating that the subscriber will be using compliant HSMs for CodeSigning Certificates.
  3. For the issuance of any CodeSigning Certificate (Standard or EV) on a token, you will need to select one of the following two options at the time of order:

    1. Install using Fortify: If this method is selected, you will need to install the Fortify application from https://fortifyapp.com/ and follow the instructions provided on the GlobalSign support website.
    2. Install using IE compatibility mode: You will need to run Internet Explorer compatibility mode in Edge and then install the Certificate. Instructions for this are available in our support centre.

If you are a Standard CodeSigning Certificate user from GlobalSign and reissue your Certificate after April 24, 2023, GlobalSign will ship you a compliant token (if one was not provided earlier).

Frequently Asked Questions

  1. Will it be possible to download the .PFX format of the Standard CodeSigning Certificate?

    Effective April 24, 2023, you will need to install the Certificate directly into a FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant device. You will be unable to download the Certificate in .PFX format.
  2. I have an existing Standard CodeSigning certificate. Will I be able to reissue my existing Certificate without a token?

    From April 24, 2023, you can only reissue a Certificate into a FIPS 140-2 Level 2 or Common Criteria EAL 4+ compliant device. We will ship you a token at the time of your reissuance request. You will be able to reissue an existing Certificate without a token before April 24, 2023.
  3. If a Certificate is reissued on an HSM, an internal or external audit letter will need to be in place stating that the subscriber will be using compliant HSMs for CodeSigning Certificates. If needed, the vetting department will reach out to you.

If you have any questions, please don't hesitate to contact a member of the GlobalSign Support Team.
