{"id":15615,"date":"2022-07-07T16:45:16","date_gmt":"2022-07-07T20:45:16","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=15615"},"modified":"2023-03-23T10:04:49","modified_gmt":"2023-03-23T14:04:49","slug":"changes-coming-to-ov-code-signing-certificates-keys-starting-nov-15","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/changes-coming-to-ov-code-signing-certificates-keys-starting-nov-15\/","title":{"rendered":"Changes Coming to OV Code Signing Certificates &#038; Keys Starting Nov. 15"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-ov-code-signing-certificates-and-key-generation-methods-are-getting-an-overhaul-they-ll-be-issued-on-physical-security-hardware-in-a-process-similar-to-how-ev-code-signing-certificates-are-currently-issued-explore-what-this-change-means-for-your-organization\">OV code signing certificates and key generation methods are getting an overhaul. They\u2019ll be issued on physical security hardware in a process similar to how EV code signing certificates are currently issued. 
Explore what this change means for your organization<\/h2>\n\n\n\n<div class=\"wp-block-advanced-gutenberg-blocks-notice is-variation-info has-icon\" data-type=\"info\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><circle cx=\"12\" cy=\"12\" r=\"10\"><\/circle><line x1=\"12\" y1=\"16\" x2=\"12\" y2=\"12\"><\/line><line x1=\"12\" y1=\"8\" x2=\"12\" y2=\"8\"><\/line><\/svg><p class=\"wp-block-advanced-gutenberg-blocks-notice__title\">Changes Were Pushed Back to June 1, 2023<\/p><p class=\"wp-block-advanced-gutenberg-blocks-notice__content\">After this article was published, industry leaders decided to <a href=\"https:\/\/www.thesslstore.com\/blog\/ov-code-signing-key-storage-requirement-changes-pushed-to-2023\/\">push back the date for rolling out the new secure key storage requirements<\/a> for organization validation (OV) code signing certificates to June 1, 2023. To learn more about the upcoming <a href=\"https:\/\/www.thesslstore.com\/blog\/code-signing-price-changes-as-cas-align-with-new-industry-standards\/\">changes to code signing certificate pricing as CAs align with the new industry standards<\/a>, check out our latest article on the topic.<\/p><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Earlier this year, <a href=\"https:\/\/threatpost.com\/nvidias-stolen-code-signing-certs-sign-malware\/178784\/\">NVIDIA experienced what happens<\/a> when bad guys get their hands on some of your organization\u2019s most sensitive digital assets: <a href=\"https:\/\/www.thesslstore.com\/blog\/protecting-your-software-from-cyberattacks-with-code-signing\/\">code signing<\/a> certificates. Cybercriminals used these stolen certificates to sign their malicious software. The purpose? 
To make it look like the malware programs legitimately came from the graphics processor company.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Preventing attacks like that is why the CA\/B Forum has voted to make some changes to the issuance and installation process for code signing certificates. But what do these changes mean for your business and code signing operations?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-you-need-to-know-an-overview-of-the-ov-code-signing-certificate-changes\">What You Need to Know (An Overview of the OV Code Signing Certificate Changes)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We won\u2019t dive too deep into all of the details since they\u2019re still being hashed out by the <a href=\"https:\/\/www.thesslstore.com\/blog\/what-is-a-certificate-authority-ca-and-what-do-they-do\/\">certificate authorities<\/a> (CAs). Our intention here is to give you a quick overview of what to expect in the coming months. We\u2019ll publish another blog post in a few months\u2019 time that will talk more about the specifics once we know more from the CAs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-what-will-occur-once-the-change-rolls-out\">What Will Occur Once the Change Rolls Out<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Starting Nov. 15, new and reissued publicly trusted organization validation (OV) and individual validation (IV) <a href=\"https:\/\/www.thesslstore.com\/products\/code-signing-certificates.aspx\">code signing certificates<\/a> will have to be issued or stored on preconfigured secure hardware by the issuing certificate authority (CA). 
In particular, this includes FIPS 140-2 Level 2, Common Criteria EAL 4+ (or equivalent) compliant devices or signing solutions (as a minimum) such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hardware security modules (HSMs), either cloud or physical appliances<\/li>\n\n\n\n<li>Physical security tokens such as USB hardware devices<\/li>\n\n\n\n<li>Key storage and signing services<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Note: FIPS stands for the Federal Information Processing Standards. We\u2019ll speak more about FIPS-compliant devices in a few moments.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Practically speaking, this will mean that all code signing certificates will be delivered in a way similar to how EV code signing certificates are today \u2014 shipped to the customer on a USB device, delivered to the customer\u2019s hardware security module (HSM), etc. (We\u2019ll share specific details about how all of this will work once the individual CAs announce them.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But a key takeaway is that you\u2019ll no longer be required to complete certificate signing requests (CSRs) yourself, since all that technical stuff will be handled on the CA\u2019s end.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-why-these-changes-are-occurring\">Why These Changes Are Occurring<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">These changes are outlined in the CA\/Browser Forum (CA\/B Forum) <a href=\"https:\/\/cabforum.org\/wp-content\/uploads\/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing.v2.8.pdf\">Baseline Requirements (BR) for the Issuance and Management of Code Signing<\/a> (version 2.8). It was updated via <a href=\"https:\/\/cabforum.org\/2022\/04\/06\/ballot-csc-13-update-to-subscriber-key-protection-requirements\/\">Ballot CSC-13 \u2014 Update to Subscriber Key Protection Requirements<\/a>, which applied to the previous version of the baseline requirements (v. 
2.7). The idea here is to make the certificates\u2019 private keys as secure as they would be with extended validation (EV) code signing certificates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Accomplishing this means that keys need to be securely stored to keep them out of the hands of bad guys (and other unauthorized users). According to section 16.3.1 Subscriber Private Key Protection of the code signing certificates BR (version 2.8):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cThe CA MUST obtain a contractual representation from the Subscriber that the Subscriber will use one of the following options to generate and protect their Code Signing Certificate Private Keys in a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-when-the-official-change-will-take-place\">When the Official Change Will Take Place<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The change will occur on Tuesday, Nov. 15, 2022 at 12 a.m. Coordinated Universal Time (UTC) \u2014 that\u2019s <strong>Monday, Nov. 14, 2022 at 7 p.m. Eastern Standard Time (EST) for our U.S. readers<\/strong>. However, it\u2019s important to note that <strong>some certificate authorities<\/strong> (such as DigiCert, Sectigo, etc.) <strong>may choose to implement the change ahead of schedule to ensure that there\u2019s time to address any issues before the CA\/B Forum\u2019s official deadline! 
<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Again, we\u2019ll share more specifics once the CAs finalize their plans.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-who-will-be-impacted-by-these-changes\">Who Will Be Impacted By These Changes<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This industry-wide mandate will affect anyone who purchases new OV code signing certificates on or after the November rollout. (This may also impact current OV code signing certificate holders who reissue or renew their existing certificates.) What if you\u2019re an individual developer who has an IV code signing certificate? Yes, this change will impact you as well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, it\u2019s important to note that this change won\u2019t impact you in the same way if you have an existing valid code signing certificate issued before the official change. Of course, the CA will have to recommend that you store your keys using one of the same methods. But you can still continue signing your software and other executables as you always have.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Existing certificate holders prior to the November date will have to affirm to their CA that they will use a secure method (trusted platform module, hardware crypto module, or hardware security token) to generate and protect their keys. 
After the November rollout, certificate holders must affirm that they\u2019ll use one of the following to securely store their keys:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An HSM or hardware security token<\/li>\n\n\n\n<li>A cloud-based key generation and protection solution<\/li>\n\n\n\n<li>A signing service that meets the requirements outlined in the CA\/B Forum\u2019s Baseline Requirements section 16.2<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-securing-your-code-signing-certificate-and-key-matters\">Why Securing Your Code Signing Certificate and Key Matters<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Code signing is a way for you or your organization to assert your organization\u2019s digital identity for your code, software, or other executables. It\u2019s the difference between seeing \u201cYour Company, Inc.\u201d in the Windows User Account Control popup field versus \u201cPublisher: Unknown\u201d warning messages. No one wants the latter to display when they try to download or install your software.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"418\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/user-account-control-unsigned-signed-software-comparison-1024x418.png\" alt=\"Side-by-side comparison screenshots of the Windows User Account Control pop-up screen. On the left is the unknown publisher warning message for unsigned software; on the right is a message that shows Microsoft Corporation as the verified publisher. 
\" class=\"wp-image-15631\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/user-account-control-unsigned-signed-software-comparison-1024x418.png 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/user-account-control-unsigned-signed-software-comparison-300x122.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/user-account-control-unsigned-signed-software-comparison-768x313.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/user-account-control-unsigned-signed-software-comparison.png 1056w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">A side-by-side comparison screenshot that shows what it looks like when users attempt to install unsigned (left) and digitally signed (right) software programs. The left message shows that the publisher is unknown, whereas the digitally signed certificate message on the right shows that the verified publisher is the Microsoft corporation.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Having those ugly warnings display isn\u2019t a good look if you want people to trust that your software is authentic and bad guys haven\u2019t messed with it. Not using one is like putting up a flashing neon sign that says \u201cI\u2019m not trustworthy\u201d next your company name and logo. 
Digitally signing your software bakes your organization\u2019s identity into your software and code in a way that lets users verify it\u2019s authentic and that it hasn\u2019t been tampered with since it was signed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"454\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/signed-software-example-1024x454.jpg\" alt=\"An example set of screenshots that shows the digital signature information for a piece of software that's signed by a code signing certificate\" class=\"wp-image-15632\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/signed-software-example-1024x454.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/signed-software-example-300x133.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/signed-software-example-768x340.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/signed-software-example.jpg 1264w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">An example of what it looks like when you inspect a digitally signed executable.<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">By not storing your key securely, you risk your certificate becoming untrusted and a liability for your organization if bad guys use it to sign and distribute malware in your name.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-do-i-order-a-code-signing-certificate-after-nov-15\">How Do I Order a Code Signing Certificate After Nov. 15?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This is a great question \u2014 honestly, one we\u2019re waiting on the final details for ourselves. 
Each CA will have its own OV code signing certificate process. How exactly these changes will work, and what they\u2019ll mean for you, will depend on each individual CA. <strong>For most customers, each CA will provide a streamlined order process that will likely look a lot like the current process for EV code signing certificates.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">What we do know is that these changes will likely entail having to use a hardware security token that\u2019s either issued by your CA or one that you already own that meets <strong>FIPS 140 Level 2, Common Criteria EAL 4+<\/strong> compliance requirements as a minimum. Once we know more, so will you. So, stay tuned for a future follow-up article as we draw closer to the deadline.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>For advanced users, you have three options for provisioning your certificates and keys:<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-usb-tokens\">1. USB Tokens<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Hardware security tokens are typically small and convenient devices that are assigned to individual users within organizations. You can purchase these yourself, or have the certificate authority ship your code signing certificate already installed on one. For example, DigiCert currently requires the use of a specific security hardware token for storing EV code signing certificates\u2019 private keys: <a href=\"https:\/\/cpl.thalesgroup.com\/access-management\/authenticators\/pki-usb-authentication\/etoken-5110-usb-token\">SafeNet eToken 5110 CC<\/a> (RSA 4096-bit key and ECC P-256-bit key). 
This particular device exceeds the minimum requirements outlined by the CA\/B Forum \u2014 it supports FIPS 140-2 Level 3, CC EAL5+.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Another token you may be able to use is the SafeNet eToken 5110+ FIPS, a new token that will likely be released by Thales this summer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Of course, each CA can choose which token(s) they\u2019ll use. Most customers will find that using a USB token provided by the CA is the easiest and simplest option. So, we\u2019ll go into all of that more in the future as we get closer to the rollout deadline.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-hardware-security-modules\">2. Hardware Security Modules<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you decide to go the hardware security module route to store your private keys, then you\u2019ll need to prove that you\u2019re using a device that\u2019s up to snuff. For example, you may have to provide a letter of attestation that shows the device:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is FIPS 140 Level 2 or Common Criteria EAL4+ (CCE 4+) compliant at a minimum, and<\/li>\n\n\n\n<li>Supports ECC key sizes of 256 bits or larger or RSA key sizes of 3072 bits or larger.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">With either physical security device method, you\u2019ll need to either connect your systems to your organization\u2019s hardware security module (HSM) or plug a physical security token into your device before you can use the certificate to sign code. This allows you to access your private key for signing, which is securely stored on the device. 
You\u2019ll also have to enter your unique password as an additional layer of security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But there is a third option that doesn\u2019t require you to manage and secure any physical appliances or hardware tokens\u2026<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-code-signing-services-and-applications\">3. Code Signing Services and Applications<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Another secure key storage option you can choose to use is a signing solution like <a href=\"https:\/\/www.digicert.com\/signing\/secure-software-manager\">DigiCert\u00ae\u2019s Software Trust Manager (STM)<\/a>, which is part of the DigiCert ONE platform. This software enables authorized users to securely store and use the private keys without requiring physical access to them. This means your employees can go about their business without you having to worry about managing a bunch of individual physical security tokens that could be damaged, lost, or stolen.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>STAY TUNED: If you\u2019re looking for more specifics about how all of these processes will work when ordering a new OV code signing certificate from The SSL Store after the November change, we\u2019ll post another update as we get closer to the date when these changes will roll out.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-tl-dr-a-quick-overview-of-the-ov-code-signing-certificate-changes-to-come\">TL;DR \u2014 A Quick Overview of the OV Code Signing Certificate Changes to Come<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Alright, that was a lot of information to take in. Or, if you\u2019re like some of our readers, you may not have bothered reading it and may have just jumped straight to this section instead. Either way is good, as long as we\u2019re giving you the info you need! 
Here are the highlights you need to know:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The CA\/B Forum\u2019s new industry requirements for how to issue and store standard (OV) code signing certificates and private keys will roll out Nov. 15, 2022 at 12:00 a.m. UTC (Nov. 14 at 7 p.m. EST for North American users).<\/li>\n\n\n\n<li>These changes impact how new and reissued organization validation (and individual validation) code signing certificates and their corresponding private keys will be created, stored, installed, renewed and reissued.<\/li>\n\n\n\n<li>Issuing certificate authorities will handle the certificate and key generation processes on the back end \u2014 you\u2019ll no longer have to complete a certificate signing request (CSR) yourself to get your code signing certificate.<\/li>\n\n\n\n<li>Certificate requestors (i.e., you) will be contractually required to use FIPS 140 Level 2\/EAL 4+ compliant secure hardware cryptographic modules or signing services as a minimum to store code signing certificates and private keys.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>OV code signing certificates and key generation methods are getting an overhaul. 
They\u2019ll be issued on physical security hardware in a process similar to how EV code signing certificates are&#8230;<\/p>\n","protected":false},"author":17,"featured_media":15616,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[13107,17],"tags":[4969],"class_list":["post-15615","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-beyond-hashed-out","category-industry-lowdown","tag-code-signing","post-with-tags"],"views":11262,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2022\/07\/ov-code-signing-certificate-changes-feature.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=15615"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/15615\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/15616"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=15615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=15615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-j
son\/wp\/v2\/tags?post=15615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}