OV Code Signing Certificate is now required to store private key in Hardware Security Module compliant with FIPS 140 Level 2, Common Criteria EAL 4+ or equivalent from November 15, 2022.
The OV code signing certificate will undergo significant changes starting from November 15, 2022. According to the new CA/B Forum guidelines, the OV code signing process will see changes for private critical storage compliance.
An OV code signing certificate is a digital certificate provided by a certificate authority or CA to organizations after a thorough vetting process. Changes in the OV code signing process can affect several businesses.
An OV code signing certificate is the security measure that allows companies to secure communications between users’ devices and servers. So, let’s discuss the changes first.
About the OV Code Signing Certificate Changes
First and one of the most significant changes in the OV code signing process will be the storage of private keys. According to the CA/B forum guideline, certificate authorities must ensure that a user’s private key is generated, stored, and used in an HSM (Hardware Security Module).
From November 15, 2022, every CA will have to take care of request generation for the OV code signing certificate and private key along with the storage. A user will have to use the following options to generate and protect the private key for the OV code signing certificate,
- The Trusted Platform Module (TPM) will help users generate and secure a private key. Further, it allows customers to document their information and private key generation through a TPM key.
- HSM is a secure way to generate and protect users’ private keys. Therefore, it should have a unit design form factor compliant with FIPS 140‐2 Level 2 and Common Criteria EAL 4+, or equivalent.
- Hardware storage tokens can be used with a USB or SD card design that may not be compliant or certified FIPS 140‐2 Level 2 or Common Criteria EAL 4+. However, a user must also keep the USB or SD card away from the device on which the code signing certificate is hosted.
If an OV code signing Certificate is issued before 15th November 2022, the certificate authority must ensure that the user’s private keys are secured according to the above methods.
Now that we have discussed some of the significant changes in the OV code signing certificate issuing process let’s understand why are they changing?
Why Are These Changes Occurring?
The core idea behind changes in the OV code singing guidelines by CA/B Forum is to ensure that the security of private keys remains intact. As per the changes that CA/ browser Forum’s BR (Baseline Requirements) outline is for the generation and management of subscriber’s private key.
An update in the subscriber’s essential requirements and shift of responsibility to the CA is an attempt at securing private keys. Especially CA’s technical prowess can be leveraged for the generation, management, and security of the subscriber’s keys. This is what the CA/B forum is looking to achieve with the new set of guidelines.
So, here is when it will come into effect!
When the Official Change Will Take Place?
Changes in the CA/Browser guidelines will be enforced from November 15, 2022, in Coordinated Universal Time (UTC). At the same time, it will be implemented at 7 PM on Monday, November 14th, for people in the Eastern Standard Time (EST) zone.
However, you must understand that not every CA will be ready to implement the changes. At the same time, many CAs may choose to implement the changes earlier for better compliance. So, they will start preparing for the changes before the official launch to ensure buffer time.
While there is no denying that the intended target for the changes safety of end user’s private keys, it’s essential to understand that CAs will see a massive impact on operations.
Who Will Be Impacted By These Changes?
Changes in the CA/B Forum guidelines can impact anyone looking to get an OV code signing certificate after November 15, 2022. Certificate authorities must facilitate the entire private key generation, storage, and audit process. So, they will see a massive impact on how OV code signing certificates will be issued.
It will impact the initiation phase of the OV code signing process. For example, the OV code signing certificate process has many stages like,
- CSR generation
- Authentication and validation
- Issue of certificate
- Download and install of certificate
New changes in the CA/B Forum guidelines will impact the CSR generation process. It begins with a private key generation with key information for the organization that every CA needs to verify to issue the certificate.
Here are the details that a private key may have for the vetting process,
- Operational existence is your organization’s legal identity, which needs to be verified for issuing a code signing certificate. The verification process with the operational existence combines the legal registration and information from third-party sources for your organization.
- Proof of existence is the identity of your physical address and verification of the address combining third-party sources with legal location registered with authorities.
- Business contact information needs to be validated, and so CAs verify it,
- Proper identification authorized by the government is necessary to issue an OV code signing certificate.
So, it becomes essential to secure the private key of subscribers. However, there are several reasons CAs and subscribers can secure private keys. This is why CA/Browser Forum changes are an essential step towards higher security.
How Do I Order a Code Signing Certificate After Nov. 15?
Subscribers will be communicated with the new ordering and issuing process for the OV code signing in due time. The current process involves several stages: CSR generation, private key generation, vetting process, issuing certificate, etc. However, with the new changes in the effect, the entire process for key generation is bound to change.
Though most CAs have their process for subscribers to order the OV code signing certificate. So, as the new changes are enforced, these CAs will change the ordering process accordingly.
Most CAs will have to facilitate hardware devices or ask subscribers to use storage that complies with FIPS 140 Level 2, Common Criteria EAL 4+. Such devices can be,
USB or pen drives are compact devices assigned to the subscribers to store security keys. Subscribers can purchase them based on recommendations by the CA, or certificate authorities can provide such devices to users. These devices should be compliant with the CA/Browser Forum requirements. Devices like SafeNet 5110CC or SD cards within compliance with FIPS 140 Level 2, Common Criteria EAL 4.
Hardware Security Modules
Hardware Security Modules (HSM) is another form of storage that allows subscribers to store private keys securely. However, as per new guidelines, subscribers will have to provide a letter of cognizance or audit report on compliance of HSM with FIPS 140 Level 2 or Common Criteria EAL4+. HSM can also be eligible for compliance if it supports an ECC key size of 256 bits or RSA 3072 bits.
Code Signing Services and Applications
Many CAs provide their solutions for the storage of private keys. If subscribers choose the code signing services for storage, generation, and security of keys, the CA must provide a capable solution. CAs must provide highly secure storage solutions for subscribers to ensure that keys are not exposed to cyber-attacks.
Some CAs also offer software to manage, generate and store keys without physical access. However, CAs must have a proper auditing process to ensure that the software is secure for subscribers.
Key takeaways (A Quick Overview of the OV Code Signing Certificate Changes to Come)
- The user or subscriber can use the hardware crypto module to store private keys, which need to be operated by the hardware security module (HSM), cloud service, and signing services provided by a trustworthy CA.
- Users or subscribers can use devices and crypto libraries prescribed by the CA.
- Ensuring the generation of private keys with a FIPS 140‐2 level 2 compliant device is the responsibility of CAs.
- Subscribers or users will have to provide an agreement to use the code signing certificate.
- An auditor will monitor and sign the report for key-pair generation in the subscriber-hosted or cloud-based HSM.
- Users or subscribers also will have to provide an internal or external IT audit that shows the use of standard HSM for key-pair generation.