A recent article by the Microsoft Malware Protection Center, “Be a real security pro - Keep your private keys private,” reminded me of some best practices.

There are far too many cases of illegitimate code being signed with a private key stolen from the legitimate holder of a code-signing certificate. In these cases, the owners of the private keys had not secured them. The problem with code-signing is that many developers may need to sign their code.

If there is no controlled signing process, the signing private key, its password and the code-signing certificate are readily distributed among developers. The thinking? “Since more than one developer is using the private key, let’s make the password simple, so that everyone remembers it.”

With this process, there is no control over how the private key and password are protected, which makes them even easier for an attacker to obtain. When managing code-signing private keys, the following is recommended:

  • Minimize Access to Private Keys — Computers holding private keys should have minimal external connections, and the number of users with access to the private keys should be kept to a minimum.
  • Use Physical Security to Protect Keys — Protect private keys with cryptographic hardware that is certified to at least FIPS 140-2 Level 2. Such hardware does not allow the private key to be exported to software, where it could be attacked.
  • Test-Signing versus Release-Signing — Test-signing certificates require less protection than production code-signing certificates; they can be self-signed or issued by an internal test CA. Establish a separate test code-signing infrastructure to test-sign prerelease builds of software. Test certificates must chain to a completely different root certificate than the root used to sign publicly released products. This precaution helps ensure that test certificates are trusted only within the intended test environment.
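To make the third point concrete, here is an added example (not code from the original post or from Microsoft's guidance) that uses openssl to build a throwaway test root and a separate release root, issues one code-signing certificate under each, and checks that each certificate verifies only against its own root. The certificate names and the `WORK` scratch directory are constructed for the demo; it assumes openssl is installed on the PATH.

```shell
#!/bin/sh
# Added demonstration (not code from the original post): two separate roots,
# one code-signing leaf under each, and chain checks showing that a test-signed
# artifact is trusted only where the test root is trusted. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)   # constructed scratch directory for the demo keys and certs

# make_ca NAME: self-signed root key and certificate (P-256 keeps it fast).
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1-root.key"
  openssl req -x509 -new -key "$WORK/$1-root.key" -sha256 -days 30 \
    -subj "/CN=Example $1 Root" -out "$WORK/$1-root.pem" 2>/dev/null
}

# make_leaf CA NAME: code-signing end-entity certificate issued by CA's root.
make_leaf() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$2.key"
  openssl req -new -key "$WORK/$2.key" -subj "/CN=Example $2" \
    -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=codeSigning\n' > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-root.pem" \
    -CAkey "$WORK/$1-root.key" -CAcreateserial -days 30 -sha256 \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to CA NAME: exit 0 only if NAME's certificate verifies against CA's
# root, i.e. a relying party that trusts only that root would accept it.
chains_to() {
  openssl verify -purpose any -CAfile "$WORK/$1-root.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# report CA NAME: human-readable result of chains_to.
report() {
  if chains_to "$1" "$2"; then echo "$2 against $1 root: trusted"
  else echo "$2 against $1 root: NOT trusted"; fi
}

# Build one test root and one release root, each with its own signer.
make_ca test
make_ca release
make_leaf test test-signer
make_leaf release release-signer

report release release-signer   # trusted
report test test-signer         # trusted
report release test-signer      # NOT trusted: different root
report test release-signer      # NOT trusted: different root
```

A machine that only has the release root in its trust store therefore rejects anything signed with the test certificate, which is exactly the containment the separate test infrastructure is meant to provide.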

If you’re interested in more information, Microsoft provides an extensive set of code-signing best practices.

Bruce Morton

Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust Datacard, where he has been employed since 1999. His day-to-day responsibilities include managing standards implementations, overseeing Entrust Datacard’s policy authority, and monitoring Entrust Certificate Service for industry compliance.