Outlining the minimum requirements for OV Code Signing certificate issuance. (Effective February 1, 2017)
As of February 1, 2017, Certification Authorities (CA) trusted by Microsoft Windows must issue code signing certificates in accordance with the Minimum Requirements for OV Code Signing.
The new requirements are designed to make OV Code Signing (CS) certificates more secure, specifically, higher protection of the private key. As of February 1, 2017 all CS certificates must be issued using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified:
- USB, PCI and Rackmount HSMs
- Secure cloud-based hosting service (e.g., Azure Key Vault, Amazon Web Services Cloud HSM, Google Cloud HSM)
- Trusted Platform Module (TPM)
- (Non-HSM) USB drive* (note that the use of a non-HSM drive for a Code Signing certificate requires extra protection of the physical drive it is stored upon, including locking the drive in a safe place and only having the drive inserted into your device only when you are signing code)
Key items from the updated requirements:
- Private keys must be stored using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified.
- An HSM USB Token is included with the purchase of Entrust Code Signing Certificate license.
- Subscribers can also use any third-party HSM or Cloud Service that meets the FIPS 140-2 level 2 requirements.
- The new requirements create a security standard that can allow for 135 month time-stamping certificates, so your OV code signing signature could be valid for more than 10 years.
- Malware researchers or an application software suppliers may request a Certification Authority to revoke a subscriber's OV Code Signing Certificate if proven it has been compromised to sign malicious code.
- If the private key is not secured using the method listed above the Certification Authority must revoke the certificate; a replacement certificate may be issued but the Certification Authority must ensure that the private key is stored using one of the qualified methods.
Microsoft's article relating to these new requirements can be found here.
Entrust Datacard is dedicated to implementing Best Practices in design, implementation and management of digital security, including the issuance of OV Code Signing certificates.
You can see our technote about Code Signing Best Practices here for further information.
If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
|Australia||0011 - 800-3687-7863|
|Austria||00 - 800-3687-7863|
|Belgium||00 - 800-3687-7863|
|Denmark||00 - 800-3687-7863|
|Finland||990 - 800-3687-7863 (Telecom Finland)|
00 - 800-3687-7863 (Finnet)
|France||00 - 800-3687-7863|
|Germany||00 - 800-3687-7863|
|Hong Kong||001 - 800-3687-7863 (Voice) |
002 - 800-3687-7863 (Fax)
|Ireland||00 - 800-3687-7863|
|Israel||014 - 800-3687-7863|
|Italy||00 - 800-3687-7863|
|Japan||001 - 800-3687-7863 (KDD) |
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
|Korea||001 - 800-3687-7863 (Korea Telecom) |
002 - 800-3687-7863 (Dacom)
|Malaysia||00 - 800-3687-7863|
|Netherlands||00 - 800-3687-7863|
|New Zealand||00 - 800-3687-7863 |
|Norway||00 - 800-3687-7863|
|Singapore||001 - 800-3687-7863|
|Spain||00 - 800-3687-7863|
|Sweden||00 - 800-3687-7863 (Telia) |
00 - 800-3687-7863 (Tele2)
|Switzerland||00 - 800-3687-7863|
|Taiwan||00 - 800-3687-7863|
|United Kingdom||00 - 800-3687-7863 |
0800 121 6078
+44 (0) 118 953 3088