Search in this section
Note
Starting on 1 June 2023, new requirements of the CA/B Forum require that all code signing certificate keys are stored on an HSM or a compliant hardware token. This concerns the business cases order (Create), renewal (Renew) as well as reissue (Reissue).
When using cloud services, please clarify in advance with the provider whether use with USB tokens is possible. In addition to a USB token, CA Sectigo also offers Luna Network Attached HSM.
See below for more details.
Introduction
Code Signing Certificates are a means for developers on all platforms to digitally sign their applications and software that they make available over the internet. Signed code is marked with the name of the publisher, providing protection against the introduction of malware and other subsequent modifications.
All Code Signing Certificates use a unique cryptographic hash to bind the identity of the publisher to the software. Security warnings displayed for unsigned code are replaced with information about the publisher of the software. This helps prevent users from aborting the installation out of uncertainty. Code signing therefore adds an important level of trust to the installation process.
Code signing shows that the signed software is authentic, comes from a known software vendor and that the code has not been modified since it was signed. Code signing helps to alleviate users’ security concerns, reducing the number of installation abortions. It also prevents the code from being changed with malicious intent or the identity of a trusted software vendor from being misused by others.
Feature overview
Here is a brief overview of the features included for Code Signing Certificates:
- A single Code Signing Certificate for all applications:
- Microsoft Authenticode
- Adobe AIR
- Apple OS X
- SunJava
- Mozilla & Netscape Objects
- Macros & VBA
- Eliminates "Unknown Publisher" security warnings when downloading code
- Due to the time stamp service, the signature does not expire, even if the certificate expires
- Signs an unlimited number of applications
- Protects your brand and reputation
Features | Code Signing Certificate | EV Code Signing Certificate |
---|---|---|
Information displayed in the certificate | Company name | Company name |
Eliminates the "Unknown Publisher" security warnings | ||
Instant reliability with Microsoft Smartscreen* | ||
Sign an unlimited number of applications | ||
Compatible with popular platforms (MS Authenticode, Office VBA, Java, Adobe AIR, Mac OS, Mozilla) | ||
Signature does not expire when time stamp is applied | Time stamp available and recommended | Time stamp available and recommended |
*With an OV Code Signing Certificate, Microsoft SmartScreen requires a certain reputation of the files, e.g. a specific number of downloads. Only then is the signature fully classified as trustworthy.
Ordering a Code Signing Certificate
Enclosed are some brief overviews of the process flow for ordering code signing.
DigiCert
- Orders are carried out via our systems
- Verification of the company takes place on the basis of the commercial register entry and a telephone verification
- Select the provisioning method:
- Own compliant HSM
→ SafeNet eToken 5110 FIPS (ECC P-256 or P-384)
→ SafeNet eToken 5110 CC (RSA 4096 ECC P-256)
→ SafeNet eToken 5110+ FIPS (RSA 4096 ECC P-256) - Hardware token from the CA with costs (including shipping)
- Own compliant HSM
- The hardware token with the pre-installed certificate or an e-mail with a download link is sent out. The hardware token can no longer be cancelled
- After the successful issuing of the certificate, the so-called Hardware Init Code is visible in our system under the certificate details.
You need this initialization code for the installation with the DigiCert Hardware Certificate Installer - With the own HSM, the certificate must be installed on the token
Note
To install/initialize the certificate you need the Safenet Authentification Client and the DigiCert Hardware Certificate Installer (windows only).
Please ensure that you are always using the latest software version. Older versions of the Safenet client can lead to errors with the SafeNet eToken 5110+ FIPS
Sectigo
- Orders are carried out via our systems
A CSR is always requested by our system, but is only forwarded to the CA if the provisioning method 3a (see below) has been selected, otherwise the CSR is discarded.
If CN is filled in and not empty, Sectigo requires a domain name as value (otherwise error). If the CSR is created on the YubiKey or Luna hardware, the company name is not stored in the CN but in the subject and therefore does not lead to an error in the Sectigo backend. - Verification of the company takes place on the basis of the commercial register entry and a telephone verification
- Select the provisioning method:
- Own compliant HSM with key attestation and CSR
→ YubiKey 5 FIPS Series
→ Luna Network Attached HSM, Version 7.x - Hardware token from the CA with costs (including shipping)
- Own compliant HSM with key attestation and CSR
- The hardware token with the pre-installed certificate or an e-mail with a download link is sent out. The hardware token can no longer be cancelled
- With the own HSM, the certificate must be installed on the token
Note
The key attestation takes place directly on the hardware token and generates a certificate. The key attestation data must be submitted when ordering, renewing or reissuing a certificate.
This provisioning method also requires a CSR.
GlobalSign
- Orders are carried out via our systems
- A pickup password is mandatory to place an order
- Verification of the company takes place on the basis of the OV or EV guidelines
- The USB token is sent by a service provider located in Germany
- The email with download link is sent simultaneously
- After receiving the USB token, the certificate is downloaded via the SafeNet Authentication Client with link and password.
The certificate must be retrieved within 7 days after a reissue and within 30 days after create/renew, otherwise the certificate will be canceled and cannot be used. - After installation, the certificate is ready for use. More Information for the Installation can be found here.
Note
The USB token is sent on behalf of GlobalSign by a service provider based in Germany. The initial password of the USB token is 0000.
We recommend changing the password of the USB token by using SafeNet Authentication Client before installing the certificate.
General notes
For some applications, it may be necessary to convert the delivered Code Signing Certificate. Use tools like the MS SSL ToolKit for this.
Instructions for using the included time stamp function can be found under the following links:
Depending on the CA, the delivery of the Code Singing Certificate varies.
Please note that software may have to be installed locally to install the certificate and that there may be restrictions due to the respective operating system.
Code Signing Certificate | EV Code Signing Certificate | Miscellaneous | |
---|---|---|---|
DigiCert | New method effective as of 1 June 2023 Hardware token of the CA: Certificate is pre-installed Own compliant hardware token: Via e-mail for downloading | - | A hardware token can optionally be ordered in addition (create, renew or reissue). This may entail non-recurring fees including shipping as well as additional costs for customs fees. Cancellation of the order by the user is only possible after the certificate has been installed on the hardware token. Otherwise, please contact support. |
GlobalSign | Cryptographic USB token (incl.) | Cryptographic USB token (incl.) | With a create request the token is sent free of charge by GlobalSign and is already included in the basic price of the certificate. A cancellation of the token is not possible. If the token is shipped outside the EU, customs duties may be incurred under certain circumstances, which are to be borne by the certificate holder. The certificate must be retrieved within 7 days after a reissue and within 30 days after create/renew, otherwise the certificate will be canceled and cannot be used. For certificates issued before the 24th of April 2023, GlobalSign checks if a token is required and also sends out a token free of charge with the first renew or reissue. |
Sectigo | New method effective as of 1 June 2023 Hardware token of the CA: Certificate is pre-installed Own compliant hardware token: Via e-mail for downloading | - | A hardware token can optionally be ordered in addition (create, renew or reissue). This may entail non-recurring fees including shipping as well as additional costs for customs fees. |