As of June 1, 2023, all Code Signing Certificates must comply with the new CA/B Forum regulations to ensure that the subscriber’s private key is generated, stored, and used in suitable FIPS-compliant hardware.
We recognize this requires customers to commit to a heavy lift. Between now and April 24, 2023, you can purchase Sectigo OV Code Signing certificates and lock in the use of software-based Code Signing certificates for the next three years, and you will not be required to switch to a hardware-based token during that time. At the end of your 3-year certificate, Sectigo will ship a free FIPS-compliant token with an extra 12 months of OV Code Signing Certificate validity to you.
When I last looked at this a few months ago, I got the impression that the hardware-based token was a requirement regardless of the current expiration date of your code signing cert. This was in an email from our cert vendor, as I recall. BTW, the free hardware token isn’t useful if you happen to build on a cloud server - just a heads up.
I hope you’re wrong, Mark. Surely Sectigo wouldn’t have sold me (and others) three-year certificates in January that would die in June. Shirley…
But I guess we’ll find out.
BTW, this is DigiCert’s take:
Ordering and renewing code signing certificates after June 1, 2023
When ordering and renewing a standard code signing certificate, you must select a provisioning method. In other words, choose the hardware to store the private key on. Like EV code signing, they have three provisioning options.
When I purchased one of those EV hardware token keys from Sectigo a few years back, it was a very frustrating experience. The vetting was very thorough and time consuming (as I expected, but man). And actually using the certificate was a big PITB, especially if trying to use on more than one VM.
Then that day came that my password stopped working. And the available re-tries ticked down from 15 to 0. So I got a replacement at no extra cost, but it took a long time to get.
We have CloudHSM very close to ready for testing with our build server but are reconsidering buying the Sectigo deal simply to let the industry simmer on this a while.
Haven’t fully thought this through, but I’m not sure you can do that, since there’s a CSR involved, which presumably is connected through values obtained from the hardware key.
Last time I ordered from Sectigo they sent a USB dongle with my certificate. I am assuming, based upon what I’ve read, that I should be good to go with the new rule?
I have the EV version of Sectigo codesign, so it’s a USB dongle already; I got it for the 2nd time. The only stupid thing is that when you need a new cert (“renew”), they don’t provide an option to redeem the new cert onto the “old” dongle. They just send you another dongle and you pay again. So I now have two basically identical dongles and I will obviously get the 3rd one soon.
Ok, they can be used for other certs etc. but still.