Code-signing certs reminder (June 1 is coming!)

It’s Coming!!!

Sectigo is offering a “bargain” (not nearly as good as SetupBuilder’s) to help the transition to hardware key storage.

Even if your certificate still has some time left on it, it’s worth considering renewing it prior to the hardware requirement that begins on June 1.

The “bargain”

What is Changing?

As of June 1, 2023, all Code Signing Certificates must comply with the new CA/B Forum regulations to ensure that the subscriber’s private key is generated, stored, and used in a suitable FIPS-compliant hardware.

We recognize this requires customers to commit to a heavy lift. Between now and April 24, 2023, you can purchase Sectigo OV Code Signing certificates and lock in the use of software-based Code Signing certificates for the next three years and will not be required to switch to a hardware-based token during that time. At the end of your 3-year certificate, Sectigo will ship a free FIPS-compliant token with an extra 12 months of OV Code Signing Certificate validity to you.


When I last looked at this a few months ago, I got the impression that the hardware-based token was a requirement regardless of the current expiration date of your code signing cert. This was in an email from our cert vendor, as I recall. BTW, the free hardware token isn't useful if you happen to build on a cloud server - just a heads up.

I hope you’re wrong, Mark. Surely Sectigo wouldn’t have sold me (and others) three-year certificates in January that would die in June. Shirley…

But I guess we’ll find out :wink:

BTW, this is DigiCert’s take:

Ordering and renewing code signing certificates after June 1, 2023
When ordering and renewing a standard code signing certificate, you must select a provisioning method. In other words, choose the hardware to store the private key on. Like EV code signing, they have three provisioning options.

  • DigiCert provided hardware token
  • Existing supported hardware token
  • Hardware security module (HSM)

I also bought a 3-year certificate last February with the SB $ 200 dollar deal.

Best regards
Jeffrey

Fwiw, we are going with AWS’ CloudHSM.

I’m unclear, can you have the same certificate on multiple hardware tokens?

When I purchased one of those EV hardware token keys from Sectigo a few years back, it was a very frustrating experience. The vetting was very thorough and time consuming (as I expected, but man). And actually using the certificate was a big PITB, especially if trying to use on more than one VM.
Then that day came that my password stopped working. And the available re-tries ticked down from 15 to 0. So I got a replacement at no extra cost, but it took a long time to get.

Good times

I’m assuming that was the EV - Extended Validation – vs. the OV - Organization Validation – that many of us use.

One advantage to the EV over the OV is that you get instant reputation for Microsoft SmartScreen

The big drawback for EV was the hardware token, but that will soon be moot. :slight_smile:

We have CloudHSM very close to ready for testing with our build server but are reconsidering buying the Sectigo deal simply to let the industry simmer on this a while.

Haven’t fully thought this through, but I’m not sure you can do that, since there’s a CSR involved, which presumably is connected through values obtained from the hardware key.

Nothing wrong with a belt AND suspenders. :slight_smile:


I know nothing about CloudHSM, Mark, but reading Amazon’s instructions it sounds as if one uses certreq to generate the CSR.

And Sectigo apparently supports using certreq rather than their web portal to generate the request for a code-signing cert.
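As an added illustration of the certreq route mentioned in this thread (example script written for this page, not code from Sectigo, AWS, SetupBuilder or any poster): the INF below tells certreq to generate the key pair on a hardware key storage provider and mark it non-exportable, then writes the PKCS#10 request. The provider name, subject fields and working directory are placeholders; substitute the KSP or CSP name that your token or HSM vendor installs.

```powershell
# Added example for this thread (not the thread's or any vendor's code).
# Assumptions: the token exposes the CNG provider named below (placeholder),
# and the subject fields are placeholders to be replaced with vetted values.
param(
    [string]$ProviderName = 'Microsoft Smart Card Key Storage Provider',   # placeholder; use your vendor's KSP/CSP
    [string]$Subject      = 'CN=Example Software Ltd, O=Example Software Ltd, L=Springfield, S=IL, C=US',
    [string]$WorkDir      = "$env:USERPROFILE\codesign-request"
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir 'codesign.inf'
$csrPath = Join-Path $WorkDir 'codesign.csr'

# certreq INF. The two settings that keep the key out of software storage are
# ProviderName (a hardware KSP/CSP) and Exportable = FALSE.
# KeyUsage 0x80 = digitalSignature; EKU 1.3.6.1.5.5.7.3.3 = code signing.
$inf = @"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 3072
HashAlgorithm = sha256
ProviderName = "$ProviderName"
KeyUsage = 0x80
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key on the device and emit the request. The token prompts for
# its PIN; only the public key and subject go into the CSR.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "CSR written to $csrPath; submit it to the CA's portal."

# Sanity check before submitting: confirm the request carries the key size
# and algorithm you asked for.
& certutil.exe -dump $csrPath | Select-String -Pattern 'Public Key Algorithm|Public Key Length'

# After the CA issues the certificate, install it so it binds to the pending
# request's key on the token (path is a placeholder):
#   certreq.exe -accept "$WorkDir\issued.cer"
```

Because the request was generated against the hardware provider, there is no software copy of the private key to back up or copy to a second machine; that is the property the June 1 rule is after, and it is also why a cert cannot simply be duplicated onto several tokens from the same request.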

Last time I ordered from Sectigo they sent a USB dongle with my certificate. I am assuming, based upon what I’ve read, that I should be good to go with the new rule?
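One way to answer the "am I good to go?" question for a certificate you already have on a dongle, as an added example written for this page (not code from the thread or from Sectigo): list the code-signing certificates in your personal store and report which provider holds each private key and whether it is exportable. The list of Microsoft software providers used for the heuristic is an assumption; any provider not on it is treated as hardware and flagged for manual review rather than declared compliant.

```powershell
# Added example for this thread (not the thread's or any vendor's code).
# Assumption: the provider names below are the Microsoft software key stores;
# anything else is treated as a hardware provider pending manual review.
function Get-CodeSigningKeyStorage {
    [CmdletBinding()]
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation = 'CurrentUser'
    )

    $softwareProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Enhanced Cryptographic Provider v1.0',
        'Microsoft Base Cryptographic Provider v1.0'
    )

    Get-ChildItem -Path "Cert:\$StoreLocation\My" -CodeSigningCert | ForEach-Object {
        $cert = $_
        $provider = $null; $exportable = $null; $hardware = $null; $note = ''
        try {
            # RSA only; ECDSA certs would need GetECDsaPrivateKey instead.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: provider and export policy come from the CngKey.
                $provider   = $rsa.Key.Provider.Provider
                $exportable = $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key (common for older USB tokens); the CSP also
                # reports whether it is backed by a hardware device.
                $info       = $rsa.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $exportable = $info.Exportable
                $hardware   = $info.HardwareDevice
            }
        }
        catch {
            # Token unplugged, PIN cancelled, or key held elsewhere.
            $note = "private key not accessible: $($_.Exception.Message)"
        }

        if ($null -eq $hardware -and $null -ne $provider) {
            $hardware = ($softwareProviders -notcontains $provider)
        }

        $verdict =
            if ($null -eq $provider)               { 'no private key on this machine' }
            elseif ($hardware -and -not $exportable) { 'hardware-backed, non-exportable' }
            elseif ($hardware)                      { 'hardware provider but key marked exportable: review' }
            else                                    { 'software key: will not meet the hardware requirement' }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Provider    = $provider
            Exportable  = $exportable
            HardwareKey = $hardware
            Verdict     = $verdict
            Note        = $note
        }
    }
}

# Usage: run on the build machine with the token attached.
Get-CodeSigningKeyStorage | Format-Table Subject, NotAfter, Provider, Exportable, HardwareKey, Verdict -AutoSize
```

A dongle-held key normally shows the vendor's CSP or the smart card KSP as its provider with Exportable false. A "software key" verdict means the certificate was installed from a PFX into the Windows store and is the case the new rule rules out.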


I have the EV version of the Sectigo codesign cert, so it’s a USB dongle already, got it for the 2nd time. Only stupid thing is that when you need a new cert (“renew”), they don’t provide an option to redeem the new cert onto the “old” dongle. They just send you another dongle and you pay again. So I now have two basically identical dongles and I will obviously get the 3rd one soon.
Ok, they can be used for other certs etc. but still.