SSL CertificatesTrust solutions
15.00$ Basic Quick-Scan
  • OWASP Top 10 Scanning
  • Multi Page Web Applications
  • REST API & JavaScript Scan
  • Set it up in minutes
44.00$ Starting at
  • Protect up to 250 domains
  • Wildcard domains
  • Single and sub-domains
  • Public IP addresses
49.00$ Billed annually
  • Registered companies
  • Non Profit, Funds and Trusts
  • Government entities
  • Sole Proprietors/Individuals
Home Wiki General Questions Code Signing New Industry standards 2023

Code Signing New Industry standards 2023

  • Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection.

    • 1

      Sectigo OV and EV Code Signing products generation

      There are two options available:

      1. The certificate applicant chooses to have Sectigo install the certificate on suitable hardware (e.g. a token) and ship it to them.
      2. The certificate applicant has suitable hardware, generates the keys in a nonexportable form, certificate signing request (CSR), and key attestation on it, and includes the CSR and key attestation in their certificate request. The key attestation, which is a file generated by the HSM, contains the required evidence that the private key has been generated in suitable hardware.

      Currently the following hardware(s) modules are supported by Sectigo Key-Attestation Service in verifying the cryptographic data produced by them:

      • Luna Network Attached HSM, Version 7.x
      • YubiKey 5 FIPS Series

      If the HSM is provided by Sectigo CA, the token + shipping costs should be paid additionally.

    • 2

      DigiCert and GoGetSSL OV and EV Code Signing products generation

      Like EV code signing, OV code signing certificates have three provisioning options for tokens and HSMs:

      1. Use a DigiCert-provided preconfigured hardware token
      2. Use your own supported hardware token.
        You must have one of the approved hardware tokens listed in the box above:
        SafeNet eToken 5110 FIPS (ECC ONLY)
        SafeNet eToken 5110 CC (RSA 4096 and ECC)
        SafeNet eToken 5110+ FIPS
      3. Install on a hardware security module (HSM)

      Hardware tokens and HSM devices must be FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

      If the hardware token is provided by DigiCert CA, the token + shipping costs should be paid additionally.

    • 3

      Code signing with a hardware token or HSM

      To use a token-based code signing certificate, you need access to the hardware token or HSM and the credentials to use the certificate stored on it. For token-based code signing, you will need to plug the hardware token into your computer and enter the password to sign your code with the code signing certificate on the token.

    • 4

      Reissuing certificates

      If you need to reissue a code signing certificate from June 1, 2023, you must install the reissued certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from CA at that time.

      Note: You do not need to reissue code signing certificates issued prior to June 1, 2023, to remain compliant. These certificates are not affected by the new requirement unless you reissue them.

Fast Issuance within 3-5 minutes

Get a Domain Validation SSL certificate within just 5 minutes using our friendly and automated system. No paperwork, callback or company required.

Price Match 100% Guarantee

Found a better price? We will match it - guaranteed. Get the best possible price in the World with us. The correct place to save your money.

Free SSL 90-day for free

Try 90-day Trial SSL Certificate before the real purchase to test cert's functionality. 99.9% browser and mobile support. Free reissues.

Money Back 30-day guarantee

Customer satisfaction is our major concern. Get a full refund within 30 days for any purchase of SSL certificates with 100% guarantee.

Speed up SSL issuance

GoGetSSL® offers fastest issuance of SSL due to use of LEI code and API automation. Legal Entity Identifier (LEI) is a global identity code, just like DUNS. Learn how LEI works.

1,422,468+Total LEIs issued
224+Jurisdictions supported