Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Last Modified: 2017-02-16 07:57:11.0

What are the minimum requirements for Code Signing issuance?

Article Number: 70589

User-added image

Outlining the minimum requirements for Code Signing certificate issuance. (Effective February 1, 2017)

As of February 1, 2017, Certification Authorities (CA) trusted by Microsoft Windows must issue code signing certificates  in accordance with the Minimum Requirements for Code Signing.

The new requirements are designed to make Code Signing (CS) certificates more secure, specifically, higher protection of the private key. As of February 1, 2017 all CS certificates must be issued using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified:
  • USB, PCI and Rackmount HSMs
  • Secure cloud-based hosting service (e.g., Azure, Amazon Web Services Cloud HSM)
  • Trusted Platform Module (TPM)
  • (Non-HSM) USB drive* (note that the use of a non-HSM drive for a Code Signing certificate requires extra protection of the physical drive it is stored upon, including locking the drive in a safe place and only having the drive inserted into your device only when you are signing code)
A USB Token (HSM) is to be included with the purchase of Code Signing certificates from Entrust Datacard. The list of hardware security modules (HSMs) shown above are listed in order of the most expensive to least expensive HSM solution. 

Key items from the updated requirements:
  • Private keys must be stored using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified.
    • An HSM USB Token is included with the purchase of Entrust Code Signing Certificate license.
    • Subscribers can also use any third-party HSM or Cloud Service that meets the FIPS 140-2 level 2 requirements.
  • The new requirements create a security standard that can allow for 135 month time-stamping certificates, so your code signing signature could be valid for more than 10 years.
  • Malware researchers or an application software suppliers may request a Certification Authority  to revoke a subscriber's Code Signing Certificate if proven it has been compromised to sign malicious code.
  • If the private key is not secured using the method listed above the Certification Authority must revoke the certificate; a replacement certificate may be issued but the Certification Authority must ensure that the private key is stored using one of the qualified methods.
The complete document that outlines the entire requirements for issuance of Code Signing certificates can be found here.

Microsoft's article relating to these new requirements can be found here.

Entrust Datacard is dedicated to implementing Best Practices in design, implementation and management of digital security, including the issuance of Code Signing certificates. 

You can see our technote about Code Signing Best Practices here for further information.

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance: 

Hours of Operation: 

Sunday 8:00 PM ET?to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
 

CountryNumber
Australia0011 - 800-3687-7863
1-800-767-513
Austria00 - 800-3687-7863 
Belgium00 - 800-3687-7863 
Denmark00 - 800-3687-7863 
Finland990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet) 
France00 - 800-3687-7863 
Germany 00 - 800-3687-7863 
Hong Kong001 - 800-3687-7863 (Voice) 
002 - 800-3687-7863 (Fax) 
Ireland00 - 800-3687-7863 
Israel014 - 800-3687-7863 
Italy00 - 800-3687-7863 
Japan001 - 800-3687-7863 (KDD)? 
004 - 800-3687-7863 (ITJ)? 
0061 - 800-3687-7863 (IDC) 
Korea001 - 800-3687-7863 (Korea Telecom) 
002 - 800-3687-7863 (Dacom) 
Malaysia00 - 800-3687-7863 
Netherlands00 - 800-3687-7863 
New Zealand00 - 800-3687-7863 
0800-4413101 
Norway00 - 800-3687-7863 
Singapore001 - 800-3687-7863 
Spain00 - 800-3687-7863 
Sweden00 - 800-3687-7863 (Telia) 
00 - 800-3687-7863 (Tele2) 
Switzerland00 - 800-3687-7863 
Taiwan00 - 800-3687-7863 
United Kingdom00 - 800-3687-7863 
0800 121 6078 
+44 (0) 118 953 3088 

Affected Products:

  • Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services 1 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services 2 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services 2 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services Cert Admin Advantage Server Certificate 1 Year Version Not Applicable Language Not Applicable Platform Not Applicable
  • Entrust Certificate Services Cert Admin Advantage Server Certificate 2 Year Version Not Applicable Language Not Applicable Platform Not Applicable