Skip to main content

What are the minimum requirements for Code Signing issuance?

Summary

As of June 1, 2021, Entrust updated its Code Signing Certificate hierarchies and implemented changes to enforce a minimum key size of 3072-bit RSA. These changes accommodate new CAB Forum guideline which took effect on 1st June 2021.


User-added image

Important changes for OV and EV Code Signing certificate issuance (Effective June 1, 2021)

As of June 1, 2021, Entrust updated its Code Signing Certificate hierarchies and implemented changes to enforce a minimum key size of 3072-bit RSA. These changes accommodate the new CAB Forum guideline which took effect on 1st June 2021. Baseline Requirements for Code Signing Certificates

That means customers can now issue Code Signing Certificates with either 3072 or 4096-bit sizes. In addition to enforcing new minimum key sizes, a new Time Stamp Authority (TSA) has been established at http://timestamp.entrust.net/rfc3161ts2

Customers performing Code Signing operations should update their configuration to begin using this new TSA.

Besides the requirement for the new CAB Forum Code Signing guidelines, Microsoft has also limited the use of 2048-bit RSA root certificates to no later than the year 2030. In addition, new root key size requirements for Code Signing and time-stamping must be 4096-bit RSA.

Outlining the minimum requirements for OV Code Signing certificate issuance. (Effective February 1, 2017)

As of February 1, 2017, Certification Authorities (CA) trusted by Microsoft Windows must issue code signing certificates under the Minimum Requirements for OV Code Signing.

The new requirements are designed to make OV Code Signing (CS) certificates more secure, specifically, higher protection of the private key. As of February 1, 2017, all CS certificates must be issued using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified:

  • USB, PCI and Rackmount HSMs
  • Secure cloud-based hosting service (e.g., Azure Key Vault, Amazon Web Services Cloud HSM, Google Cloud HSM)
  • Trusted Platform Module (TPM)
  • (Non-HSM) USB drive* (note that the use of a non-HSM drive for a Code Signing certificate requires extra protection of the physical drive it is stored upon, including locking the drive in a safe place and only having the drive inserted into your device only when you are signing code)

A USB Token (HSM) will be included with the purchase of OV Code Signing certificates from Entrust. The list of hardware security modules (HSMs) shown above is listed in order of the most expensive to least expensive HSM solution.

Key items from the updated requirements:

  • Private keys must be stored using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified.
    • An HSM USB Token is included with the purchase of Entrust Code Signing Certificate license.
    • Subscribers can also use any third-party HSM or Cloud Service that meets the FIPS 140-2 level 2 requirements.
  • The new requirements create a security standard that can allow for 135 month time-stamping certificates, so your OV code signing signature could be valid for more than 10 years.
  • Malware researchers or an application software suppliers may request a Certification Authority  to revoke a subscriber's OV Code Signing Certificate if proven it has been compromised to sign malicious code.
  • If the private key is not secured using the method listed above the Certification Authority must revoke the certificate; a replacement certificate may be issued but the Certification Authority must ensure that the private key is stored using one of the qualified methods.

The complete document that outlines the entire requirements for issuance of OV Code Signing certificates can be found here .

Microsoft's article relating to these new requirements can be found here .

Entrust is dedicated to implementing Best Practices in the design, implementation and management of digital security, including the issuance of OV Code Signing certificates.

You can see our technote about Code Signing Best Practices here for further information.

If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:

Hours of Operation:

Sunday 8:00 PM ET to Friday 8:00 PM ET

North America (toll free): 1-866-267-9297

Outside North America: 1-613-270-2680 (or see the list below)

NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.

Country Number
Australia 0011 - 800-3687-7863
1-800-767-513
Austria 00 - 800-3687-7863
Belgium 00 - 800-3687-7863
Denmark 00 - 800-3687-7863
Finland 990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet)
France 00 - 800-3687-7863
Germany 00 - 800-3687-7863
Hong Kong 001 - 800-3687-7863 (Voice)
002 - 800-3687-7863 (Fax)
Ireland 00 - 800-3687-7863
Israel 014 - 800-3687-7863
Italy 00 - 800-3687-7863
Japan 001 - 800-3687-7863 (KDD)
004 - 800-3687-7863 (ITJ)

0061 - 800-3687-7863 (IDC)
Korea 001 - 800-3687-7863 (Korea Telecom)
002 - 800-3687-7863 (Dacom)
Malaysia 00 - 800-3687-7863
Netherlands 00 - 800-3687-7863
New Zealand 00 - 800-3687-7863
0800-4413101
Norway 00 - 800-3687-7863
Singapore 001 - 800-3687-7863
Spain 00 - 800-3687-7863
Sweden 00 - 800-3687-7863 (Telia)
00 - 800-3687-7863 (Tele2)
Switzerland 00 - 800-3687-7863
Taiwan 00 - 800-3687-7863
United Kingdom 00 - 800-3687-7863
0800 121 6078
+44 (0) 118 953 3088