Important changes for OV and EV Code Signing certificate issuance (Effective June 1, 2021)
As of June 1, 2021, Entrust updated its Code Signing Certificate hierarchies and implemented changes to enforce a minimum key size of 3072-bit RSA. These changes accommodate the new CAB Forum guideline which took effect on 1st June 2021. Baseline Requirements for Code Signing Certificates
That means customers can now issue Code Signing Certificates with either 3072 or 4096-bit sizes. In addition to enforcing new minimum key sizes, a new Time Stamp Authority (TSA) has been established at http://timestamp.entrust.net/rfc3161ts2
Customers performing Code Signing operations should update their configuration to begin using this new TSA.
Besides the requirement for the new CAB Forum Code Signing guidelines, Microsoft has also limited the use of 2048-bit RSA root certificates to no later than the year 2030. In addition, new root key size requirements for Code Signing and time-stamping must be 4096-bit RSA.
Outlining the minimum requirements for OV Code Signing certificate issuance. (Effective February 1, 2017)
As of February 1, 2017, Certification Authorities (CA) trusted by Microsoft Windows must issue code signing certificates under the Minimum Requirements for OV Code Signing.
The new requirements are designed to make OV Code Signing (CS) certificates more secure, specifically, higher protection of the private key. As of February 1, 2017, all CS certificates must be issued using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified:
- USB, PCI and Rackmount HSMs
- Secure cloud-based hosting service (e.g., Azure Key Vault, Amazon Web Services Cloud HSM, Google Cloud HSM)
- Trusted Platform Module (TPM)
- (Non-HSM) USB drive* (note that the use of a non-HSM drive for a Code Signing certificate requires extra protection of the physical drive it is stored upon, including locking the drive in a safe place and only having the drive inserted into your device only when you are signing code)
Key items from the updated requirements:
- Private keys must be stored using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified.
- An HSM USB Token is included with the purchase of Entrust Code Signing Certificate license.
- Subscribers can also use any third-party HSM or Cloud Service that meets the FIPS 140-2 level 2 requirements.
- The new requirements create a security standard that can allow for 135 month time-stamping certificates, so your OV code signing signature could be valid for more than 10 years.
- Malware researchers or an application software suppliers may request a Certification Authority to revoke a subscriber's OV Code Signing Certificate if proven it has been compromised to sign malicious code.
- If the private key is not secured using the method listed above the Certification Authority must revoke the certificate; a replacement certificate may be issued but the Certification Authority must ensure that the private key is stored using one of the qualified methods.
Microsoft's article relating to these new requirements can be found here.
Entrust is dedicated to implementing Best Practices in the design, implementation and management of digital security, including the issuance of OV Code Signing certificates.
You can see our technote about Code Signing Best Practices here for further information.
If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance:
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
|Australia||0011 - 800-3687-7863|
|Austria||00 - 800-3687-7863|
|Belgium||00 - 800-3687-7863|
|Denmark||00 - 800-3687-7863|
|Finland||990 - 800-3687-7863 (Telecom Finland)|
00 - 800-3687-7863 (Finnet)
|France||00 - 800-3687-7863|
|Germany||00 - 800-3687-7863|
|Hong Kong||001 - 800-3687-7863 (Voice) |
002 - 800-3687-7863 (Fax)
|Ireland||00 - 800-3687-7863|
|Israel||014 - 800-3687-7863|
|Italy||00 - 800-3687-7863|
|Japan||001 - 800-3687-7863 (KDD) |
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC)
|Korea||001 - 800-3687-7863 (Korea Telecom) |
002 - 800-3687-7863 (Dacom)
|Malaysia||00 - 800-3687-7863|
|Netherlands||00 - 800-3687-7863|
|New Zealand||00 - 800-3687-7863 |
|Norway||00 - 800-3687-7863|
|Singapore||001 - 800-3687-7863|
|Spain||00 - 800-3687-7863|
|Sweden||00 - 800-3687-7863 (Telia) |
00 - 800-3687-7863 (Tele2)
|Switzerland||00 - 800-3687-7863|
|Taiwan||00 - 800-3687-7863|
|United Kingdom||00 - 800-3687-7863 |
0800 121 6078
+44 (0) 118 953 3088