Skip to main content

Certificate Services Support

User-added image

Important changes for OV and EV Code Signing certificate issuance (Effective June 1, 2021)

As of June 1, 2021, Entrust updated its Code Signing Certificate hierarchies and implemented changes to enforce a minimum key size of 3072-bit RSA. These changes accommodate the new CAB Forum guideline which took effect on 1st June 2021. Baseline Requirements for Code Signing Certificates 

That means customers can now issue Code Signing Certificates with either 3072 or 4096-bit sizes. In addition to enforcing new minimum key sizes, a new Time Stamp Authority (TSA) has been established at
Customers performing Code Signing operations should update their configuration to begin using this new TSA.

Besides the requirement for the new CAB Forum Code Signing guidelines, Microsoft has also limited the use of 2048-bit RSA root certificates to no later than the year 2030. In addition, new root key size requirements for Code Signing and time-stamping must be 4096-bit RSA.

Outlining the minimum requirements for OV Code Signing certificate issuance. (Effective February 1, 2017) 

As of February 1, 2017, Certification Authorities (CA) trusted by Microsoft Windows must issue code signing certificates under the Minimum Requirements for OV Code Signing.

The new requirements are designed to make OV Code Signing (CS) certificates more secure, specifically, higher protection of the private key. As of February 1, 2017, all CS certificates must be issued using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified:
  • USB, PCI and Rackmount HSMs
  • Secure cloud-based hosting service (e.g., Azure Key Vault, Amazon Web Services Cloud HSM, Google Cloud HSM)
  • Trusted Platform Module (TPM)
  • (Non-HSM) USB drive* (note that the use of a non-HSM drive for a Code Signing certificate requires extra protection of the physical drive it is stored upon, including locking the drive in a safe place and only having the drive inserted into your device only when you are signing code)
A USB Token (HSM) will be included with the purchase of OV Code Signing certificates from Entrust. The list of hardware security modules (HSMs) shown above is listed in order of the most expensive to least expensive HSM solution.

Key items from the updated requirements:
  • Private keys must be stored using a secure method such as a hardware crypto module/HSM FIPS 140-2 level 2 certified.
    • An HSM USB Token is included with the purchase of Entrust Code Signing Certificate license.
    • Subscribers can also use any third-party HSM or Cloud Service that meets the FIPS 140-2 level 2 requirements.
  • The new requirements create a security standard that can allow for 135 month time-stamping certificates, so your OV code signing signature could be valid for more than 10 years.
  • Malware researchers or an application software suppliers may request a Certification Authority  to revoke a subscriber's OV Code Signing Certificate if proven it has been compromised to sign malicious code.
  • If the private key is not secured using the method listed above the Certification Authority must revoke the certificate; a replacement certificate may be issued but the Certification Authority must ensure that the private key is stored using one of the qualified methods.
The complete document that outlines the entire requirements for issuance of OV Code Signing certificates can be found here.

Microsoft's article relating to these new requirements can be found

Entrust is dedicated to implementing Best Practices in the design, implementation and management of digital security, including the issuance of OV Code Signing certificates. 

You can see our technote about Code Signing Best Practices here for further information.

If you have any questions or concerns please contact the Entrust Certificate Services Support
 department for further assistance: 

Hours of Operation: 

Sunday 8:00 PM ETto Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.
Australia0011 - 800-3687-7863
Austria00 - 800-3687-7863 
Belgium00 - 800-3687-7863 
Denmark00 - 800-3687-7863 
Finland990 - 800-3687-7863 (Telecom Finland)
00 - 800-3687-7863 (Finnet) 
France00 - 800-3687-7863 
Germany 00 - 800-3687-7863 
Hong Kong001 - 800-3687-7863 (Voice) 
002 - 800-3687-7863 (Fax) 
Ireland00 - 800-3687-7863 
Israel014 - 800-3687-7863 
Italy00 - 800-3687-7863 
Japan001 - 800-3687-7863 (KDD) 
004 - 800-3687-7863 (ITJ)
0061 - 800-3687-7863 (IDC) 
Korea001 - 800-3687-7863 (Korea Telecom) 
002 - 800-3687-7863 (Dacom) 
Malaysia00 - 800-3687-7863 
Netherlands00 - 800-3687-7863 
New Zealand00 - 800-3687-7863 
Norway00 - 800-3687-7863 
Singapore001 - 800-3687-7863 
Spain00 - 800-3687-7863 
Sweden00 - 800-3687-7863 (Telia) 
00 - 800-3687-7863 (Tele2) 
Switzerland00 - 800-3687-7863 
Taiwan00 - 800-3687-7863 
United Kingdom00 - 800-3687-7863 
0800 121 6078 
+44 (0) 118 953 3088 
Entrust Enters Exclusive Discussions to Acquire Onfido