All Code Signing certificates will be on token from November. Now what?

Aug 5, 2022 | Jindřich Zechmeister

From November this year, the conditions for issuing and using OV Code Signing certificates will change. Their private key will need to be stored on a hardware token. In this article, you will learn what this means for users and what other signing options are available.

What does the change mean for Code Signing certificate users?

All Code Signing certificates issued after 11/15/2022 will be issued and distributed on a token. The issued certificate will therefore be stored on the token and you will receive it by mail. The signer will need this token when signing and will have to enter a password to unlock the token each time they sign.

The change in issuance will be reflected automatically, and after the new certificate is issued, the token will be automatically delivered by a messenger. You will then find the password to unlock it in your customer administration.

The private key to the certificate cannot be exported from the token, so it will not be possible to create a PFX file as before. However, this higher safety of use is paid for by lower comfort of use, which we will return to below.

Extend your certificate for 3 years and postpone the change

For existing customers, we have a tip on how to delay the effects of the change. We recommend that you extend your existing Code Signing certificate (or buy a new one) for a maximum validity period of 3 years by mid-November. This will not solve the problem, but at least you will delay it and you will be able to sign as before for the next 3 years.

When you buy a certificate for several years, you save money because the annual certificate price is reduced. However, it will be important not to lose the certificate with the private key, because in the case of its reissue it would have already been issued on the token.

Are there any tokenless signing options?

Using a token with a certificate is secure, but far from practical. You have to enter a password every time you sign and this prevents the signing from being automated. This is a problem as more and more software development companies move to development using CI/CD principles.

Fortunately, there is a signature option built just for this purpose. It is called Secure Software Manager and is part of the wider DigiCert ONE platform. We can arrange it for our customers and help you get started with Secure Software Manager.

Secure Software Manager uses the hash signing principle, and the signature takes place in the DigiCert cloud, where the certificate with the private key is located. When signing, only the hash (imprint) of the signed file travels to the cloud; after it is returned, the signing utility adds it to the signed application. Communication with the DC cloud takes place using libraries that DigiCert has prepared for all platforms.

Cloud signing is the future. Thanks to this, signing is significantly safer, faster, and the signed files do not have to travel over the Internet. You also have complete control over the signing key pairs and all operations are carefully logged.