Code Signing certificates on a token? No worries

May 22, 2023 | Jindřich Zechmeister

Code Signing certificates can now only be on a token or HSM. It will no longer be possible to save them locally on the computer, for example in the popular PFX file format.

What has changed and since when?

From 16/05 2023, all Code Signing certificates must be issued on secure storage - just like EV Code Signing - which can be a token or HSM. The token must comply with FIPS 140-2 Level 2 or Common Criteria EAL 4+ certification. This change is valid for the entire industry, therefore also for all certification authorities. Everyone must accede to and abide by these rules.

Therefore, all owners and users of Code Signing certificates will have to have their certificate on the token, which was previously only the privilege and advantage of Code Signing EV certificates.

You don't have to worry about the change, signing will remain simple

We want to make the transition to the token as easy as possible, so you can get it from us for 80 USD (75 €) instead of the price offered by DigiCert of 120 USD and regardless of the number of years of validity of the certificate.

The signing method with the token itself practically does not change. You'll just be referencing the token store instead of the PFX file or store. Although the certificate is stored on the token, it is "visible" in the system's certificate store as if it were physically there, thanks to the Safenet application - so signing will not be more complicated.

Below you can see an example of the name of a certificate on a token (signing is done using the signtool tool from the Windows SDK). Instead of a file, you use the /s parameter to refer to the repository: signtool sign /s my /t C:/test.exe

Signing remains simple. If you select a certificate for signing from the list (system dialog), the certificate on the token will also be visible there.

What if I don't want a token?

You may have various reasons for not wanting a certificate on the token. The most common scenario is signing the application by multiple developers in the team, who should have their own certificates, or borrow the token. This is rather impractical, but there are solutions. Let's give at least two examples.

One option is to buy an HSM and securely store the token on that hardware resource. However, this entails a considerable investment, which can be thousands of dollars. A modern way to solve this problem is to sign using a secure certificate authority cloud. Such a service is offered by the DigiCert ONE platform and is called Software Trust Manager.