New conditions for OV code signing certificate use

(3.8.2022, updated on 4.10.) The conditions for issuing and using OV code signing certificates will change, not from November this year but from June next year. The private key will need to be stored on a FIPS 140 Level 2, Common Criteria EAL 4+ compliant hardware device, for example on a token, as with EV code signing certificates.

The new private key storage requirements will apply to OV code signing certificates issued from 01.06.2023 (the deadline has been postponed from 15.11.2022) and will affect the ordering and renewal of these certificates, as well as their reissue, installation, and actual use. The conditions for issuing code signing certificates, the so-called Code Signing Baseline Requirements, have been tightened in this regard for security reasons: it will no longer be possible to create a certificate request (CSR) in online tools or browsers, and it will not be possible to store keys (private key and certificate) on the user's computer.

  • When ordering a new OV code signing certificate or its renewal, it will be necessary to select the type of hardware to store the private key on: you will be offered a token supplied by DigiCert, your own (supported) token, or an HSM.
  • The reissued certificate will need to be stored on your own (supported) token, HSM, or on a token supplied by DigiCert.
  • To sign applications, it will be necessary to have access to the token or HSM and to know its credentials.