Storage options for a Code Signing certificate
A Code Signing certificate must always be stored on a secure device; this is a precondition for its trust. Storing the certificate on a token also prevents misuse, because the token is password protected and the private key cannot be exported. Below are the storage options for Code Signing certificates available to our customers.
Keylocker
The most secure and modern option is to store your certificate in the cloud. After issuance, the code signing certificate is uploaded to the Keylocker service, where you access it remotely and sign using the hash signing method. It is fast and secure, and you do not have to worry about protecting the certificate or private key yourself. Learn more about the service in the article DigiCert KeyLocker (cloud HSM).
When ordering a Code Signing certificate, simply select Keylocker as the storage option. You will then receive an invitation to your DigiCert ONE account, where the issued certificate will be available. Authentication and communication with DigiCert ONE can then be easily configured using a setup wizard. You can continue signing using signtool or another familiar tool, but you’ll also have access to DigiCert’s signing utilities.
Hash signing is not only the most secure but also the fastest method. Only the hash of the file is signed, not the entire file (as signtool does).
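The hash-signing flow described above, as an added Go example that is not DigiCert's or KeyLocker's own code: the build machine hashes the file locally and hands only the digest to the key holder, which signs the prehashed value with a key that never leaves it. The in-process RSA key and the sample artifact are constructed stand-ins, and the signature is plain PKCS#1 v1.5 over SHA-256 rather than the Authenticode format signtool produces.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Constructed sample artifact standing in for the executable to be signed.
var sampleArtifact = []byte("constructed sample binary: not a real executable, just demo bytes")

// Build-machine side: hash the whole file locally. Only this 32-byte digest
// is sent to the key holder; the artifact itself never leaves the machine.
func DigestArtifact(data []byte) [32]byte {
	return sha256.Sum256(data)
}

// Key-holder side (cloud HSM, hardware HSM or token): sign the prehashed value.
// The signer never sees the file, and the private key never leaves the device.
func SignDigest(key *rsa.PrivateKey, digest [32]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// Consumer side: recompute the digest over the received artifact and check the
// signature. Any modification of the file changes the digest and fails here.
func VerifyArtifact(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// Hypothetical key generated in-process; in a real flow it is the non-exportable key inside the HSM.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	digest := DigestArtifact(sampleArtifact)
	sig, err := SignDigest(key, digest)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("bytes sent to signer: %d (file is %d bytes)\n", len(digest), len(sampleArtifact))
	fmt.Println("signature valid:", VerifyArtifact(&key.PublicKey, sampleArtifact, sig))
	tampered := append([]byte(nil), sampleArtifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered file valid:", VerifyArtifact(&key.PublicKey, tampered, sig))
}
```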
Certificate on HW token
The traditional way to store a Code Signing certificate. CAs currently issue the SafeNet 5110 token. Other certificates can be stored on it as well, and they are effectively protected against theft.
The certificates are stored on the token together with their private keys, and the private keys cannot be exported. To work with the certificates, the token must be unlocked with a password; after 10 incorrect password entries the token locks and becomes unusable, so brute-force password guessing is ruled out.
The token's technical specification can be found on the manufacturer's website or in the datasheet.
The token is supported on Windows Server 2008/R2, Windows Server 2012 and 2012 R2, Windows 7, Mac OS, Linux, Windows 8, and Windows 10/11. It connects via a standard USB port (USB type A), and the key storage capacity is 80 KB. The token meets ISO 7816-1 to 4.

Certificate on HSM (Hardware Security Module)
An HSM is specialized hardware for storing keys, certificates, and other cryptographic material (Wikipedia). HSMs function as servers: they are usually rack-mounted and look like a rack server.
If your organization has this specialized hardware, it can use it to store Code Signing (and of course other) certificates instead of a token to simplify (or automate) the signing process.
You do not need to purchase an HSM if you do not own one. The HSM storage option can also be used if you want your Code Signing certificate stored in a third-party cloud service, such as Azure Key Vault or a similar solution. This is possible, but the CSR must be generated inside that vault.
The HSM storage option is part of the order for a DigiCert CS EV Certificate. Keep in mind that if you choose this option, the CA DigiCert will require you to prove that you own a genuinely secure and audited device.