Options for storing a Code Signing EV certificate

A Code Signing EV certificate must always be stored on a secure device; this is a precondition for its trust. Storing it on a token also protects it from misuse, because the token is password protected and the private key cannot be exported. Below we introduce the options for storing Code Signing EV certificates that our customers can use.

Certificate on a hardware token

This is the most common way to store a Code Signing EV certificate. CAs currently issue a SafeNet 5110 token. Other certificates can be stored on it as well, and all of them are effectively protected against theft.

The certificates are stored on the token together with their private keys, and the private keys cannot be exported. To work with the certificates, the token must be unlocked with a password; after 10 incorrect password entries the token locks and becomes unusable. Brute-force password guessing is therefore ruled out.

The token's technical specification can be found on the manufacturer's website or in the datasheet.

The token is supported on Windows Server 2008/R2, Windows Server 2012 and 2012 R2, Windows 7, Windows 8, Windows 10, Mac OS and Linux. It connects via a standard USB port (USB type A) and has 80 KB of key memory. The token complies with ISO 7816 parts 1 to 4.

Safenet token 5110
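As an added example (not part of the original article), the Windows PowerShell check below lets an administrator confirm the two properties the article relies on: that a certificate's private key is held by a hardware-backed provider and that it is flagged non-exportable. It assumes Windows PowerShell 5.1 with the token middleware installed; the provider name reported is whatever the middleware registers, so the expected value must come from your own token's documentation.

```powershell
# Added example, not the article's or the vendor's code.
# Lists certificates with a private key and reports the key's provider,
# whether the key is exportable, and (for CSP keys) whether it is on hardware.
function Get-CodeSigningKeyStorage {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null; $exportable = $null; $onHardware = $null
        try {
            # Works for both CAPI (CSP) and CNG (KSP) keys; may prompt for the token password.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info       = $rsa.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $exportable = $info.Exportable
                $onHardware = $info.HardwareDevice
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider   = $rsa.Key.Provider.Provider
                $exportable = ($rsa.Key.ExportPolicy -band
                    [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                # CNG exposes no hardware flag; judge by the provider name instead.
                $onHardware = 'see provider'
            } else {
                $provider = 'non-RSA or inaccessible key'
            }
        } catch {
            $provider = "error: $($_.Exception.Message)"
        }

        # Code signing EKU is 1.3.6.1.5.5.7.3.3
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isCodeSigning = [bool]($eku -and ($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' }))

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            CodeSigning = $isCodeSigning
            Provider    = $provider
            Exportable  = $exportable
            OnHardware  = $onHardware
        }
    }
}

# Any code-signing certificate whose key reports Exportable = True, or a
# software provider, is not stored the way the article requires.
Get-CodeSigningKeyStorage | Where-Object { $_.CodeSigning } | Format-Table -AutoSize
```

Run it with the token plugged in; a token-resident key should show the middleware's provider and Exportable = False.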

Certificate on HSM (Hardware Security Module)

An HSM (Hardware Security Module) is specialized hardware for storing keys, certificates and other cryptographic material (see Wikipedia). An HSM operates as a server and often takes the form of a rack-mounted appliance.

If your organization already has such hardware, it can use it to store Code Signing (and, of course, other) certificates instead of a token, which simplifies or automates the signing process.

HSM storage is offered as an option when ordering a DigiCert Code Signing EV certificate. Keep in mind that if you choose this option, the CA (DigiCert) will require proof that you own a genuinely secure and audited device.
