Token or HSM required for code signing certificates

Next Steps: OV Code Signing Changes

On March 21, 2022, Sectigo reminded us of what we already discussed on 05/10/2022 about the changes to how code signing certificates are obtained:

Dear Sectigo Customer,

Last year, the CA Browser (CA/B) Forum announced changes to its regulations for Code Signing certificates and services, requiring all Certificate Authorities to ensure that the Subscriber’s Private Key is generated, stored, and used in a suitable FIPS-compliant hardware. This change from the CA/B Forum aims to improve security and help reduce risk of compromise.

The deadline for implementation of the new regulations is June 1, 2023. In future, Sectigo OV code signing certificates will be either:

  • Installed on a Sectigo token and shipped securely to the customer
  • Available as a download to be installed on the customer’s own HSM. The hardware devices (e.g. tokens, HSMs, etc.) must be FIPS-compliant and support externally verifiable key attestation.

Starting April 24, 2023, you will no longer be able to purchase or issue standard OV Code Signing certificates.

What should you do next?

Issue any already purchased OV Code Signing certificates, or purchase and issue new OV Code Signing certificates with a validity of up to 3 years, prior to April 24, 2023. If you fail to do so, you will have to use your own FIPS-compliant hardware, or pay extra for receiving a Sectigo-issued token.

So, to postpone the need to buy the token from Sectigo or to have your own HSM, we recommend that you request all the code signing certificates you will need, for the next 3 years, before April 24.