Industry standards set by the CA/B Forum now require that all Code Signing certificate keys be stored on a FIPS-compliant Hardware Security Module (HSM) or hardware token. This is an industry-wide solution to combat the rise in breaches involving stolen signing keys. Only certificates that meet these requirements will be recognized as trusted on Microsoft Windows and other platforms. As such, we offer a variety of methods for delivering a Code Signing certificate in accordance with the new guidelines.
Depending on the solution provider (Sectigo, GGSSL, DigiCert), we offer a variety of certificate delivery solutions:
This is the simplest option and the one we recommend to most customers. When you place your order, select the appropriate shipping option and your certificate and code signing key will be sent to you on a FIPS-compliant eToken (USB token).
Delivery Options | Delivery Options | Price |
|---|---|---|
Token + International Shipping (non-US) | Option available for all countries except the US | $156.00 |
Token + Shipping (US) | Ground shipping to US addresses | $108.00 |
Token + Expedited Shipping (US) | Express air shipping to US addresses. | $168.00 |
Install on Existing HSM | - | $0.00 |
Once you receive the token, you can connect it to your computer or server and then sign files using your preferred tool (e.g. SignTool.exe, JarSigner, etc.)
For more advanced users, there is also the option of installing it on your own HSM or token. If you already have an HSM or compatible token, you can download and install the certificate on a compatible device. Compatible solutions:
- Luna Network Attached HSM V7.x
- YubiKey 5 FIPS Series.
Only the above list of devices is compatible with the new requirements. If you order a certificate and install it on an incompatible solution, you will not be able to refund the payment for the certificate.
As with Sectigo, DigiCert also offers delivery of the certificate together with a compatible USB token. Shipping and token costs are uniform regardless of location
Delivery Options | Delivery Options Details | Price |
|---|---|---|
Token + Shipping (all countries) | Option available for all countries | $144.00 |
Install on Existing HSM | - | $0.00 |
Use Existing Token | - | $0.00 |
After receiving the token, you can connect it to your computer or server and then sign files using your preferred tool (e.g. SignTool.exe, JarSigner, etc.)
Additionally, DigiCert offers the possibility of installing a code signing certificate on compatible tokens:
- SafeNet 5110 CC,
- SafeNet 5110 FIPS,
- Safenet 5110+ FIPS
Only the above list of devices is compatible with the new requirements. In the case of ordering a certificate and installing it on an incompatible solution – there will be no possibility of refunding the payment for the certificate.
It is also possible to install the certificate on your own HSM module. In this case, it is possible to use a cloud solution or on-prem HSM. If such a solution is selected when ordering, DigiCert will send information via e-mail, provided with the order, asking for confirmation that the HSM used meets the security requirements and compatibility with current requirements. After confirmation, the certificate will be available digitally for download. Compatible solutions:
- Any HSM FIPS 140 Level 2,
- EAL 4+ or similar,
- HSM managed directly by the ordering party or key storage/vault solutions
- as well as cloud HSM solutions, e.g. Azure Key Vault and AWS KMS.