What Code Signing Certificate Delivery Method to Choose?

The latest CA/Browser Forum regulation changes mandate users to install code signing certificates on hardware security modules (physical hardware tokens). Organizations and individuals seeking Organization Validation (OV) or Individual Validation (IV) code signing certificates can purchase pre-configured certificate tokens or order a certificate on their existing hardware devices.

When acquiring a code signing certificate, selecting the suitable delivery method during the purchase is imperative, as you can’t alter this choice later.

What is an electronic token?

An electronic token (e-token) is a small hardware device for secure authentication and data encryption. It’s often utilized in information technology and cybersecurity to provide an additional layer of security. This device generates one-time passwords (OTPs) or cryptographic keys for accessing protected systems, networks, or applications. Individuals and organizations commonly use e-tokens to safeguard sensitive data and prevent unauthorized access.

What Is a Hardware Security Module (HSM)?

A Hardware Security Module (HSM) is a tamper-resistant hardware device that offers cryptographic services, key management, and secure storage of sensitive data, such as cryptographic keys, certificates, and digital signatures. It safeguards critical digital assets, protecting them from unauthorized access.

HSMs are isolated, standalone devices, meaning they are separate from the host system and are less susceptible to software-based attacks on the operating system. Various industries use HSMs, including finance, government, healthcare, and technology, where stringent security requirements are essential.

How HSMs Enhance Code Signing Security?

Hardware Security Modules enhance the security of Code Signing certificates in the following ways:

• Key Protection: HSMs store private keys in a secure hardware environment, making it extremely difficult for attackers to access or steal them. Private keys never leave the HSM, reducing the risk of exposure.
• Secure Signing: The signing process occurs inside the HSM, safeguarding the code signing process from external threats.
• Tamper Resistance: HSMs are tamper-resistant, and any physical attempt to access or manipulate the device typically destroys stored keys, rendering them useless to attackers.
• Multi-Factor Authentication: Many HSMs support multi-factor authentication for administrators, adding an extra layer of security when accessing cryptographic operations.

Code Signing Certificate Delivery Methods

1. Token + Shipping

Recommended for Most Users

The Token + Shipping method allows you to order a pre-configured token directly from the Certificate Authority. The purchase price includes both the hardware token and shipping fees. This option is ideal for most users, offering simplicity and convenience in acquiring and implementing the certificate. Listed below are the token shipping fees:

Sectigo/Comodo

• Token + Expedited Shipping (USA) $147.00 USD
• Token + International Shipping $137.00 USD
• Token + Standard Shipping (USA) $95.00 USD

Digicert and GoGetSSL

• Token + Shipping (USA and International) $126 USD

2. Install on Existing HSM or Token

For Advanced Users

For those who already possess a compatible Hardware Security Module, the “Install on Existing HSM or Token” method is available. You can install the code signing certificate on your hardware device if you’re familiar with the associated software. When ordering Sectigo/Comodo certificates, you must provide an Attestation Bundle for your HSM as a requirement.

This method is specifically recommended for advanced users with expertise in managing third-party hardware, as SSL Dragon and the Certificate Authority can’t offer support for external HSM devices. Supported HSM brands for this method must be certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. The following HSM brands and tokens are supported:

Sectigo/Comodo

• Yubikey 5 FIPS
• LUNA Network Attached HSM, version 7+

DigiCert and GoGetSSL

You can use your own supported token or install the certificate on an existing HSM:

Supported Tokens:

• SafeNet eToken 5110 CC for RSA 4096-bit and ECC P-256-bit or higher key certificates.
• SafeNet eToken 5110 FIPS for ECC P-256 and P-384-bit key certificates.
• SafeNet eToken 5110+ FIPS for RSA 4096-bit and ECC P-256-bit or higher key certificates.

Your own HSM:

• You must have a Common Criteria EAL4+ or FIPS 140-2 level 2 HSM.
• Once you have the HSM, submit a Certificate Signing Request (CSR) along with your certificate request.
• Upon completion, you will receive a copy of your certificate via email.

Adhering to Your Decision

Once you complete your purchase, you can’t change the chosen delivery method. Therefore, carefully consider your requirements and select the most suitable option beforehand. If you need a different delivery method, you can cancel your order through your account dashboard and purchase another certificate with your preferred choice.

Bottom Line

As cyber threats evolve, traditional software-based cryptographic solutions are increasingly vulnerable. HSMs offer a robust defense against sophisticated attacks. By understanding the available options and selecting the appropriate сertificate delivery method, you can ensure a smooth and efficient acquisition of your сode signing certificate, safeguarding your software and digital assets with enhanced security measures.