Code Signing

What are the CA/Browser forum requirements for code signing certificate private keys? Are you prepared?

code signing certificate private keys

Reading Time : 3 minutes

Security is critical in today’s digital world, especially when it comes to the protection of codesigning certificate private keys. Over the years, developers have used code-signing certificates to establish their software applications’ authenticity, integrity, and trustworthiness. However, the private keys associated with the code signing certificate were not adequately protected due to a lack of stringent policies and guidelines.

In this blog, we will delve deep into the recent updates to Baseline Requirements for Code Signing Certificates by the Certificate Authority/Browser (CA/B) Forum, which have to be implemented from 1st June 2023.

What are CA/B Forum updates?

The CA/Browser Forum, a consortium of certificate authorities (CAs) and browser vendors, periodically revises its guidelines and requirements to enhance the security of digital certificates. In a recent update, the forum introduced new recommendations specifically aimed at code-signing certificate private keys. These updates aim to address emerging security threats and strengthen the overall security posture of the code-signing ecosystem.

Starting June 1, 2023, it is mandatory for subscriber private keys associated with code signing certificates to be protected using a Hardware Crypto Module that complies with either FIPS 140-2 Level 2 or Common Criteria EAL 4+ requirements. Subscribers are required to select one of the approved approaches for generating and securing their code signing certificate private keys:

  1. Option 1

    Use a Hardware Crypto Module operated by them that adheres to the prescribed standards.

  2. Option 2

    Employ a cloud-based key generation and protection solution that satisfies the following criteria:

    • Keeps private keys within the secure boundaries of the cloud platform’s hardware crypto module, meeting the specified requirements.
    • Logs all access, operations, and configuration changes related to the resources securing the private key.
  3. Option 3

    Utilize a Signing Service that meets the established baseline requirements.

In addition, CAs shall verify that the subscriber’s private key is generated, stored, and used in a suitable hardware crypto module using one of the following methods:

  1. The CA provides a hardware crypto module with pre-generated key pairs.
  2. The subscriber uses key attestation to verify the private key’s secure generation in a hardware crypto module.
  3. The subscriber employs a prescribed crypto library and suitable hardware crypto module for key pair generation and storage.
  4. The subscriber presents an IT audit report confirming the exclusive use of a suitable hardware crypto module for key pair generation of code signing certificates.
  5. The subscriber provides a report from their cloud-based key protection solution, demonstrating the secure configuration of resources protecting the private key.
  6. The CA relies on a report, signed by an approved auditor, confirming key pair creation in a suitable hardware crypto module, including cloud-based solutions.
  7. The subscriber provides an agreement agreeing to use a Signing Service that meets the requirements.

How can you stay compliant?

To ensure compliance with these updates and enhance the security of their digital certificates, organizations should take the following steps:

  • Review the Requirements

    Thoroughly study the updated recommendations the CA/Browser Forum provided to understand the specific requirements and changes related to code signing certificate private keys.

  • Assess Existing Infrastructure

    Organizations need to review their current infrastructure and identify their methods to generate and protect code signing certificate private keys. This assessment will help identify gaps or areas that must be addressed to comply with the new guidelines.

  • Select a Suitable Approach

    Organizations must choose one of the approved approaches stated in the blog for generating and securing their code signing certificate private keys.

Want to know how can we assist you?

Encryption Consulting’s CodeSign Secure provides organizations with a comprehensive code-signing solution tailored to their unique requirements. By utilizing this solution, organizations can establish a strong code-signing policy that effectively mitigates security risks and ensures the authenticity of their software. Our product streamlines the code-signing process and offers a range of features designed to enhance security.

One key feature of CodeSign Secure is secure key management. It enables organizations to securely store their private keys of the code-signing certificate by integrating with industry-leading Hardware Security Modules (HSMs) that are FIPS certified. This integration eliminates the potential risks associated with stolen, corrupted, or misused keys, as the private keys never leave the HSM during the code signing operation.


In conclusion, the recent updates to the Baseline Requirements for Code Signing Certificates by the CA/Browser Forum emphasize the criticality of protecting code signing certificate private keys. Organizations must adapt to these updates by implementing robust measures, such as using Hardware Crypto Modules that do not only comply with but exceed the requirements of FIPS 140-2 Level 2 or Common Criteria EAL 4+ standards. Organizations can bolster trust, integrity, and authenticity in their software applications by prioritizing the security of code signing certificate private keys.

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

secure and flexible code signing solution

About the Author

Yathaarth Swaroop is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

Let's talk