Numerous breaches and malicious malware attacks have used fraudulent code signing certificates to cause significant damage of the certificate owner’s reputation and business. To prevent this from happening, earlier this month, the CA/B forum’s new Code Signing Baseline Requirements (CSBRs) came into effect, bringing with it changes to how organizations must generate and protect code signing certificate private keys.
In today’s digital world, code signing is an essential part of doing business for virtually any organization that distributes code to their end users. Code signing verifies the identity of the publisher of a specific set of code and attests it has not been modified since it was signed. Certificates delivered along with software that has been signed is a critical way for users to determine whether software originates from a legitimate source before installation. Regardless of the use case or industry an organization operates in, private key security must be utilized for code signing certificates to be trusted and valued. Otherwise, anyone who can access a legitimate certificate owner’s private key can create software that will appear to be signed by that organization.
With the number of high-profile malware attacks making headlines these days, the CA/B Forum passed Ballot CSC-13. The ballot mandates the certificate generation and storage of signing keys to be protected in a certified hardware crypto module, with the goal of increasing the protection of code singing certificate private keys. These new requirements officially came into effect on June 1, 2023, with Ballot CSC-17.
The CA/B Forums New Requirements for Code Signing
The biggest change to CBRs requirements for issuing EV and non-EV code signing certificates is related to private key protection. For example: before the new requirements, the non-EV key pair could be generated in software, which would easily allow the private key to be distributed, leading to risk of compromise. Now, the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 OR Common Criteria EAL 4+. Generating the key pair in a hardware crypto module where the private key cannot be exported ultimately helps minimize the risk of private key compromise.
New Subscriber Private Key Protection Requirements
To ensure compliance with these new CA/B Forum code signing requirements, certificate authorities (CA) must use one of the following to securely store and generate their keys:
1. Hardware crypto module meeting the specified requirement
2. Cloud‐base key generation and protection solution with the following requirements:
a. Key creation, storage, and usage of private key must remain within the security boundaries of the cloud solution’s hardware crypto module that conforms to the specified requirements
b. Subscription at the level that manages the private key must be configured to log all access, operations, and configuration changes on the resources securing the private key
3. Signing Service which meets the requirements of Section 6.2.7.3
New Subscriber Private Key Verification Requirements
In addition to secure key storage, the CA must verify and ensure the private key is also generated and used in a hardware crypto module via one of the following methods:
- CA ships a hardware crypto module with one or more pre‐generated key pairs
- Subscriber counter‐signs certificate requests that can be verified by using key attestation, indicating that the private key was generated in a non‐exportable way using a hardware crypto module
- Subscriber uses a CA prescribed crypto library and a suitable hardware crypto module combination
- Subscriber provides an internal or external IT audit indicating that it is only using a suitable hardware crypto module to generate key pairs
- Subscriber provides a suitable report from the cloud‐based key protection solution subscription and resources configuration protecting the private key in a suitable hardware crypto module
- CA relies on a report signed by an auditor who has IT and security training or is a CISA and witnesses the key pair creation in a suitable hardware crypto module solution including a cloud‐based key generation and protection solution
- Subscriber provides an agreement that they use a Signing Service meeting the CSBRs of Section 6.2.7.3.
How Thales can Help with Compliance
Thales provides Hardware Security Modules (HSMs) that can help comply with the with the new CA/B Forum code signing requirements. Thales Luna HSMS securely generate, store, and manage the keys used in code signing applications within the secure confines of the HSM. Keys and signing material never leave the intrusion-resistant, tamper-evident FIPS 140-2 Level 3 and Common Criteria EAL 4+ certified hardware device. Luna HSMs also provide strict access control to the use of code signing keys (which must be kept inside the HSM to perform the code signature), as well as generate a secure audit log.
Luna HSMs offer flexible deployment options, including on-premises, as-a-service, in the cloud or across multiple environments to create a hybrid HSM solution, and Thales remains among an elite group of providers offering a cloud service with a FIPS-validated hardware root of trust.
For more than 25 years, Thales has been the market leader with innovative, high-assurance, FIPS 140-2 Level 3-validated Luna HSMs to meet evolving risk and compliance needs. Governments and the most trusted brands in the world rely on Luna HSMs as their foundation of digital trust when preparing for post-quantum crypto solutions, code signing, protecting SSL certificates, and other use cases where confidentiality, integrity, and availability are paramount.
About the CA/B Forum
The CA/Browser Forum is a group made up of primarily Certificate Authorities (CA) and Internet browsers vendors who voluntarily come together with the mission of developing guidelines and requirements around the issuance and management of X.509 v.3 digital certificates that enable secure connections between users and websites. The group adopted the first of its "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates” in 2011. These requirements were designed to provide minimum-security standards for all browser-trusted SSL/TLS certificates.
The new CA/B Forum requirements are intended to fight against an increasingly common problem of stolen code signing keys being used to sign and distribute malware. Don’t leave your organization non-compliant and ensure keys are generated and stored in robust, tamper-evident FIPS 140-2 Level 3 certified Luna HSMs.
Additional Resources
- Joint Webinar with SignPath: Meeting New Code Signing Requirements
- On-demand Joint Webinar with DigiCert: Complying with the new CA/B Forum Code Signing Requirements