Today, we’re excited to share some important updates regarding our code signing certificate process on the Sectigo portal. Due to the latest regulations introduced by the CAB Forum, Sectigo have enhanced their procedures to ensure the utmost protection for your code signing certificates. These changes are designed to minimise the risk of misuse and safeguard your certificates from falling into the wrong hands. These updates, implemented in May 2023, are part of Sectigo’s ongoing commitment to digital security. Stay tuned as we delve into the recent changes that have been made.
Previously, you could download your certificate directly from the Sectigo portal. However, under the new process, your certificates will now be securely installed on a hardware security module (HSM) and then shipped to you. To facilitate this, Sectigo have offered two different profiles when creating your enrollment forms.
1. GEANT OV Code Signing (Shipping Certificate on FIPS USB Token):
Under this method, Sectigo ship out a token, allowing you to download the certificate. However, be aware that because the token is configured in and shipped from the United States, there might be delays associated with this option.
2. GEANT OV Code Signing (Key Attestation):
In this approach, the code signing certificate is available to download, enabling you to install it directly onto your own FIPS-compliant HSM. For this option, your hardware devices must support external key attestation. Currently, we offer support for the following hardware devices:
- Thales/Safenet Luna and netHSM devices
- Yubico FIPS YubiKeys (for ECC keys only)
If you opt for Yubico devices, you can conveniently purchase them from various platforms such as Amazon, ensuring they belong to the FIPS series for compatibility.
Please visit our documentation page, which provides more information on how to request a code signing certificate from start to finish.
YubiKeys?
You can purchase YubiKeys from most places (Amazon etc.); however, these need to be in the FIPS series. They can also be ordered from America (from Sectigo); however, this will incur delays due to shipping/customs charges. Sectigo therefore recommend you purchase your own, especially if you are under a strict time constraint.
We recognise that these modifications may spark inquiries and uncertainties. Rest assured, we are here to help and support you. If you have any concerns or require further clarification, please do not hesitate to get in touch with our dedicated support team at certificates@jisc.ac.uk.