FairSSL - We make SSL EASY

Code Signing OV Physical Security Deadline 1 June 2023 (23 April 2023)

28 October 2022

Last Updated: 9 March 2023

Code Signing Certificates Require Physical Key Security from June 1, 2023

GlobalSign and Sectigo have announced that the last chance for issuance without physical key security is April 23, 2023.
The deadline for the switch to physical key security was previously moved from November 15, 2022 to June 1, 2023.

Background to the change

Code signing certificates are issued with two levels of validation:

  • Organization Validation (OV)
  • Extended Validation (EV)

EV Certificates have:

  • Higher requirements for business validation
  • Increased trust in Microsoft SmartScreen download filter
  • Requirement for physical security of the private key, via one of:
    • USB crypto token
    • Network HSM
    • Any device certified to FIPS 140-2 Level 2 or Common Criteria EAL 4+

Overlooked detail of OV certificates

Although OV certificates do not have the same requirements as EV certificates, the private key must still be protected — but the responsibility lies with the user.
Many ignore this, and OV certificates are often used with a private key stored as a plain file, which leaves the key open to copying and theft.

Microsoft Proposals and Timeline

  • May 5, 2022: Microsoft proposes that physical key security should also apply to OV certificates
  • November 15, 2022: Original deadline
  • September 27, 2022: Microsoft suggests postponing to June 1, 2023, on the grounds that there should be at least one year's notice
  • The proposal is adopted

Implications for users

From June 1, 2023 it will no longer be possible to issue OV code signing certificates without physical key protection.

This means, among other things:

  • When renewing, one must wait for delivery of the USB crypto token (e.g. Thales SafeNet 5110 CC)
  • Risk of shortages of crypto tokens
  • Most devices support only 2048-bit RSA, while 3072-bit RSA is now required
  • Automated signing processes (CI/CD pipelines) can break
  • Need for cloud-based solutions such as Azure Key Vault (Premium) or AWS KMS
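The 3072-bit RSA minimum mentioned above is worth checking before ordering, since an existing 2048-bit key will be rejected regardless of where it is stored. The following Python script is an added example, not FairSSL's code and not from any CA: it reads an RSA SubjectPublicKeyInfo (PEM or raw DER) with a small DER reader and reports the modulus size, so it needs no third-party library. The `make_rsa_spki` helper only builds a placeholder key structure with a constructed modulus for the demonstration; it is not a real key pair. On a real system you would feed it the output of `openssl rsa -pubout` or the public key exported from your token.

```python
"""Check an RSA public key against the 3072-bit minimum for code signing keys.

Added example: parses a SubjectPublicKeyInfo (PEM or DER) with a minimal DER
reader. make_rsa_spki() builds a placeholder structure with a constructed
modulus for the demonstration only and does not produce a usable key.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
CODE_SIGNING_MIN_BITS = 3072                    # minimum stated on the page


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def load_spki(data):
    """Accept PEM ('-----BEGIN PUBLIC KEY-----') or raw DER and return DER bytes."""
    if data.lstrip().startswith(b"-----"):
        b64 = re.sub(rb"-----[^-]+-----|\s", b"", data)
        return base64.b64decode(b64)
    return data


def rsa_modulus_bits(data):
    """Return the RSA modulus size in bits from a SubjectPublicKeyInfo."""
    spki = load_spki(data)
    tag, body, _ = _read_tlv(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)           # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)              # algorithm OID
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bitstr, _ = _read_tlv(body, pos)      # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsapub, _ = _read_tlv(bitstr[1:], 0)    # skip unused-bits byte; RSAPublicKey SEQUENCE
    _, modulus, _ = _read_tlv(rsapub, 0)       # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def meets_code_signing_minimum(data):
    """True when the key would pass the 3072-bit RSA requirement."""
    return rsa_modulus_bits(data) >= CODE_SIGNING_MIN_BITS


# --- constructed sample data (demonstration only, NOT a real key pair) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:                   # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return _tlv(0x02, b)


def make_rsa_spki(modulus_bits, exponent=65537):
    """Build a SubjectPublicKeyInfo whose modulus has exactly modulus_bits bits.
    The modulus is a constructed placeholder, not a product of two primes."""
    n = (1 << (modulus_bits - 1)) | 1
    rsapub = _tlv(0x30, _der_int(n) + _der_int(exponent))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")   # NULL parameters
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsapub))


def to_pem(der):
    """Wrap DER bytes in a PEM PUBLIC KEY envelope."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{body}-----END PUBLIC KEY-----\n".encode()


if __name__ == "__main__":
    for bits in (2048, 3072, 4096):
        pem = to_pem(make_rsa_spki(bits))
        verdict = "OK" if meets_code_signing_minimum(pem) else "too small for code signing"
        print(f"{rsa_modulus_bits(pem)}-bit RSA: {verdict}")
```

The same check applies to a key held in a cloud HSM or on a USB token: export only the public half and run it through `rsa_modulus_bits`; the private key never has to leave the device for the size to be verified.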

What happens to existing certificates?

  • OV code signing certificates issued before June 1, 2023 will continue to work until they expire (up to 3 years)
  • They cannot be reissued without physical key protection

FairSSL Recommends

  • Issue a 3-year certificate by May 2023 if you want to avoid the physical key requirement
  • Contact us if you have an active certificate with a long validity — we can help
  • Use a TPM chip or a cloud solution for key security, regardless of the requirements
  • Renew early — from June 1, 2023 a USB crypto token will be included with the certificate, which may affect the price

CA-Specific Deadlines

  • GlobalSign:
    Last day for issuance without physical security: April 23, 2023
    From April 24, 2023 a USB crypto token or certified HSM is required
  • DigiCert:
    Removes the possibility of issuance without physical security: May 16, 2023
    Certificates must be issued no later than May 30, 2023
  • Sectigo:
    Recommends ordering with a USB crypto token from May 15, 2023
    Certificates issued after May 30, 2023 without physical security will be revoked and must be reissued
