Applies to:
This will impact anyone creating new or renewing existing standard (non-EV) Code Signing certificate environments using DigiCert as the Certificate Authority (CA).
This will NOT impact anyone only creating new or renewing existing EV Code Signing certificate environments using DigiCert.
What is being changed?
As DigiCert previously announced to customers, in order to comply with industry standards, beginning May 16, 2023, private keys used for requesting and renewing standard (non-EV) Code Signing certificates are required to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. DigiCert has made changes to the CertCentral UI and Services API to support this.
Venafi is releasing TPP patches with minor changes to accommodate the DigiCert Services API changes.
This change will require users who have not already done so to change preferences in the CertCentral UI or, preferably, upgrade their TPP server to a patch version with the DigiCert CA integration changes.
Furthermore, DigiCert announced that, starting May 30th, the process for requesting or renewing a certificate will require an email-based assertion that a proper HSM is in use for each request. No additional changes are needed to your TPP installation when this goes into effect.
What actions do I need to take?
If they haven’t already done so, the DigiCert admin should immediately do the following:
- Log in to CertCentral
- Go to Settings > Preferences (in the left main menu), click on Advanced to expand the content, and scroll down to “Code signing and EV Code signing certificate settings”
- Set “Provisioning option selected by default when more than one method is available / For Code Signing certificate” to “Install on an HSM”.
The TPP CodeSign Administrator or Project Owners should immediately do the following:
- For each environment using the DigiCert CA with standard (non-EV) Code Signing certificates, ensure that:
  - The environment Storage Location is set to a previously-created HSM certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.
  - The environment Server Platform is set to any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent platform (e.g. “Other FIPS 140 - 2 Level 2 Device”).

As soon as possible, the TPP admin should do the following:
- Upgrade the TPP servers with the latest TPP patch for their TPP server version.
What will happen if I haven’t made the changes on DigiCert CertCentral?
If you have not already made the DigiCert CertCentral changes, any new TPP Code Signing certificate environment (or existing environment with an expired certificate to be renewed) using DigiCert standard (non-EV) Code Signing certificates will not become available for signing operations - Key Users will not see it appear as available when using the client or client API. The CodeSign Administrator or Project Owner will see an error icon in the TPP environments page and will see an error banner displayed in the environment detail page - “Certificate not issued yet. A CSR is not allowed for this product”.
What will happen if we are not using an HSM to store the private keys used for standard (non-EV) Code Signing certificates?
DigiCert will use its e-mail process to verify that you are using an HSM before issuing any standard (non-EV) Code Signing certificates - you will be unable to get any certificates issued until you have this in place.
After the TPP patch has been installed, TPP will prevent renewal of an existing environment with standard (non-EV) Code Signing certificates that is not configured to use an HSM. The CodeSign Administrator or Project Owner will see an error icon in the TPP Environments page and will see an error banner displayed in the Environment detail page with the message - “Certificate not issued yet. The Code Signing product required the Private Key to be generated and stored on an HSM.”
Also, if you have not configured an HSM storage location for your Code Signing certificate environment templates, you will be unable to select the DigiCert Code Signing certificate products (non-EV or EV).
See information on configuring TPP to use an HSM for Code Signing private key storage at: Setting up CodeSign Protect to use HSM keys
What changes are being made in the TPP patch releases?
The existing TPP DigiCert integration for standard (non-EV) Code Signing certificates does not specify a provisioning method when making requests. As a result, the default provisioning method set in DigiCert CertCentral will be applied to any requests.
The TPP patch releases include the following changes:
- The “email” provisioning method will now be specified when making requests for standard (non-EV) Code Signing certificates.
- If you have not configured an HSM storage location for your Code Signing certificate environment templates, you will be unable to select the DigiCert Code Signing certificate products (now both non-EV and EV).