picture of tbs certificates
picture of tbs certificates
Our products range

20170201 - Key storage recommended for Code Signing certificates

As of February 1st, 2017 Symantec recommends to store your Code Signing certificates' private key on an external storage unit in order to reduce the risk or stolen, misplaced or compromised code-signing private keys.

For which products?

Any Thawte and Symantec Code Signing certificate new order or renewal.

What kind of token?

3 options:

  • A Trusted Platform Module (TPM) that generates and secures a key pair and that can document the Subscriber’s private key protection through a TPM key attestation.

  • A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

  • If neither of the above two mentioned options are feasible, the alternative method is to choose another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140 Level 2 or Common Criteria EAL 4+). In the case of this solution you should ensure to keep the token physically separate from the device that hosts the code signing function until a signing session is begun.

Symantec adds:

At no stage should you leave code-signing private keys unsecured in a web browser or share code-signing private-keys with a third party (known or unknown) as to do so will dramatically increase the risk of bad actors having the capability to compromise your code-signing service and thus enhances the likelihood of the distribution of malware signed by your organization.