Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
| Delivery Option | Shipping Details |
|---|---|
| USB Token + Shipping (US) | Ground shipping to addresses within the United States. |
| USB Token + Expedited Shipping (US) | Air express shipping to addresses within the United States. |
| USB Token + International Shipping (non-US) | Choose this option if your shipping address is not in the United States. |
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device: