Versions Compared

Old Version 136

changes.mady.by.user Kent Engström

Saved on

compared with

New Version Current

changes.mady.by.user Kent Engström

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: code signing

...

Since spring 2023, both kinds of code signing certificates (OV and EV) needs to have the key generated on and confined to a hardware token (before this, "soft" OV code signing certificates were possible, were you generated the key on a normal computer).

See the GEANT FAQ for general information.We will update this section when the first Sunet TCS member has ordered an OV code signing certificate and gone through the process with usCode Signing parts in GEANT FAQ for general information. From the array of options described there, we think most Sunet TCS members would choose:

  • Buying a Yubico FIPS Yubikey yourselves (not from Sectigo) and using it to generate a key (which stays on the device) and a CSR + key attestation (which proves to Sectigo that the key was generated by the device) that is used in the SCM interface to order the certificate at no extra charge. This gives you an OV code signing certificate (which is fine if that is what you need, but if you need EV code signing, it will not suffice) using an ECC key (which is fine if that works for your application, but not if you need RSA).
  • Buying an EV code signing certificate on a hardware token from Sectigo using the URL and discount code provided in the GEANT FAQ above. You will not be using SCM for this (you order from Sectigo's "normal" webstore; TCS just provides the discount code) so the extended validation will be done specifically for this purchase. Sunet TCS members using this option have received certificates based on RSA keys.

Notifications

Under Settings → Email Notifications you can add and edit what notifications the system will send you when certain conditions are met. Use the Add button to have a look at the various Notification Types that are available.

...

Do we really need all those certificates in the chain?

No. You Your webserver or similar should be fine with only sending the GEANT-branded sub-CA certificate (CN = GEANT OV RSA CA 4 or similar) configured as a chain certificate in your together with the server certificate. That The GEANT sub-CA certificate is signed by a version of CN= USERTrust RSA Certification Authority that is present in modern browser/OS trust stores and similar.(this version is self-signed, and does not rely on CN = AAA Certificate Services).

If you need the good version of CN= USERTrust RSA Certification Authority  to import in some software (for example newer versions of VMware that does not like the CN = AAA Certificate Services root),  you can find it via the link on Sectigo's documentation page Sectigo Chain Hierarchy and Intermediate Roots

Where can we check if our server sends the correct chain?

...