Essentials of the New Code Signing Minimum Requirements Guidelines

The Certificate Authority Security Council (CASC) recently released a new set of standards for code signing minimum requirements. Incredibly, this is the first time standardized code signing certificate guidelines have been issued.

Microsoft is already on board with adopting the new guidelines, which are designed to increase security and make software platforms more trustworthy. The software provider stated that all Certificate Authorities (CAs) issuing code signing certificates for Windows platforms had to meet the minimum requirements as of February 1st of this year.

What are the new minimum requirements and how will businesses that use code signing certificates be affected? Here’s what you need to know.


What are the new minimum requirements for code signing?

There are several key components of the new code signing minimum requirements that you should be aware of, and all are intended to increase security and reduce the threat of malware. The first, and perhaps most important, requirements relate to private keys: once a key is compromised and the owner's identity is stolen, it is frequently used to sign malicious software.

Businesses will now be required to store their keys in secure hardware that is kept on the premises, or they can utilize a secure cloud-based service specifically for cloud-based code signing certificates. The other requirements focus more on standards to be upheld by CAs.

Specifically, CAs will now be responsible for investigating and/or revoking certificates when application software suppliers (like Microsoft) or malware researchers request revocation based on suspicious activity by the certificate's users (including the signing of suspicious code or malware). In addition, the code signing minimum requirements mandate that CAs provide a time-stamping authority (TSA) so that software suppliers can determine how long a code signature should be regarded as valid.


Why were these requirements created?

The main goal behind the creation of code signing minimum requirements was to set standards for authentication across the board. In the past, companies denied code signing certificates by one CA could simply apply with a different CA and potentially be approved. The new standards create a more secure environment, not only for end users but also for application software suppliers and for the companies that hold the certificates.

Additionally, the CASC aims to ensure better access to information so that companies understand the importance of certificates and how they function to protect users. This, in turn, can help them to make informed decisions that benefit all parties involved and provide the highest level of protection against malware attacks.


How does this affect my internal processes?

As long as you update to meet the new standards for code signing minimum requirements, the effects should be entirely positive. Once you update and take steps to securely store keys on-site, you'll enjoy both greater protection from identity theft and the ability to continue working with Microsoft and other application software suppliers.

You probably have many questions about the practical aspects of implementation and the specific benefits you’ll gain by coming into compliance with code signing minimum requirements. SSL Authority has the answers you’re seeking and the updated products you need to carry on business as usual. Do not hesitate to contact us now for further information.

