EV Code Signing Token

Unknown Publisher Warning

To prevent the security warning shown above during the installation of my CISSP test engine, WUSON Practice Field (WPF), I placed an EV Code Signing Certificate order with Sectigo on July 23 and received the EV Code Signing Token today, Aug. 12. It took 20 days to fulfill the order, and it may take even longer if one does not complain about their performance and service. Under normal circumstances, the validation work, not counting token delivery time, should be completed within one week.

SafeNet Authentication Client

The token model is SafeNet eToken 5110 CC (940), compliant with CC EAL5+ / PP QSCD. Installing the SafeNet Authentication Client is required before using the token.

Poor Documentation

Sectigo sent me a password notification email as shown below. Because the email contains no instructions or documentation at all, I had no idea how to use the “Your Password” and the “Revocation Password.”

Sectigo Token Password Notification

It took me a lot of time reading the SafeNet user guide only to find out that “Your Password” is the token password described in the guide. Concerning the “Revocation Password,” the following is the reply from Sectigo, but what should I do when my private key is compromised?

Concern about Private Key

I had no idea how Sectigo generated the key pair and the certificate for customers and wrote them to the token, and I was concerned that Sectigo might keep a copy of the private key and control it.

After communicating with their support team, they clarified my concern. The SafeNet eToken 5110 CC (940), compliant with CC EAL5, supports hardware-generated key pairs: the private key is generated inside the token and is not exportable. The token is a typical something-you-have authentication factor; the token password adds the something-you-know factor, and together they form multi-factor authentication.

Concern about China

Certificate vendors in the western world typically follow law and order and provide adequate security and assurance. However, my order was routed to and validated by a Chinese team within Sectigo. I am deeply concerned about this because I don’t trust China-owned, -controlled, or -affiliated certificate vendors, e.g., StartCom, at all. We should keep an eye on China’s moves to acquire certificate authorities to prevent the StartCom faults, or even fraud, from recurring.

Code Signing Challenges

Even though the EV Code Signing certificate works fine to sign the Microsoft ClickOnce manifests, it’s still quite challenging to configure Visual Studio to sign the assembly.
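What a post-build dual-signing step for Setup.exe looks like when done with signtool instead of the Visual Studio project settings, as an added example that is not the post's own script. It assumes signtool.exe (Windows SDK) is on PATH, the SafeNet Authentication Client exposes the token's certificate through the CurrentUser\My store, and the thumbprint and timestamp URL are placeholders you replace with your own values.

```powershell
# Added example (not from the post): dual-sign Setup.exe with an EV certificate
# whose private key lives on the SafeNet eToken, then verify both signatures.
$ErrorActionPreference = 'Stop'

$Thumbprint   = 'REPLACE_WITH_CERT_THUMBPRINT'     # placeholder: SHA-1 thumbprint of the EV cert
$TimestampUrl = 'http://timestamp.example.invalid'  # placeholder: your CA's timestamp service URL
$Target       = '.\Setup.exe'

# The SafeNet client publishes the EV certificate into CurrentUser\My; HasPrivateKey
# is true even though the key itself is non-exportable and never leaves the token.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint -and $_.HasPrivateKey }
if (-not $cert) { throw "EV certificate $Thumbprint not found or its key is unavailable" }

# 1) Primary SHA-1 signature with a legacy Authenticode timestamp (/t), kept for
#    older Windows versions that cannot validate SHA-256 signatures.
& signtool sign /v /sha1 $Thumbprint /fd sha1 /t $TimestampUrl $Target
if ($LASTEXITCODE -ne 0) { throw 'SHA-1 signing failed' }

# 2) Append (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr, /td).
#    Each signtool call asks the SafeNet CSP to sign, so the token password prompt
#    appears here: that prompt is the something-you-know factor.
& signtool sign /v /as /sha1 $Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $Target
if ($LASTEXITCODE -ne 0) { throw 'SHA-256 signing failed' }

# 3) Verify every signature in the file (/all) against the default Authenticode policy (/pa).
& signtool verify /pa /all /v $Target
if ($LASTEXITCODE -ne 0) { throw 'Signature verification failed' }

# 4) Cross-check from PowerShell. Get-AuthenticodeSignature reports only the primary
#    signature, which is why signtool verify /all is run above.
$sig = Get-AuthenticodeSignature $Target
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
    throw "Unexpected signer or status: $($sig.Status)"
}
"Dual signature OK: $($sig.SignerCertificate.Subject)"
```

Some CAs serve the legacy Authenticode and RFC 3161 timestamp protocols at different URLs; use the endpoints your CA publishes for each.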

UPS Package
SafeNet eToken 5110 CC (940)
SafeNet Authentication Client
Token Info
Preinstalled EV Code Signing Private Key
Dual Signature on Setup.exe using EV Code Signing Certificate
WUSON Practice Field (WPF)
