Code Signing Certificates from Sectigo / InCommon

A knowledge base article about Code Signing Certificates from Sectigo / InCommon provided by the UC Berkeley IT Service Hub - Knowledge Portal

Code signing certificates may be requested from Sectigo / InCommon.  The process differs depending on whether you are a departmental certificate manager or an individual requesting a single certificate.

Prerequisites

Delivery Method

Before requesting a code signing certificate, please be aware that InCommon only supports the option where you generate a CSR using a hardware security module (HSM).  InCommon does not support Sectigo's option where the key is generated by Sectigo and sent to you on physical media.  You may purchase a code signing certificate on physical media.

Sectigo supports a limited number of FIPS-compliant HSMs that you can use to generate your own private key and certificate signing request (CSR).

Supported HSMs

Currently the only supported HSMs are:

  1. YubiKey 5 FIPS Series

Key Attestation

The CA/Browser Forum (CAB Forum) now requires that key attestation be performed to prove that your private key was generated in a suitable HSM.

Certificate Requests

For Departmental Certificate Managers

  1. Send an email to calnet-admin@berkeley.edu requesting that the code signing enrollment form be delegated to your department.
  2. Follow steps 1 and 2 in the InstantSSL KnowledgeBase article to generate the key pair, the CSR, and the key attestation certificate.  Stop at step 3.

    Note:  The InstantSSL article does not include instructions for producing the properly formatted attestation file on macOS (OS X).  You can run the following to generate it:

    cat attestation.crt yubikey_intermediateCA.crt > attestation.pem
    base64 < attestation.pem > attestation.b64

  3. Log into the Certificate Manager.
  4. Navigate to Certificates > Code Signing Certificates.
  5. Select the option to send an invitation.
  6. Enter your email address, or the email address of a SPA.  Validate that you see your department / org under the Account field.
  7. Click Send.  You will receive an email asking you to follow a link to complete email verification.  You will then be directed to the certificate enrollment form.
  8. Your department should already be filled in.
  9. Complete the Code Signing Enrollment form referring to the following table:
    Field              Description
    Certificate email  Your email address or a SPA
    First name         Your first name
    Last name          Your last name
    CSR                PEM format CSR. PEM header/footer lines are required.
    Key Attestation    Contents of the attestation.b64 or attestation.pem file from the previous steps for your platform.
    HSM type           Luna or YubiKey
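As an added example (not part of the InstantSSL article or this knowledge base), the script below performs the two commands from the macOS note for either enrollment form and adds the checks a certificate manager would want before pasting the Key Attestation value: that attestation.crt chains to yubikey_intermediateCA.crt, and that the CSR carries the same public key the attestation certificate attests to.  The file names attestation.crt, yubikey_intermediateCA.crt and request.csr are assumptions, and the self-test fixtures are constructed with openssl to stand in for real YubiKey output.

```shell
#!/bin/sh
# Added example, not part of the InstantSSL or Berkeley instructions. Builds the
# Key Attestation value for the enrollment form and sanity-checks the inputs.
# Assumed file names: attestation.crt (attestation certificate exported from the
# YubiKey slot), yubikey_intermediateCA.crt (that YubiKey's attestation
# intermediate) and request.csr (the CSR made with the same slot). Needs openssl.
set -eu

# The attestation certificate must chain to the YubiKey's attestation
# intermediate; -partial_chain lets that intermediate act as the trust anchor.
verify_attestation_chain() {   # $1 attestation cert, $2 intermediate cert
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key inside a CSR ("req") or cert ("x509").
pubkey_fingerprint() {   # $1 req|x509, $2 file
  openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# The CSR must be for the very key the attestation certificate attests to;
# otherwise the attestation says nothing about the key being certified.
csr_matches_attestation() {   # $1 csr, $2 attestation cert
  [ "$(pubkey_fingerprint req "$1")" = "$(pubkey_fingerprint x509 "$2")" ]
}

# Concatenate leaf + intermediate into <prefix>.pem and Base64-encode that file
# as one line into <prefix>.b64; openssl base64 -A behaves the same on macOS
# and Linux, unlike the platform base64 tools' differing line wrapping.
build_attestation_bundle() {   # $1 csr, $2 attestation cert, $3 intermediate, $4 output prefix
  verify_attestation_chain "$2" "$3" || { echo "attestation cert does not chain to the intermediate" >&2; return 1; }
  csr_matches_attestation "$1" "$2" || { echo "CSR public key differs from the attested key" >&2; return 1; }
  cat "$2" "$3" > "$4.pem"
  openssl base64 -A -in "$4.pem" -out "$4.b64"
  echo >> "$4.b64"
}

# Constructed self-test fixtures: a fake intermediate plus a slot key signed by
# it, standing in for the YubiKey files. This is not real Yubico material.
make_test_fixtures() {   # $1 directory
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/inter.key"
  openssl req -x509 -new -key "$1/inter.key" -subj "/CN=Fake Attestation Intermediate" -days 1 -out "$1/yubikey_intermediateCA.crt"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/slot.key"
  openssl req -new -key "$1/slot.key" -subj "/CN=Fake Slot Attestation" -out "$1/slot.csr"
  openssl x509 -req -in "$1/slot.csr" -CA "$1/yubikey_intermediateCA.crt" -CAkey "$1/inter.key" \
    -set_serial 1 -days 1 -out "$1/attestation.crt" 2>/dev/null
  openssl req -new -key "$1/slot.key" -subj "/CN=Code Signing Request" -out "$1/request.csr"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.key"     # never attested
  openssl req -new -key "$1/other.key" -subj "/CN=Wrong Key" -out "$1/wrong.csr"
}
```

Run it against the real files as `build_attestation_bundle request.csr attestation.crt yubikey_intermediateCA.crt attestation`; the resulting attestation.b64 is what the Key Attestation field takes, and a mismatched CSR is refused before anything is written.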

For Individuals

  1. Send a ticket to calnet-admin@berkeley.edu requesting a code signing certificate invitation.
  2. Once your ticket is processed you will receive a link from Sectigo. IMPORTANT: Open the link by right-clicking and selecting to open the link in a private/incognito browser window.
  3. Complete the Code Signing Enrollment form referring to the following table:

    Field              Description
    Certificate email  Your email address or a SPA
    First name         Your first name
    Last name          Your last name
    CSR                PEM format CSR. PEM header/footer lines are required.
    Key Attestation    Contents of the attestation.b64 file from the previous steps. The file must be Base64 encoded. PEM header/footer lines must NOT be included.
    HSM type           Luna or YubiKey