GlobalSign HSM Device for EV Code Signing

Sorry - this is a non-JUCE, off-topic question.

I am currently in the process of ordering a new EV certificate.

What kind of local device do I need if I use the HSM option for code signing?

Is the “YubiKey 5 FIPS Series” kind of thing a proper device? (The GlobalSign support team doesn’t seem to be able to give me a proper answer.) I am currently using the SafeNet e-token which I got from GlobalSign.

(I’m currently not talking about a server-based solution, like an Azure-based solution.)

If you can help me with this, I would be very grateful.

1 Like

I use GlobalSign and they sent me a hardware USB dongle to connect to my local signing machine. If you prefer to use a 3rd party dongle, I’m not sure how to do that.

Yes, this is what I use too.

Now, if you order a certificate you have two options (besides the normal and the EV option): you can order with HSM or the traditional e-token from SafeNet (without HSM).

But even if you order the non-HSM option with EV, you have to select this option in order to proceed:

“I will use a FIPS140-2 device to generate Private Key for my Normal Code Signing or EV Code Signing certificate.”

I have asked support which devices I should use, but I get no answer; instead I am redirected to the sales team, who also do not answer.

:smiling_face_with_tear:

I have used the GlobalSign USB dongle to sign my Windows device driver for Microsoft WHQL.
The dongle is detected as a standard smart card, and with the help of the SafeNet client the normal signing process in Windows was no problem.
Before signing, it makes sense to transfer the certificate with the SafeNet client to the local certificate store.

When the MS sign program is running, a dialog pops up and you must enter the password for the dongle.

So I mean, the best and shortest way is to use the dongle from GlobalSign. By the way, the dongle works in Linux too. It is a smart card, and SafeNet has a client for Linux.

elli
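
The signing flow described in the post above, as an added example that is not the poster's own script: it picks the code-signing certificate the token client has published to the user store, signs with it, and then checks the signer and timestamp on the result. It assumes `signtool.exe` from the Windows SDK is on `PATH`; `$FilePath` and `$TimestampUrl` are hypothetical parameters you supply (the thread does not name a timestamp server).

```powershell
# Added example, not from the thread. Assumes signtool.exe (Windows SDK) is on PATH.
param(
    [Parameter(Mandatory)] [string] $FilePath,      # file to sign (hypothetical, e.g. .\MyDriver.sys)
    [Parameter(Mandatory)] [string] $TimestampUrl   # your CA's RFC 3161 timestamp URL (not given on this page)
)
$ErrorActionPreference = 'Stop'

# Code-signing certificates in the user store that are linked to a private key
# (held on the token) and are inside their validity period.
$now = Get-Date
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })

if ($certs.Count -eq 0) {
    throw 'No usable code-signing certificate found. Is the token plugged in and the certificate copied to the store?'
}
if ($certs.Count -gt 1) {
    $certs | Format-Table Thumbprint, Subject, NotAfter | Out-String | Write-Warning
    throw 'More than one candidate certificate; remove the stale ones or select one by thumbprint.'
}
$cert = $certs[0]

# Select by thumbprint so signtool cannot silently pick another certificate.
# The token client shows its password dialog during this call.
& signtool.exe sign /sha1 $cert.Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Check the result independently of signtool's own output.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) { throw 'File was signed with an unexpected certificate.' }
if (-not $sig.TimeStamperCertificate) { throw 'Signature carries no timestamp; it stops validating when the certificate expires.' }

"Signed {0} with {1}, valid until {2:yyyy-MM-dd}" -f $FilePath, $cert.Subject, $cert.NotAfter
```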

I had a phone call with GlobalSign. My understanding is that calling FIPS 140-2 a device is misleading. It is rather a standard, and the client software that is used to access the dongle qualifies as a FIPS 140-2 compliant device.

FWIW, I got the dongle here running with no additional hardware required.

1 Like