
Code Signing Certificate Maximum Validity Period Changes to 460 days


Lois, February 8 2025

Primarily driven by the Certificate Authority Browser Forum (CA/B Forum), which sets industry standards for digital certificates, the maximum validity period for a Code Signing Certificate will be shortened from 39 months (approximately 3 years) to 460 days (around 14 months). The change takes effect on June 15th, 2025.

Why the changes?

Improved Security: Shorter certificate lifespans reduce the risk of private key compromise and misuse.

Encouraging Best Practices: Developers are prompted to adopt modern cryptographic standards and more secure key management practices.

Alignment with Industry Trends: Google announced plans to reduce the maximum validity period for publicly trusted TLS/SSL certificates from 398 days to 90 days.

What's the impact?

Existing Certificates: All current code signing certificates that have 39 months validity will remain valid until their expiration date. Any renewal after June 15th 2025 will need to comply with the new validity.

New and Renewed Certificates: For GlobalSign code signing certificates, from February 28th 2025, any newly issued code signing certificate will be subject to a maximum validity of 460 days.

Certificate Reissuances: Any code signing certificate with 2 or 3 years validity issued on or before February 28th 2025 can be reissued with its existing validity until 30th May 2025. After that, reissuances will be subject to the new validity of 460 days.

Impact on Developers and Organizations

1. More Frequent Certificate Renewals: Developers and organizations must renew their code signing certificates more frequently, which may require additional planning and resources.

2. Key Management: Use Hardware Security Modules (HSMs) or other secure key storage solutions to protect private keys. Rotate keys regularly to comply with industry best practices.

3. Automation: Consider using automated tools to manage certificate issuance, renewal, and deployment processes, reducing the administrative burden.

4. Cost Implications: More frequent renewals may lead to increased costs over time, so organizations should budget accordingly.

What Should You Do?

Check Certificate Expiry Dates: If your code signing certificate was issued before the effective dates mentioned above, it may still have a longer validity period (e.g., 3 years). Plan for its renewal before it expires.

Prepare for Shorter Validity Periods: For certificates issued after the effective dates, ensure your processes are aligned with the new 460-day validity period.

Stay Informed: Keep up with updates from your Certificate Authority (CA) and the CA/Browser Forum to stay compliant with industry standards.
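
The following added example, which is not part of the original article or any CA's tooling, applies the expiry check above to the text that `openssl x509 -noout -subject -dates` prints: it flags certificates issued with a validity longer than the new 460-day cap and those close to expiry. The sample certificates and the 60-day renewal window are constructed assumptions.

```python
import re
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 460   # new cap stated in the article
RENEWAL_LEAD_DAYS = 60    # assumption: planning window, not from the article

# Constructed sample: `openssl x509 -noout -subject -dates` output for two
# hypothetical certificates, concatenated into one inventory.
SAMPLE = """\
subject=CN = Example Build Signing (constructed)
notBefore=Mar  4 00:00:00 2024 GMT
notAfter=Jun  3 23:59:59 2027 GMT
subject=CN = Example Release Signing (constructed)
notBefore=Jul  1 00:00:00 2025 GMT
notAfter=Oct  3 23:59:59 2026 GMT
"""

def parse_openssl_date(value):
    # openssl prints e.g. "Mar  4 00:00:00 2024 GMT"; the time is UTC
    value = re.sub(r"\s+GMT$", "", value.strip())
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_inventory(text):
    certs, current = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            current = {"subject": value.strip()}
            certs.append(current)
        elif key in ("notBefore", "notAfter") and current is not None:
            current[key] = parse_openssl_date(value)
    # Drop entries with a missing date instead of guessing one
    return [c for c in certs if "notBefore" in c and "notAfter" in c]

def assess(cert, today):
    days_left = (cert["notAfter"] - today).days
    validity = (cert["notAfter"] - cert["notBefore"]).days
    if days_left < 0:
        status = "expired"
    elif days_left <= RENEWAL_LEAD_DAYS:
        status = "renew-now"
    else:
        status = "ok"
    return {"subject": cert["subject"], "validity_days": validity,
            "days_left": days_left, "status": status,
            "longer_than_new_cap": validity > MAX_VALIDITY_DAYS}

if __name__ == "__main__":
    for cert in parse_inventory(SAMPLE):
        print(assess(cert, datetime.now(timezone.utc)))
```

A certificate reported with `longer_than_new_cap` set will be replaced by one that lasts at most 460 days, so its next renewal arrives sooner than the current one did.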

To Be Prepared

The reduction in the validity period for code signing certificates is a proactive measure to enhance software security and protect users from malicious conduct. While it may require adjustments to your workflows, the long-term benefits of improved security and trustworthiness far outweigh the initial challenges.

Last but not least: Code Signing Certificates Issuance Requirements

In accordance with the latest baseline requirements set by the CA/Browser Forum, as of June 1, 2023, the private keys of newly issued OV (Organization Validation) code signing certificates must be generated and stored on secure hardware devices that meet or exceed FIPS 140-2 level or Common Criteria EAL4+ standards.

Please refer to the following NicSRS knowledge base article to better understand Code Signing certificates.

https://www.nicsrs.com/blog/new-issuance-requirements-for-ov-code-signing-certificates-how-will-cas-comply

If you have further questions or need assistance with managing your code signing certificates, consult our team for prompt support.
