Code signing usb tokens

Did you buy direct from them or via a reseller?

I contacted Sectigo and they said this (last week)

We send out a Yubikey USB token with each Code Signing certificate.

But some resellers have said they send out Safenet - but the responses I have so far have been vague or ambiguous. When it comes to renewal and you want to use your existing token, Sectigo say if you use your own hardware

you must have one of the following devices:
• Yubikey 5 FIPS
• LUNA Network Attached HSM, version 7+

Confused much :man_shrugging:

Stupid emails as well.

Our current certificate expires 10am tomorrow and this email just arrived:-

I ended up purchasing a 3yr OV certificate (EV seems like a waste to me) from GoGetSSL.com which was substantially cheaper (USD$730 including $120 shipping - better come wrapped in a vault!) than anywhere else - turns out they are owned by Digicert and once you order they create an account for you on Digicert and the request process is done on the Digicert site.

Fingers crossed now that the correct token kind arrives - once I get past the validation stage!

Our Digicert token arrived today. Basically a blue USB device, looks like a memory stick, and has a blue light on the top

Started the DigiCertHardwareCertificateInstaller, after installing the driver.

Tells you a token has been found, checked the ‘Re-initialize my token’ box

After the token password it prompts for an ‘Administrator’ password, or ‘use factory default’. Didn’t seem to be able to set an administrator password, said ‘Your Token password is incorrect’, so went back and started again accepting the factory default. Then everything completed as expected.

Nothing appeared to be any different on the computer, i.e. no USB drives or anything.

Firing up DigiCertUtil and the new certificate was available for use.

After you sign the first file it prompts for the token password before signing, it only prompts once per session.

Much easier procedure than in previous years.

Still waiting for Digicert to actually do something on their end - I have not had any calls or verification requests or any communication from them. The order still says pending validation - they don’t seem to be in any hurry considering how much money they charge for this gold plated service.

Might want to engage with their online chat.

They often seem to wait on ‘intangibles’

Second time using their chat, managed to get them to call me - apparently waiting on their anti-malware team to check if I am a distributor of malware :man_shrugging: - anyway seems like that may have progressed things a little.

It feels a bit like trying to deal with bigpond on the phone in the early 2000’s :roll_eyes:

Much chat and 2 calls later, I got past the security theatre part and apparently the certificate has been issued - now just have to wait for it to arrive.

Just to close off this topic, my OV cert/token arrived from Digicert today. It’s a Safenet eToken 5110+ FIPS token - phew - I was able to sign files from FinalBuilder as I outlined before in my blog post.
