I recently acquired a code signing certificate for my employer, but I am not the InstallShield developer who will sign the binaries before distribution. I know I can export the certificate along with its private key, but where do I store it so the InstallShield developer can install it on his machine? Should I remove it from my machine once I give it to the person doing the signing? Where do I store the master copy? Obviously, source control is not the best place, unless I lock down that directory in SVN.
Enforce Security Policies for Private Keys
Remember: a private key in conjunction with released signed binaries is your company’s identity. Policies for handling such keys can’t be strict enough.
Enforce that YOU are the only person in your company who will be capable (and responsible) of signing executables.
If this is not an option then let all PKI-involved employees sign an explicit non-disclosure agreement with a high fine – a much higher sense of responsibility should be the result.
Key Transfers
Storage of the Master Copy
Store the master copy redundantly on at least 3 drives at different geographical locations to which you have exclusive access. Also think about encrypting the copies with strong encryption algorithms like AES-256 (in a 7z file for example).
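One way to produce such encrypted, redundant master copies on the Windows machine the question describes, as an added example that is not part of the answer above: export the private key once into an AES-256-protected PFX and write hash-verified copies to several destinations. The thumbprint and destination paths are placeholders, and the `-CryptoAlgorithmOption AES256_SHA256` switch assumes Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the question or answer): one export of the signing key
# into an AES-256-protected PFX, then hash-verified copies as master copies.
# Assumptions: the thumbprint value and destination paths are made-up placeholders.
param(
    [Parameter(Mandatory)] [string]   $Thumbprint,    # e.g. '<THUMBPRINT-PLACEHOLDER>'
    [Parameter(Mandatory)] [string[]] $Destinations   # e.g. 'D:\keys', '\\vault\keys', 'F:\offsite'
)

$ErrorActionPreference = 'Stop'
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

# Strong passphrase entered interactively; never hard-code it or commit it to source control.
$pw = Read-Host -Prompt 'PFX passphrase' -AsSecureString

$pfx = Join-Path $env:TEMP 'codesign-master.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# Record the SHA-256 so every stored copy (and any copy handed to the signer) can be verified later.
$hash = (Get-FileHash -Path $pfx -Algorithm SHA256).Hash
Set-Content -Path "$pfx.sha256" -Value "$hash  $(Split-Path $pfx -Leaf)"

foreach ($dest in $Destinations) {
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path $pfx, "$pfx.sha256" -Destination $dest
    $copyHash = (Get-FileHash -Path (Join-Path $dest 'codesign-master.pfx') -Algorithm SHA256).Hash
    if ($copyHash -ne $hash) { throw "Copy at $dest does not match the export (hash mismatch)." }
    Write-Host "Verified master copy at $dest"
}

# Remove the temporary working copy; the destinations now hold the master copies.
Remove-Item -Path $pfx, "$pfx.sha256"
```

The PFX is only as strong as the passphrase, so the passphrase should be stored separately from the drives that hold the copies.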