Site icon SSL.com

Bring Your Own Auditor (BYOA) Guide for Code Signing and Document Signing Certificates

SSL.com allows customers who are requesting Code Signing or Adobe Approved Trust List (AATL) Document Signing certificates to use an independent qualified auditor of their choice to attest that the customer’s private key was generated and is stored securely in a compliant Hardware Security Module (HSM). This process is known as “Bring Your Own Auditor” (BYOA).

With BYOA, the customer provides SSL.com with:

This guide details the BYOA process, auditor requirements, key ceremony guidelines, and provides a form letter template for the auditor attestation.

Auditor Requirements and Approval

To perform the BYOA attestation, the independent auditor must be pre-approved by SSL.com. SSL.com evaluates auditors based on the following criteria:

If a customer’s preferred auditor is not already approved, the auditor can submit their qualifications to SSL.com for review against these criteria. SSL.com maintains a public list of pre-approved auditors for customers’ reference.

Key Generation Ceremony Guidelines

For the BYOA process, the auditor must witness the Key Generation Ceremony and confirm the following in their signed attestation letter:

SSL.com provides guidance on ceremony preparations, a detailed ceremony script, and the auditor attestation letter template to ensure all requirements are met.

Subscriber Obligations

As part of the BYOA process, SSL.com must obtain a contractual representation from the Subscriber that they will use one of the following methods to generate and protect their Code Signing Certificate private keys in a hardware crypto module with a design certified to at least FIPS 140-2 Level 2:

Auditor Attestation Letter Template

SSL.com provides a template for the auditor’s attestation letter detailing the key points that must be addressed. The template is available for download here.

The auditor attestation letter must be signed by the auditor performing the ceremony witness. Submissions without signatures or from auditors not approved by SSL.com will be rejected.

In addition to the attestation letter, the auditor must complete the BYOA Form Letter, which can be downloaded here.

Conclusion

The BYOA process allows SSL.com customers to utilize an auditor of their choice for key generation attestation, providing more flexibility compared to CA-managed attestation, while still upholding the security standards required for Code Signing and Document Signing certificates through rigorous auditor vetting and ceremony criteria.

Customers interested in BYOA for their Code Signing or Document Signing certificate needs should ensure their selected auditor meets SSL.com’s qualification criteria and is approved before proceeding. SSL.com’s validation team is available to answer any questions and provide guidance throughout the BYOA preparation and execution process.

For more information or to initiate the BYOA process, please contact SSL.com support at support@ssl.com.

Exit mobile version