Vincent Parrett, posted August 25, 2023:
I ended up purchasing a 3yr OV certificate (EV seems like a waste to me) from GoGetSSL.com which was substantially cheaper (USD$730 including $120 shipping - better come wrapped in a vault!) than anywhere else - turns out they are owned by DigiCert and once you order they create an account for you on DigiCert and the request process is done on the DigiCert site.
Vincent Parrett, posted September 4, 2023:
Received my new OV token from DigiCert today - it is a SafeNet 5110+ FIPS token (thankfully) and I am able to automate signing with it 😅 I spent some time messing with a self-signed certificate on a YubiKey token over the last week, but cannot for the life of me figure out how to get it to sign without prompting for a password. This was just an experiment with the YubiKey (which I already had for other purposes).
rdtsc, posted December 22, 2023:
Quote: "FYI - Safenet good (can automate), YubiKey bad (password prompts cannot be avoided)."
I'm surprised to see this sentiment. My impressions go in the opposite direction. Stack Overflow posts about SafeNet tokens range from auto-typing the password into the GUI via AutoIt to undocumented parameters gained from reverse engineering the driver. Coupled with proprietary software not directly available from the vendor. All in all this sounds terrible. On the other hand the YubiKey libraries are open-source and automated signing via PKCS#11/PIV is easy. I've recently implemented this via Windows' SignerSignEx3 -> callback to sign the computed hash -> sign via OpenSSL + PKCS#11 provider + PKCS#11 YubiKey library, and the PIN can be provided as a provider option. I did this with OpenSSL primarily so that I could move the actual signing (as opposed to Authenticode hash computation) to a different machine running Linux. One disadvantage of the YubiKey is that it doesn't support RSA keys with >2048 bits; not enough for code signing anymore, so you have to use ECDSA. There are certain signature schemes that don't support ECDSA (like NuGet).
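The split described in the post above (hash computed on the Windows build machine, only the digest sent to a separate machine that holds the key) is easy to get subtly wrong, so here is an added example of the pattern in Go. It is not rdtsc's code and does not use SignerSignEx3 or a real PKCS#11 token: a software ECDSA P-384 key stands in for the YubiKey, and the "Windows side" is a plain SHA-256 over a constructed byte string rather than the Authenticode hash of a PE file. What it does show is the boundary (the signer never sees the data or hands out the key), the digest-length check a remote signer should enforce, and the key-size rule the post alludes to (RSA must be at least 3072 bits for code signing; ECDSA P-256/P-384 is the alternative). The names `ComputeDigest`, `RemoteSigner` and `KeyAcceptableForCodeSigning` are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ComputeDigest is the "Windows side": it hashes the data to be signed and
// returns only the digest. In the real flow this would be the Authenticode
// hash that SignerSignEx3 hands to its callback; here it is a plain SHA-256.
func ComputeDigest(data []byte) []byte {
	d := sha256.Sum256(data)
	return d[:]
}

// RemoteSigner stands in for the Linux machine holding the token. Only a
// fixed-size digest crosses the boundary; the private key never leaves it.
type RemoteSigner struct {
	key *ecdsa.PrivateKey
}

// NewRemoteSigner generates a software P-384 key as a stand-in for the
// key slot on the hardware token (assumption for this example).
func NewRemoteSigner() (*RemoteSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &RemoteSigner{key: key}, nil
}

// SignDigest signs a precomputed SHA-256 digest. A remote signer should
// refuse anything that is not exactly one digest long: accepting arbitrary
// input would turn it into a general-purpose signing oracle.
func (s *RemoteSigner) SignDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, fmt.Errorf("expected a %d-byte SHA-256 digest, got %d bytes", sha256.Size, len(digest))
	}
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// Public returns the verification key (what ends up in the certificate).
func (s *RemoteSigner) Public() crypto.PublicKey {
	return &s.key.PublicKey
}

// VerifyDetached recomputes the digest from the original data and checks
// the detached signature against it.
func VerifyDetached(pub crypto.PublicKey, data, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(ecPub, ComputeDigest(data), sig)
}

// KeyAcceptableForCodeSigning encodes the constraint from the post: RSA keys
// of 2048 bits or less are no longer accepted for code signing (3072 is the
// floor), so a token that cannot hold larger RSA keys has to use ECDSA.
func KeyAcceptableForCodeSigning(pub crypto.PublicKey) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 3072 {
			return fmt.Errorf("RSA key is %d bits; code signing needs at least 3072", k.N.BitLen())
		}
		return nil
	case *ecdsa.PublicKey:
		switch k.Curve {
		case elliptic.P256(), elliptic.P384():
			return nil
		}
		return fmt.Errorf("unsupported curve %s", k.Curve.Params().Name)
	}
	return errors.New("unsupported key type")
}

func main() {
	signer, err := NewRemoteSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for the bytes of a PE file.
	artifact := []byte("MZ... constructed sample executable contents ...")
	sig, err := signer.SignDigest(ComputeDigest(artifact))
	if err != nil {
		panic(err)
	}
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("verifies:", VerifyDetached(signer.Public(), artifact, sig))
	fmt.Println("key policy:", KeyAcceptableForCodeSigning(signer.Public()))
}
```

The digest-length check in `SignDigest` is the part worth carrying over to a real PKCS#11-backed signer: the signing host should accept only a digest of the expected algorithm and size from the build host, and ideally also log which build job requested each signature, since the PIN being supplied non-interactively means the token no longer acts as a human gate.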