PKI Proxy and Code Signing Best Practices

PKI Proxy allows you to remotely sign code, documents, and drivers using your own keys via a secure API. PKI Proxy is an intermediary between the signing application and the certificate store and does not issue, maintain, or export certificates. PKI Proxy is designed to be secure, but meeting the best practice recommendations in the PKI Consortium's "Code Signing Whitepaper" are primarily the responsibility of the customer.

Minimize access to private keysAccess to keys via PKI Proxy is an allowlist that is maintained by customers. PKI Proxy only accesses the shared private keys when necessary and never exports the keys in plain or encrypted form.
Protect private keys with cryptographic hardware productsPKI Proxy can access certificate stores, USB tokens, or HSMs. It is up to the customer to select their preferred technology with this recommendation and current certificate requirements in mind.
Time-stamp codeTime stamps are controlled by the code-signing application; PKI Proxy is agnostic of this operation.
Understand the difference between test-signing and release-signingPKI Proxy enables administrators to establish hard boundaries between the test and release certificates, whether by hosting the certificates on different systems or using dedicated user credentials for each.
Authenticate code to be signedThe end user determines what is being signed. PKI Proxy does log evidence of all signing operations for incident-response purposes.
Virus scan code before signingThis is entirely up to the customer. Please note that these recommendations were released in 2016 and since then other types of malicious code injections have emerged. We recommend using a code scanning tool with coverage for more than viruses.
Do not over-use any one keyPKI Proxy will let the user share any number of the certificates to any number of configured KeyId/KeySecret pairs. Customers should decide whether to delineate logins and certificates by developer, by environment, or a combination of factors.

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at