Fortanix and Sectigo partnership helps enterprises uplevel software supply chain security

Oct. 22, 2024
The new collaboration automates the issuance of code signing certificates, enabling enterprises to accelerate, scale, and secure rapid development processes.

Fortanix, Inc. today announced a new partnership with Sectigo, enabling enterprises to secure their software supply chain by automating the issuance of code-signing certificates. The partnership gives enterprises a fast, scalable solution to automate and control their urgent and ballooning need to create, track, and attest private key security without slowing down developer workflows.

Businesses rely on public key infrastructure (PKI) and certificates to secure their CI/CD pipelines by certifying the integrity and origin of code at each stage of development, a practice known as code signing. This process is necessary to ensure a high level of security, but its time-consuming nature often disrupts developer workflows and stifles innovation. The Fortanix and Sectigo partnership addresses this by enabling enterprises to automate and scale the security of their digital supply chains with purpose-built platforms that meet modern business needs.

Specifically, Sectigo now accepts Fortanix key provenance attestations with a code signing request (CSR), proving that private keys are created and stored in a hardware security module (HSM), a requirement from the Certificate Authority/Browser Forum as of 2023.

“Fortanix, like Sectigo, has built its services for automation, which is the only way for enterprises to truly scale and secure their CI/CD pipelines,” said Anand Kashyap, CEO and co-founder of Fortanix. “Security and speed are two elements that help separate dev teams from the competition, and this partnership delivers both.”

“We're thrilled to work with Fortanix and help modern enterprises scale their secure code signing and bring operations to the next level,” said Nick France, chief technology officer at Sectigo. “Enabling the Sectigo Certificate Manager to cryptographically verify that joint customers use a FIPS-validated hardware security module for their private keys is a game-changer that impacts the entire software development lifecycle.”

Benefits of this new partnership include:

  • Verifiable trust. Certificates issued by an authority such as Sectigo can be validated through digital signatures, which can only be trusted if the associated private key is deemed to be stored as securely as possible.
  • Enhanced peace of mind. Meets CA/Browser Forum mandates that certificate requestors generate, store, and use private keys with a FIPS 140-2 Level 3 validated HSM, which must be able to cryptographically attest that the private key indeed is hosted on such secure hardware.
  • A purpose-built platform. The Fortanix unified data security platform was built from the ground up to secure and manage enterprises’ most valuable secrets with Confidential Computing technology. Adding Sectigo Certificate Manager platform capabilities automates the attestation verification and certificate issuance process.

For more information on the Fortanix-Sectigo partnership, visit https://www.fortanix.com/partners.