{"id":1039,"date":"2023-06-07T12:21:04","date_gmt":"2023-06-07T12:21:04","guid":{"rendered":"https:\/\/certerassl.com\/blog\/?p=1039"},"modified":"2023-10-12T10:55:05","modified_gmt":"2023-10-12T10:55:05","slug":"create-code-signing-certificate-using-key-storage-provider","status":"publish","type":"post","link":"https:\/\/certera.com\/blog\/create-code-signing-certificate-using-key-storage-provider\/","title":{"rendered":"Create Code Signing Certificate using the Key Storage Provider"},"content":{"rendered":"\n

The following procedure will demonstrate how to generate a Code Signing Certificate request using a key generated and stored in the YubiHSM 2 using the Key Storage Provider (KSP). You can use the Microsoft “signtool tool” to digitally certify Windows binaries with this code signing certificate.<\/p>\n\n\n\n

Let’s take a closer look at the foundational concepts covered in this article before we start the procedure.<\/p>\n\n\n\n

Code Signing Certificate:<\/h2>\n\n\n\n

Software developers securely and digitally sign software programs, drivers, executables, and apps using Code Signing. This assures end users that an unauthorized party has not tampered with or compromised the code they obtain.<\/p>\n\n\n\n

A Code Signing Certificate<\/a> provides a digital signature to a piece of software, verifying its authenticity and enabling the detection of any modifications made to the code. A software publisher certificate or a Code Signing Certificate enables the security of the software and prevents unauthorized access.<\/p>\n\n\n\n

YubiHSM 2:<\/h2>\n\n\n\n

YubiHSM 2 FIPS is a cryptographic hardware security module designed for server usage. It finds extensive usage in creating, protecting, and maintaining cryptographic keys that secure sensitive information, identities, and applications. It not only minimizes risk but also ensures compliance with regulations.<\/p>\n\n\n\n

With High quality, Rapid Integration, and Easy Management, the YubiHSM SDK 2.0 is currently available as open source; organizations can quickly and simply add support for the secure HSM to a variety of platforms and systems for both present and future use cases where robust security is essential more than ever.<\/p>\n\n\n\n

Key Storage Provider (KSP):<\/h2>\n\n\n\n

Key Storage Providers (KSP) enable to storage and retrieval of keys. For instance, if you would like to generate a new private key for your certificate authority (CA) and add the Microsoft Active Directory Certificate Services (AD CS) role to your Windows server, you could select the KSP that manages key storage.<\/p>\n\n\n\n

A wide variety of storage options, including hardware-based storage devices, cloud-based storage, and software-based solutions, are frequently provided by key storage providers. To further secure the private keys, they might additionally provide extra security measures like multi-factor authentication and encryption.<\/p>\n\n\n\n

Steps to create a Code Signing Certificate using the Key Storage Provider<\/h2>\n\n\n\n

In this illustration, we’ll make use of the command-line certreq utility<\/strong>. If you want a UI experience, you can access all the methods described here using the Certificate Manager (certmgr.msc<\/strong>) MMC snap-in.<\/p>\n\n\n\n

Configure the Key Storage Provider<\/h3>\n\n\n\n

Generally, the KSP will make use of slot 1’s factory authentication key. First Configure the KSP with the required key ID and password if usage of a different authentication key is requested or the factory authentication key is no longer valid.<\/p>\n\n\n\n

It should be noted that the specified authentication key has at least one of the capacities that follow: generate-asymmetric-key, sign-pkcs, & delegated capability sign-pkcs. Add the exportable under-wrap delegated capability if you would like the created key to be exportable.<\/p>\n\n\n\n

Example of Authentication Key<\/h3>\n\n\n\n

Generate a new authentication key that can produce exportable asymmetric keys using KSP.<\/p>\n\n\n\n

yubihsm> put authkey 0 0 \"GenerateKey\" 1 generate-asymmetric-key,sign-pkcs sign-pkcs,exportable-under-wrap password\nStored Authentication key 0x0e32<\/code><\/pre>\n\n\n\n
Generate the Certificate Request Configuration file<\/h2>\n\n\n\n
To define your request, you must provide a.inf<\/strong> file as input to the certreq<\/strong> utility.<\/p>\n\n\n\n
Generate a certificate request file.<\/h3>\n\n\n\n
Pass the certificate request configuration file to certreq as the input file argument after you’ve finished creating it, for example:<\/p>\n\n\n\n
certreq -new sign.inf sign.req<\/code><\/pre>\n\n\n\n
Sign\/authenticate the Certificate Request<\/h3>\n\n\n\n
The certificate request in the previous instance was written to sign.req. Grab the file & submit your CA with its contents for signature. Once the file has been signed, install the certificate in the personal store by opening it (for example, sign.crt).<\/p>\n\n\n\n
Sign utilizing Signtool<\/h3>\n\n\n\n
Make use of the following command to sign your binary after opening a prompt with signtool in the path.<\/p>\n\n\n\n
> signtool sign <binary name><\/code><\/pre>\n\n\n\n
It can be required to determine your code signing certificate with hash if you have many certificates available. If this happens, the signtool will display valid certificates list. Just restart the sign tool using the certificate’s sha1 hash:<\/p>\n\n\n\n
> signtool sign \/sha1 <certificate hash> <binary name><\/code><\/pre>\n\n\n\n
It might be necessary to manually hook the certificate to the private key while importing the certificate for the very first time on a new machine. As Windows doesn’t instantly create a connection between the key and the certificate since they are not stored together.<\/p>\n\n\n\n
Make use of certutil utility offered by Windows to connect the YubiHSM private key to the certificate after importing it into your personal store.<\/p>\n\n\n\n
> certutil -repairstore my <certificate hash><\/code><\/pre>\n\n\n\n
Troubleshooting<\/h2>\n\n\n\n