You can utilize our documentation here on how you can use SignTool to create Authenticode signatures for your applications. When you generate the CSR, the keys for your certificate will be generated within the CloudHSM and will be non-exportable. This meets the requirements for code signing certificates.
Present this CSR to your CA of choosing, and once they sign this you will have a valid Authenticode certificate for your applications. The keys will remain inside CloudHSM and SignTool will utilize the CNG/KSP library for CloudHSM to offload the signing function to CloudHSM.
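The procedure this answer describes (generate the key in CloudHSM through its KSP, get a CA to sign the CSR, then have SignTool offload the signature to the HSM) as an added PowerShell example; this is not AWS's or the re:Post author's code. It assumes the CloudHSM Windows client is installed and registers a KSP named "Cavium Key Storage Provider" (confirm the exact name in the CloudHSM client documentation for your SDK version), that `certreq`, `certutil` and `signtool` (Windows SDK) are on the PATH, and that the key container name, subject, file names and timestamp URL are placeholders you replace with your own.

```powershell
# Added example, not AWS's own code. The KSP name, container name, subject and
# paths below are assumptions; substitute your own.
$Ksp       = "Cavium Key Storage Provider"   # CloudHSM KSP name (assumed; verify in the CloudHSM docs)
$Container = "CodeSigningKey1"               # hypothetical key container name inside the HSM
$Subject   = "CN=Example Corp, O=Example Corp, C=US"

# 1. certreq .inf: ProviderName routes key generation to the CloudHSM KSP, and
#    Exportable = FALSE plus KeyUsage = digitalSignature match what a CA expects
#    for a code signing key. 3072-bit RSA is the current CA/B Forum minimum.
$inf = @"
[NewRequest]
Subject = "$Subject"
ProviderName = "$Ksp"
KeyContainer = "$Container"
KeyAlgorithm = RSA
KeyLength = 3072
KeySpec = 2                ; AT_SIGNATURE
KeyUsage = 0x80            ; digitalSignature
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3    ; Code Signing
"@
Set-Content -Path .\codesign.inf -Value $inf
certreq -new .\codesign.inf .\codesign.csr   # submit codesign.csr to your CA

# 2. When the CA returns the issued certificate, bind it to the HSM-backed key.
certreq -accept .\codesign.cer

# Check that the private key lives in the KSP (it should be listed here) and
# never appears as an exportable key in a software store.
certutil -key -csp $Ksp

# 3. Sign: /csp and /kc point SignTool at the CloudHSM KSP and the container.
#    The file hash is computed locally; the RSA signature is produced inside
#    the HSM, so the key never leaves it. Use your CA's own timestamp URL.
signtool sign /fd sha256 /tr http://timestamp.digicert.com /td sha256 `
    /csp $Ksp /kc $Container /f .\codesign.cer .\MyApp.exe

# 4. Verify the signature and chain against the Authenticode policy.
signtool verify /pa /v .\MyApp.exe
```

The `/f` argument supplies only the public certificate; because the matching private key is resolvable solely through the KSP, a signing host that loses its CloudHSM credentials cannot sign, which is the property the HSM requirement is meant to guarantee.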
On June 1, 2023, Microsoft will require that all code signing certificates be generated and stored on a Hardware Security Module (HSM) or a cloud-based HSM. This change is being made to improve the security of code signing and to prevent code signing certificates from being stolen or misused.
AWS has not specifically worked with any Authenticode certificate vendors to address this change, but it does offer a number of services that can be used to comply with the new requirements. One possible solution is to use AWS CloudHSM, which is a service that provides secure and auditable storage of cryptographic keys on hardware HSMs that are managed and operated by AWS. Another solution is to use AWS Key Management Service (KMS) to generate and manage code signing keys remotely.
Remote key attestation is a method that allows a remote service to verify the integrity and authenticity of a key stored on an HSM. AWS Key Management Service (KMS) supports remote key attestation, which can be used to verify the integrity of a code signing key stored on an HSM.
Thanks for the response, but it doesn't answer my question for how CA (not self-signed) HSM Authenticode certs can be added to CloudHSM? The documentation I've read shows how to import a "regular" non-HSM Authenticode cert, not how to add HSM. We need to use commercial CA certs not self-signed. Can you point me to the AWS documentation that covers this use case?
We do exactly what you are describing. We use a mix of CloudHSM, KMS, and Azure Key Vault to store code signing keys for different BUs, but they all satisfy the FIPS compliance requirement of the June 1st CA/B Forum HSM mandate for code signing. We use a proxy in front of the HSMs so that the interface is always the same, and then use cryptographic service providers (e.g., KSP for Windows, JCE for Java, PKCS11/GPG for Linux, CTK for macOS, etc.) that talk to the proxy. We primarily use DigiCert as our CA and they issue us EV Code Signing certificates with this approach. They have not required us to provide remote key attestation (at least as of yet).