Can I use AWS cloudHSM to sign applications on servers outside of the AWS network?


Greetings AWS:rePost community,

We are currently using file-based code signing certificates for our large Windows applications (several GB in size). Due to new CA/B forum requirements, we now need to move to an HSM-based signing solution.

We are exploring the use of AWS CloudHSM, but have some clarifying questions:

  • Do we need to move our entire application build and signing process to an EC2 instance to use CloudHSM, or can we access CloudHSM remotely over the network from our on-premises servers?
  • If remote access is possible, does CloudHSM allow secure network connections from non-AWS servers so that we don't have to immediately rebuild our workflow on EC2?

The primary concern is workflow speed. By keeping the build process on our current servers, we avoid large file transfer delays to AWS. But we need HSM-level security for the new code signing certificates.

If anyone has experience using CloudHSM for remote signing without migrating the entire application, your guidance would be greatly appreciated! Please let me know the most efficient way to deploy CloudHSM for high-volume code signing.

Thanks in advance for your insights

asked 3 months ago245 views
1 Answer


Those 3 questions coming from CloudHSM FAQs will mostly answer all your questions:

Go directly to the page at if you're interested by the hyperlinks underlying the text below.

Q: Does my application need to reside in the same VPC as the CloudHSM Cluster?

No, but the server or instance on which your application and the HSM client are 
running must have network (IP) reachability to all HSMs in the cluster. You can 
establish network connectivity from your application to the HSM in many ways, 
including operating your application in the same VPC, with VPC peering, with a 
VPN connection, or with Direct Connect. Please see the VPC Peering Guide and 
VPC User Guide for more details.

Q: Does CloudHSM work with on-premises HSMs?

Yes. While CloudHSM does not interoperate directly with on-premises HSMs, 
you can securely transfer exportable keys between CloudHSM and most commercial 
HSMs using one of several supported RSA key wrap methods.   

Q: How can my application use CloudHSM?

We have integrated and tested CloudHSM with a number of third-party software 
solutions such as Oracle Database 11g and 12c and Web servers including Apache and 
Nginx for SSL offload. Please see the CloudHSM User Guide for more information.

If you are developing your own custom application, your application can use the 
standard APIs supported by CloudHSM, including PKCS#11 and Java JCA/JCE (Java 
Cryptography Architecture/Java Cryptography Extensions), or Microsoft CAPI/CNG. 
Please refer to the CloudHSM User Guide for code samples and help with getting started.

If you are moving an existing workload from CloudHSM Classic or on-premises HSMs
 to CloudHSM, our CloudHSM migration guide provides information on how to plan 
and execute your migration.



profile pictureAWS
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions