CloudHSM linking with DigiCert Authenticode certs after June 2023 requirement for HSMs


On June 1, 2023 code signing certs are supposed to all use HSMs or cloud HSMs - https://lists.cabforum.org/pipermail/cscwg-public/2022-September/000891.html?om_ext_cid=dc_email_7014z000001hx1XAAQ_11078&mth=January%2C%202022

This means the existing instructions for importing non-HSM certs will stop working. Has AWS worked with any of the Authenticode cert vendors to deal with this? One article I've found mentions "remote key attestation" as a way to handle the cert installation, but searching re:Post didn't find any results.

We do server-based signing of thousands of files every month using EC2 servers and lambdas, so we need a way to continue signing that is cloud-based not a physical HSM.

Edit: this is for distribution to customers outside of our company, so we need instructions for adding commercial Authenticode HSM certs from DigiCert, etc. into CloudHSM, not self-signed certs.

  • We do exactly what you are describing. We use a mix of CloudHSM, KMS, and Azure Key Vault to store code signing keys for different BUs, but they all satisfy the FIPS compliance requirement of the June 1st CA/B Forum HSM mandate for code signing. We use a proxy in front of the HSMs so that the interface is always the same, and then use cryptographic service providers (e.g., KSP for Windows, JCE for Java, PKCS11/GPG for Linux, CTK for macOS, etc.) that talk to the proxy. We primarily use DigiCert as our CA and they issue us EV Code Signing certificates with this approach. They have not required us to provide remote key attestation (at least as of yet).

asked a year ago · 1607 views

2 Answers

You can utilize our documentation here on how you can use SignTool to create Authenticode signatures for your applications. When you generate the CSR, the keys for your certificate will be generated within the CloudHSM and will be non-exportable. This meets the requirements for code signing certificates.

Present this CSR to your CA of choosing, and once they sign this you will have a valid Authenticode certificate for your applications. The keys will remain inside CloudHSM and SignTool will utilize the CNG/KSP library for CloudHSM to offload the signing function to CloudHSM.

AWS
EXPERT
answered 9 months ago
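The CSR-then-sign flow this answer describes, written out as an added PowerShell example (not code from the thread, from AWS, or from DigiCert). It assumes a Windows signing host with the CloudHSM client and its CNG/KSP installed; the KSP display name, the key container name, the subject and the output paths are placeholders to adjust, and the CA's own requirements for proving the key lives in an HSM are whatever the CA states.

```powershell
# Added example: generate the key pair inside CloudHSM via its KSP, hand the CA only
# a CSR, then let signtool offload the RSA operation to the HSM.
# ASSUMPTION: the KSP name below matches the installed Client SDK; list the providers
# on the host with `certutil -csplist` and substitute the exact string shown there.
$Ksp     = 'CloudHSM Key Storage Provider'                          # assumed name
$KeyName = 'authenticode-signing-key'                               # container name, reused by /kc
$Subject = 'CN=Example Corp, O=Example Corp, L=Seattle, S=WA, C=US'  # constructed placeholder
$Tsa     = 'http://timestamp.digicert.com'                          # RFC 3161 timestamp server

# 1. Key pair created in the HSM and marked non-exportable; only codesign.csr leaves the host.
#    3072-bit RSA is the CA/B Forum minimum for code signing keys.
$inf = @"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 3072
ProviderName = "$Ksp"
KeyContainer = "$KeyName"
Exportable = FALSE
HashAlgorithm = sha256
KeyUsage = 0x80
MachineKeySet = TRUE
RequestType = PKCS10
"@
Set-Content -Path .\codesign.inf -Value $inf -Encoding ASCII
certreq -new .\codesign.inf .\codesign.csr
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed; check the KSP name and CloudHSM client login' }

# 2. Submit codesign.csr to the CA out of band and save the issued certificate as codesign.cer.
# 3. Bind the issued certificate to the HSM-resident key in the machine certificate store.
certreq -accept .\codesign.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed; the cert does not match a key in the KSP' }

# 4. Sign: the file digest is computed locally, the private-key operation runs in CloudHSM.
signtool sign /csp $Ksp /kc $KeyName /f .\codesign.cer /fd sha256 /tr $Tsa /td sha256 /v .\build\app.exe
if ($LASTEXITCODE -ne 0) { throw 'signing failed' }

# 5. Verify the result against the default Windows Authenticode policy (chain plus timestamp).
signtool verify /pa /v .\build\app.exe
```

Because the private key never exists outside the HSM, the same container name can serve a fleet of build hosts that share the CloudHSM cluster, and CloudHSM's audit log records each signing operation.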

On June 1, 2023, Microsoft will require that all code signing certificates be generated and stored on a Hardware Security Module (HSM) or a cloud-based HSM. This change is being made to improve the security of code signing and to prevent code signing certificates from being stolen or misused.

AWS has not specifically worked with any Authenticode certificate vendors to address this change, but it does offer a number of services that can be used to comply with the new requirements. One possible solution is to use AWS CloudHSM, which is a service that provides secure and auditable storage of cryptographic keys on hardware HSMs that are managed and operated by AWS. Another solution is to use AWS Key Management Service (KMS) to generate and manage code signing keys remotely.

Remote key attestation is a method that allows a remote service to verify the integrity and authenticity of a key stored on an HSM. AWS Key Management Service (KMS) supports remote key attestation, which can be used to verify the integrity of a code signing key stored on an HSM.

answered a year ago
  • Thanks for the response, but it doesn't answer my question of how CA-issued (not self-signed) HSM Authenticode certs can be added to CloudHSM. The documentation I've read shows how to import a "regular" non-HSM Authenticode cert, not how to add an HSM one. We need to use commercial CA certs, not self-signed. Can you point me to the AWS documentation that covers this use case?
