To configure AWS CloudHSM SDK on your Windows development machine for code signing with SignTool, you'll need to follow these steps:

- Install the AWS CloudHSM Client SDK on your Windows development machine.
- Configure the CloudHSM CLI by specifying the location of your customer CA certificate:

      & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" --hsm-ca-cert <customerCA certificate file>

  This certificate should be the self-signed certificate used to initialize your CloudHSM cluster.
- Create a key pair in AWS CloudHSM and generate the corresponding certificate. You can use the Windows Certreq application for this, which supports the Key Storage Provider (KSP) standards and works with the AWS CloudHSM KSP that was installed as part of the client installation.
- After obtaining the signed certificate from your Certificate Authority, export it to a file (e.g., as a DER encoded binary X.509 file).
- Import the certificate into your Windows Personal Certificate Store by running:

      certreq.exe -accept signedCertificate.cer

  You can verify it exists by running certlm.msc and viewing the Personal Certificates.
- Associate the AWS CloudHSM key with the certificate using the import_key.exe utility (included in CloudHSM version 3.0 and higher). This step is crucial for importing the key's metadata into the local certificate store and associating it with your certificate.
- Once the association is complete, you should be able to use Microsoft SignTool with your CloudHSM-backed certificate by referencing the SHA-1 hash of your certificate.

This configuration allows your code signing certificate to see its private key stored in the CloudHSM cluster, enabling secure signing operations where the private key never leaves the HSM.

Sources
- Signing executables with Microsoft SignTool.exe using AWS CloudHSM-backed certificates | AWS Security Blog
- AWS CloudHSM Client SDK 5 configuration examples - AWS CloudHSM
- Associate an AWS CloudHSM key with a certificate - AWS CloudHSM
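The steps in the answer above, written out as one PowerShell script. This is an added example, not code from the answer, the AWS blog post, or the CloudHSM SDK. It adds a reachability preflight before the CloudHSM commands, because a VPN or security-group problem otherwise only shows up later as a KSP login failure. The HSM IP addresses, file paths, certificate subject, timestamp URL and binary name are constructed placeholders; the KSP name is the one that appears in this thread's error message, and `certreq -new` with an INF file, `import_key.exe -from HSM -all`, and `signtool sign /sha1` are the standard invocations. Run it from an elevated prompt, since the request uses the machine key set.

```powershell
# Added example: end-to-end CloudHSM + SignTool setup on Windows.
# Every path, IP, subject and URL below is a placeholder (constructed) - replace them.
$ErrorActionPreference = 'Stop'

$CloudHsmBin    = 'C:\Program Files\Amazon\CloudHSM\bin'
$CustomerCaCert = 'C:\hsm\customerCA.crt'     # assumption: the self-signed cluster owner cert
$HsmIps         = @('10.0.1.10', '10.0.2.10')  # constructed: ENI IPs of the HSMs in your cluster
$Workdir        = 'C:\hsm\codesign'
$Subject        = 'CN=build.example.com, O=Example Org'   # constructed

# 0. Preflight: Client SDK 5 reaches the HSMs over TCP 2223-2225. If the VPN route or the
#    cluster security group blocks these, every later step fails with an opaque login error.
function Test-HsmReachability {
    param([string[]]$Hosts, [int[]]$Ports = (2223..2225))
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            if (-not $r.TcpTestSucceeded) {
                throw "HSM $h port $p is unreachable; check the VPN route and the cluster security group"
            }
        }
    }
}
Test-HsmReachability -Hosts $HsmIps

# 1. Point the CLI at the customer CA certificate used to initialize the cluster.
& "$CloudHsmBin\configure-cli.exe" --hsm-ca-cert $CustomerCaCert

# 2. Generate the key pair inside the HSM through the CloudHSM KSP and emit a CSR.
#    ProviderName selects the KSP, which is what keeps the private key in the cluster;
#    Exportable = FALSE makes the intent explicit.
New-Item -ItemType Directory -Force -Path $Workdir | Out-Null
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=build.example.com, O=Example Org"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 3072
ProviderName = "Cavium Key Storage Provider"
KeyUsage = "CERT_DIGITAL_SIGNATURE_KEY_USAGE"
MachineKeySet = True
Exportable = FALSE
'@
Set-Content -Path "$Workdir\request.inf" -Value $inf -Encoding ASCII
certreq.exe -new "$Workdir\request.inf" "$Workdir\request.csr"

# 3. Submit request.csr to your CA out of band and save the issued certificate as
#    signed.cer (DER). Accepting it binds the cert to the pending request in the store.
certreq.exe -accept "$Workdir\signed.cer"

# 4. Let the CloudHSM KSP attach the HSM key's metadata to the stored certificate.
& "$CloudHsmBin\import_key.exe" -from HSM -all

# 5. Sign, selecting the certificate by its SHA-1 thumbprint as SignTool requires.
$thumb = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$($Subject.Split(',')[0])*" } |
    Select-Object -First 1 -ExpandProperty Thumbprint
if (-not $thumb) { throw "No certificate with subject $Subject in the machine Personal store" }
signtool.exe sign /sha1 $thumb /fd SHA256 /tr 'http://timestamp.example.com' /td SHA256 "$Workdir\app.exe"

# 6. Verify the signature and its chain before shipping the binary.
signtool.exe verify /pa /v "$Workdir\app.exe"
```

If step 4 fails while steps 0 and 1 succeeded, the network is not the problem; check that the CloudHSM client user running the script is the Crypto User whose password the KSP has been configured with.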

I called configure-cli.exe as specified above and followed the steps, but got

    Cfm2LoginHSM failed:-40000040 Failed to represent keypairs in Cavium Key Storage Provider

as the error when I tried to run import_key -from HSM -all.
Is there a way to check connectivity between my local machine and CloudHSM? ... I am already connected with a VPN.
Or is that error because of an issue in my user privileges? ... I already set the password with the n3fips_password command for a Crypto User.