Using CloudHSM with Authenticode cert from VPN-connected desktop not EC2?


DigiCert is dropping support for older code signing using a local PEM file: "Starting on November 15, 2022, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent."

This explains how to use CloudHSM with a Windows Server EC2 instance -

But what about our developers who need to use SignTool and InstallShield for code-signing on their local desktops? Can they connect to the CloudHSM cluster using a VPN into a VPC? Would they use AWS KMS? A follow-up blog or any pointers would be very helpful.

  • You can do it without the client (i.e., the one performing the signing operation) having network access to the HSM. We do this via a signing proxy that sits in front of the HSM and performs authn/authz and then offloads signing to the HSM. We run signing tools (e.g., signtool, jarsigner, rpmsign, cosign, etc.) from our client machine, the cryptographic service provider then offloads that to the proxy, then the proxy offloads to the HSM. It is basically just web services behind the scenes, and the approach uses client-side hashing to ensure that the data sent over the network is minimal so performance isn't impacted.

asked 2 years ago · 497 views
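The signing-proxy flow described in the comment above, as an added example (not code from the commenter or from AWS): the client hashes locally, and the proxy authenticates, authorizes, validates the digest and logs every request before calling the HSM. All user names, tokens and key labels are constructed, and `fake_hsm_sign` is an HMAC stand-in for the real HSM signing call so the example runs offline.

```python
import hashlib
import hmac

# Constructed sample data: every name, token and key label here is hypothetical.
API_TOKENS = {"dev-alice": "tok-constructed-1", "dev-bob": "tok-constructed-2"}  # authn
KEY_ACL = {"authenticode-prod": {"dev-alice"}}   # authz: key label -> allowed callers
DIGEST_LEN = {"sha256": 32, "sha384": 48}        # accepted algorithms and digest sizes
AUDIT_LOG = []                                   # one entry per request, allowed or denied

def client_request(user, token, key_label, artifact, alg="sha256"):
    """Client side: hash locally so only the digest leaves the desktop."""
    digest = hashlib.new(alg, artifact).hexdigest()
    return {"user": user, "token": token, "key": key_label, "alg": alg, "digest": digest}

def _deny(req, reason):
    AUDIT_LOG.append((req["user"], req["key"], req["alg"], req["digest"], reason))
    return {"ok": False, "error": reason}

def proxy_sign(req, hsm_sign):
    """Proxy side: authenticate, authorize, validate the digest, then offload to the HSM."""
    expected = API_TOKENS.get(req["user"], "")
    if not expected or not hmac.compare_digest(expected.encode(), req["token"].encode()):
        return _deny(req, "authn")
    if req["user"] not in KEY_ACL.get(req["key"], set()):
        return _deny(req, "authz")
    try:
        digest = bytes.fromhex(req["digest"])
    except ValueError:
        return _deny(req, "bad-digest")
    # The proxy never sees the file, so it can only check that the digest has
    # the exact size of an allowed algorithm; unknown algorithms are rejected.
    if DIGEST_LEN.get(req["alg"]) != len(digest):
        return _deny(req, "bad-digest")
    signature = hsm_sign(req["key"], digest)
    AUDIT_LOG.append((req["user"], req["key"], req["alg"], req["digest"], "signed"))
    return {"ok": True, "signature": signature.hex()}

def fake_hsm_sign(key_label, digest):
    """Stand-in (assumption): HMAC in place of the HSM's asymmetric signing call."""
    return hmac.new(b"constructed-hsm-key:" + key_label.encode(), digest, hashlib.sha256).digest()
```

Because the proxy signs a digest it cannot tie back to a file, the per-caller key ACL and the audit log of every digest are the controls that limit and trace what gets signed.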
1 Answer


I would like to mention that yes, it's possible to use a CloudHSM cluster remotely.

However, there are four prerequisites that must be satisfied:

  1. Network connectivity between the client instances (in this case, the local desktops) and the CloudHSM cluster. This could be accomplished by using VPN connections, Direct Connect connections, etc.

  2. Copy of the customerCA.crt [1] certificate to the client instances.

  3. Creation of a Crypto-User for the desktop computers.

  4. Installation of the CloudHSM package. For your scenario, this could be the issue. If you are using, for example, Windows 10 or Windows 11 on the desktops, we don't have any CloudHSM package for these operating systems. You can try to use the package for Windows Server 2016/2019. [2]

Please note that for such custom solution queries, we have the dedicated AWS Solutions Architect team, which addresses architecture and design level queries. I would suggest reaching out directly to our Sales team, as they can help you get in touch with our Solutions Architect (SA) team.

You can request that a member of the sales (Business Development) team contact you using any of the following methods:

>> Via form:
>> Via Live Chat:
>> Phone support:   +1 (833) 662-9873 - 6:30am - 4:00pm (Pacific) Monday - Friday.


AWS
answered 2 years ago
  • Thanks, that's helpful. Our existing Authenticode cert doesn't expire until summer 2023, so for now we've decided to wait for other people to have this problem and hopefully post solutions. I expect Amazon will be getting more requests for desktop CloudHSM support as we get closer to DigiCert and others requiring HSM for their new and renewal certificates.
