Certificate authorities have recently raised key storage standards for code signing certificates, requiring that the private key of a certificate be stored either on a physical USB token or on a compliant hardware security module (HSM). Starting June 1, 2023, all code signing certificates will no longer be issued as downloadable pfx files. This change is in line with the CA/Browser Forum’s new requirements for key storage to improve the security of code signing keys. The previous rule allowed for the issuance of Organization Validation (OV) and Individual Validation (IV) code signing certificates in the form of downloadable files.
Since the new requirements only allow the use of encrypted USB tokens or cloud-based FIPS-compliant hardware devices to store the certificate and private key, it is expected that theft and misuse of code signing keys by attackers will be significantly reduced. While the use of USB tokens creates integration issues with modern CI/CD pipelines, and using a physical HSM in an office environment can be difficult, there is an effective alternative.
Google Cloud offers a practical solution: rent a single key slot on its Cloud HSM service. This approach is cost-effective, satisfies the FIPS 140-2 Level 2 requirement, and eliminates the need to manage physical devices. In this article, we’ll show you how to set this up.
Understanding the code signing process with cloud HSM
To understand the essence of the code signing procedure using a cloud-based hardware security module (HSM), let’s look at its components:
- Code signing certificate: A digital certificate issued by a trusted certificate authority (CA) that software developers use to digitally sign their software, scripts, and executables. This certificate serves as a digital signature that verifies the identity of the developer or publisher and guarantees that the code has not been modified or compromised since it was signed.
- Google Cloud: Offers services that support secure software development and deployment, including infrastructure for securely generating and managing cryptographic keys used in the code signing process.
- Google Cloud HSM for key protection: A robust hardware security module hosted in the Google Cloud infrastructure designed to protect your private key from unauthorized access.
- Signing tool: Software or utility designed to digitally sign programs and applications. Such a digital signature guarantees the end user that the software has not been modified or compromised since it was signed by the developer or publisher.
- Time Stamping Authority (TSA): A trusted third-party service, usually operated by your certificate authority (CA), that proves the code was signed within the validity period of the digital certificate used to sign it, so the signature remains valid even after the certificate expires or is revoked.
Sign up for a Google cloud account
The first step in setting up is to create an account on the Google Cloud Platform. After your account is active, you need to create a new project and enable Billing. To proceed with the setup, you need to provide your payment information.
Generate a key pair, CSR and attestation statement
Before issuing code signing certificates, or document signing certificates trusted by Adobe, the certificate authority must verify that the customer’s private signing key was generated on, and is stored in, a FIPS 140-2 Level 2 (or higher) certified device. Such a device ensures that the key cannot be extracted, and the proof of this protection is called attestation. Google Cloud HSM, which uses devices manufactured by Marvell (formerly Cavium), can generate signed attestation statements for cryptographic keys. For instructions on how to create a key pair and obtain its attestation, refer to Google’s Cloud Key Management documentation:
Open the key management interface.
Go to the Security section and then to Key Management. When you click on Manage Keys, the platform will redirect you to the Google Cloud Marketplace and ask you to enable the KMS API. You have to turn it on and go through the same path again, i.e. Security >> Key management.
Generate the Key Ring and the HSM key.
In the Key Management interface, click on the “CREATE KEY RING” option. You will then be prompted to configure the key ring settings, including the name, location type, and region, and afterwards to create the key itself.
Recommended settings when creating a key
Setting | Recommended value
Protection Level | HSM
Key Material | HSM-generated key
Key Purpose | Asymmetric sign
Algorithm | 4096 bit RSA – PKCS#1 v1.5 padding – SHA256 Digest
Get the attestation statement
External auditors and certificate authorities sometimes require the attestation file, so you should always download it from the Google Cloud HSM platform. Verify the attestation first, and only then download it:
New Key Ring >>> Version tab >>> Actions (three dots icon) >>> Verify Attestation and then Download Attestation
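Before ordering, it is worth checking that the key you created really has the recommended settings above and that its version carries an attestation. The following added example (not from the article or from Google) is a small checker for the JSON that `gcloud kms keys describe --format=json` and `gcloud kms keys versions describe --format=json` print; the sample documents below are constructed, and the `GOOD_KEY`, `GOOD_VERSION` and `BAD_VERSION` names are assumptions of this example.

```python
import json

# Recommended settings from the table above, spelled the way the Cloud KMS
# API reports them in `gcloud kms keys describe --format=json` output.
EXPECTED_PURPOSE = "ASYMMETRIC_SIGN"
EXPECTED_LEVEL = "HSM"
EXPECTED_ALGORITHM = "RSA_SIGN_PKCS1_4096_SHA256"


def check_signing_key(key_json, version_json):
    """Return a list of problems; empty means the key and its version match
    the recommended settings and the version carries an attestation."""
    key = json.loads(key_json)
    ver = json.loads(version_json)
    problems = []
    if key.get("purpose") != EXPECTED_PURPOSE:
        problems.append(f"purpose is {key.get('purpose')!r}")
    # The key's version template and the concrete version must both agree.
    for label, obj in (("template", key.get("versionTemplate", {})), ("version", ver)):
        if obj.get("protectionLevel") != EXPECTED_LEVEL:
            problems.append(f"{label} protectionLevel is {obj.get('protectionLevel')!r}")
        if obj.get("algorithm") != EXPECTED_ALGORITHM:
            problems.append(f"{label} algorithm is {obj.get('algorithm')!r}")
    # A version created through an import job was not generated inside the HSM.
    if "importJob" in ver:
        problems.append("key material was imported, not HSM-generated")
    # HSM-generated versions carry a Marvell/Cavium attestation statement.
    att = ver.get("attestation") or {}
    if not att.get("content"):
        problems.append("no attestation statement present")
    elif not att.get("format", "").startswith("CAVIUM"):
        problems.append(f"unexpected attestation format {att.get('format')!r}")
    return problems


# Constructed sample API output (no real key; attestation content abbreviated).
GOOD_KEY = json.dumps({
    "purpose": "ASYMMETRIC_SIGN",
    "versionTemplate": {"protectionLevel": "HSM", "algorithm": "RSA_SIGN_PKCS1_4096_SHA256"},
})
GOOD_VERSION = json.dumps({
    "state": "ENABLED", "protectionLevel": "HSM",
    "algorithm": "RSA_SIGN_PKCS1_4096_SHA256",
    "attestation": {"format": "CAVIUM_V2_COMPRESSED", "content": "H4sIAAAA..."},
})
# A software-protected version with no attestation: reject before ordering.
BAD_VERSION = json.dumps({
    "state": "ENABLED", "protectionLevel": "SOFTWARE",
    "algorithm": "RSA_SIGN_PKCS1_2048_SHA256",
})
```

Run it against the real `gcloud` output of your own key; an empty result means the key is ready for the CSR step.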
Create a certificate signing request (CSR)
It’s time to generate a CSR, as this is a prerequisite for obtaining an EV code signing certificate. When you submit this CSR to a certificate authority or provider, they will issue you a digital certificate for signing applications, drivers, and firmware.
You can use “openssl” to generate the CSR. Use the command below (the email attribute must be spelled emailAddress; openssl does not recognize a bare E= attribute):
    openssl req -new -sha256 -engine pkcs11 -keyform engine \
        -key "pkcs11:object={keyName}" \
        -subj '/emailAddress={yourEmail}/CN={companyName}/O={companyName}/' \
        -out request.csr
Note: Replace the placeholders above with your own values. Since your private key never leaves the cloud HSM, openssl reaches it through the pkcs11 engine, which must be configured with Google’s Cloud KMS PKCS#11 library so that {keyName} resolves to your HSM key.
After you have prepared the key pair, the CSR and the attestation statement, send them to us for verification and ordering of the certificate.
Order a code signing certificate
All code signing certificates can be purchased from tuthost for 1 to 3 years with discounts for longer validity periods, and with the convenience of going through the verification process only once for longer validity certificates.