Certificate Authorities like SSL.com have recently heightened the key storage standards for Code Signing Certificates, now mandating the storage of the certificate’s private key either on a physical USB token or on a compliant Hardware Security Module (HSM).
As of June 1, 2023, all SSL.com code signing certificates have ceased being issued as downloadable pfx files. This change is in compliance with the Certificate Authority/Browser (CA/B) Forum’s new key storage requirements to increase security for code signing keys. The previous rule allowed Organization Validation (OV) and Individual Validation (IV) code signing certificates to be issued as downloadable files. Since the new requirements only allow the use of encrypted USB tokens or cloud-based FIPS compliant hardware appliances to store the certificate and private key, it is expected that instances of code signing keys being stolen and misused by malicious actors will be greatly reduced.
While the use of USB tokens presents challenges in integrating with modern CI/CD pipelines and managing a physical HSM at the office can be cumbersome, there exists an efficient alternative. Google Cloud offers a practical solution: renting a single key slot on their HSM service. This approach is not only cost-effective but also aligns with the latest FIPS 140-2 Level 2 compliance standards, all while eliminating the need for physical device management. This article will guide you through the setup process of this middle-ground solution.
SSL.com’s EV Code Signing Certificates are trusted worldwide to digitally sign software code with secure digital signatures.
Understanding the Code Signing Process with a Cloud-Based HSM
To grasp the essence of the code signing procedure utilizing a cloud-based Hardware Security Module (HSM), it is useful to examine the components:
- Code Signing Certificate: A digital certificate issued by a trusted Certificate Authority (CA) that software developers use to digitally sign their software, scripts, and executables. This certificate serves as a digital signature that verifies the identity of the developer or publisher and ensures that the code has not been altered or compromised since it was originally signed.
- Google Cloud: Offers services that support secure software development and deployment, including infrastructure for securely generating and managing cryptographic keys used in the code signing process.
- Google Cloud HSM for Key Protection: A robust Hardware Security Module housed within Google Cloud’s infrastructure, dedicated to securing your private key against unauthorized access.
- Signing Tool: A software application or utility designed to digitally sign software programs and applications. This digital signature assures the end-user that the software has not been altered or compromised since it was signed by the developer or publisher.
- Time Stamping Authority (TSA): A trusted third-party service, typically managed by your Certificate Authority (CA), that is tasked with proving that the code was signed during the validity period of the digital certificate used for signing, even if the certificate later expires or gets revoked.
Registering a Google Cloud Account
The first step in configuring your setup is to create an account with Google Cloud Platform. Once your account is active, create a new project and enable Billing. You must provide your payment information to proceed with the setup.
Generate your key pair, CSR, and attestation statement
Before issuing code signing or Adobe-trusted document signing certificates, SSL.com requires confirmation that the customer’s private signing key was generated on and is securely contained within a device certified by FIPS 140-2 Level 2 (or higher). This device ensures the key cannot be extracted, and verifying this protection is referred to as attestation.
Google’s Cloud HSM, utilizing Marvell (previously Cavium) manufactured devices, is capable of generating signed attestation statements for cryptographic keys. SSL.com can validate these statements prior to issuing document signing or code signing certificates. For guidance on generating your key pair and attestation statement, please consult Google’s Cloud Key Management documentation:
Once you have your key pair, CSR, and attestation statement ready, submit them to SSL.com for verification and certificate issuance. The open-source tool by GitHub user mattes for creating a CSR and signing it using a private key from Google Cloud HSM can be particularly useful.
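The key generation and attestation export described above, as an added example rather than SSL.com's or Google's own script. It uses the gcloud CLI; the project, location, key ring and key names, the output file names and the RSA 3072 algorithm are assumptions, and the commands are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: create an HSM-protected signing key in Cloud KMS and export
# the attestation material a CA reviews. Resource names are placeholders.
set -eu

PROJECT="${PROJECT:-example-project}"   # placeholder project ID
LOCATION="${LOCATION:-us-east1}"        # placeholder Cloud KMS location
KEYRING="${KEYRING:-codesign-ring}"     # placeholder key ring name
KEY="${KEY:-codesign-key}"              # placeholder key name
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute them

# Flags shared by every call; the names contain no spaces, so the unquoted
# expansion below splits into separate arguments as intended.
SCOPE="--project $PROJECT --location $LOCATION --keyring $KEYRING"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Key ring plus an asymmetric signing key whose material lives in the HSM.
# RSA 3072 with SHA-256 is an assumed choice; use what your CA asks for.
create_hsm_key() {
  run gcloud kms keyrings create "$KEYRING" \
    --project "$PROJECT" --location "$LOCATION"
  run gcloud kms keys create "$KEY" $SCOPE \
    --purpose asymmetric-signing \
    --default-algorithm rsa-sign-pkcs1-3072-sha256 \
    --protection-level hsm
}

# Attestation statement, the certificate chains that vouch for it, and the
# public key that the CSR must carry (key version 1 of a new key).
export_attestation() {
  run gcloud kms keys versions describe 1 --key "$KEY" $SCOPE \
    --attestation-file attestation.dat
  run gcloud kms keys versions get-certificate-chain 1 --key "$KEY" $SCOPE \
    --output-file attestation-chain.pem
  run gcloud kms keys versions get-public-key 1 --key "$KEY" $SCOPE \
    --output-file hsm-public-key.pem
}

create_hsm_key
export_attestation
```

Replace the placeholder names with your own resources before running with DRY_RUN=0.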
SSL.com charges a fee of $500.00 USD for Google Cloud HSM attestation. Additionally, we provide various pricing levels for certificates used on cloud HSM platforms, depending on the annual maximum signing operations. For detailed pricing information, refer to our Cloud HSM Pricing Tiers guide.
Attestations can be performed using the BYOA (Bring Your Own Auditor) method when an HSM owner opts for key generation attestation without SSL.com’s services. This method is applicable for any Key Generation Ceremony (KGC) of a compliant HSM, even those not covered by SSL.com’s attestation. BYOA demands meticulous preparation to avoid the risk of key rejection. Such issues necessitate repeating the ceremony, incurring additional costs and delays. To prevent these problems, SSL.com’s customer support and validation specialists proactively guide customers before the KGC.
Order your Code Signing Certificate
All SSL.com code signing certificates can be purchased with 1-3 year durations. Longer durations are discounted and have the added convenience of requiring you to undergo the validation process only once.
The following linked article details how to order a code signing certificate and navigate these options: Ordering Process for Code and Document Signing Certificates.
For custom solutions, high-volume discounts, external HSM options, official quotes, or any other guidance, please contact sales@ssl.com.
Undergo the Vetting Process to obtain your Certificate
Aside from generating your key pair, CSR, and attestation statement, SSL.com requires particular documents and registration information before you can attain a code signing certificate. The following linked article details the vetting process: Validation Process for Document Signing, Code Signing, and EV Code Signing Certificates.