SSL.com currently supports AWS CloudHSM, Azure Dedicated HSM, and Google Cloud HSM for issuance of Adobe-trusted document signing certificates and EV code signing certificates. All three cloud HSM services provide FIPS 140-2 Level 3 validated HSM hardware for generating and storing signing keys. This guide gives an overview of key generation, attestation, and certificate ordering for these platforms, and includes pricing information for certificates installed on cloud HSMs.
Before SSL.com can sign and issue an EV code signing or Adobe-trusted document signing certificate, we must first obtain proof that the customer’s private signing key was generated by, and is stored on, a FIPS 140-2 Level 2 (or greater) certified device from which it cannot be exported. Proving that a private key meets these requirements is known as attestation. The exact procedure for private key attestation varies between devices and cloud platforms; the sections below describe what each supported platform requires.
Amazon Web Services (AWS) CloudHSM
Amazon Web Services (AWS) CloudHSM does not currently provide any means by which SSL.com can automate attestation of keys generated on the HSM. For this reason, we require a remotely witnessed key pair generation ceremony before we can issue document signing or EV code signing certificates for installation on AWS CloudHSM. This remote witnessing incurs an extra charge for the time SSL.com staff spend on the ceremony.
During the ceremony, SSL.com staff observe, via videoconferencing software, the generation of one or more key pairs with non-exportable private keys on a CloudHSM instance. After the ceremony, the customer submits a certificate signing request (CSR) for the witnessed key to SSL.com for signing and issuance. Please refer to Amazon’s AWS CloudHSM Documentation for CSR generation instructions.
SSL.com’s fee for key generation ceremonies on AWS CloudHSM is $1200.00 USD.
Microsoft Azure Dedicated HSM
Microsoft’s Azure Dedicated HSM service uses the SafeNet Luna Network HSM 7 Model A790. The Luna cmu (Certificate Management Utility) command-line tool can be used to generate a key pair and certificate signing request (CSR) for document signing or EV code signing, along with the information SSL.com requires for attestation. Please refer to Thales’ Certificate Management Utility (CMU) documentation for full instructions on working with the cmu utility.
When generating your key pair with cmu generatekeypair, make sure the private key is not extractable (non-extractable is the default setting). Then generate your CSR with the cmu requestcertificate command, referencing the same key pair.
After generating your key pair and CSR, request a public key confirmation (PKC) file for the new key with the cmu getpkc command. The PKC is a package signed by the HSM that SSL.com uses to confirm the key pair was generated on compliant hardware and that the private key is not exportable. Because the PKC only attests the key it was issued for, request it for the same key handle you used to generate the CSR.
After generating your key pair, CSR, and PKC file, submit the CSR and PKC to SSL.com for validation and signing.
SSL.com’s fee for Azure Dedicated HSM PKC confirmation is $500.00 USD.
If your organization does not have a qualified security officer to perform this role, external attestation service providers can be engaged to do so. Here is one example: https://spearit.net/services/remote-key-attestation
Google Cloud HSM
Google’s Cloud HSM service uses devices manufactured by Marvell (formerly Cavium), which produce signed attestation statements for cryptographic keys that SSL.com can verify before issuing document signing or EV code signing certificates. Please refer to Google’s Cloud Key Management documentation when generating your key pair and retrieving its attestation statement.
After generating your key pair, CSR, and attestation statement, submit all three to SSL.com for validation and signing. GitHub user mattes has provided an open-source utility for creating a CSR and signing it with a private key held in Google Cloud HSM, so that the key never leaves the HSM.
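The CSR step above works the same way for any HSM-held key: the tool never sees the private key, it only asks the HSM to sign the request’s digest and embeds the matching public key. The Go program below is an added example, not code from this page, from SSL.com, or from the mattes utility. Its hsmSigner type is a constructed in-process stand-in for the Cloud HSM key (a real implementation would forward Sign() to the Cloud KMS AsymmetricSign API and hold no key material); the subject names are made up. Go’s x509.CreateCertificateRequest accepts any crypto.Signer, which is what makes this pattern work with an HSM.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
)

// hsmSigner stands in for a non-exportable key inside a cloud HSM.
// CONSTRUCTED stand-in: the key is generated in process here; a real
// implementation would call the KMS signing API in Sign() and never hold
// the private key. Nothing but Sign() can use the key.
type hsmSigner struct {
	priv *ecdsa.PrivateKey
}

func newHSMSigner() (*hsmSigner, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &hsmSigner{priv: k}, nil
}

// Public returns the public half, which is all a CSR or an attestation
// statement ever carries.
func (s *hsmSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign signs a caller-supplied digest. A P-256 KMS key only accepts a
// SHA-256 digest, so mirror that check instead of signing anything handed in.
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	if opts.HashFunc() != crypto.SHA256 || len(digest) != crypto.SHA256.Size() {
		return nil, fmt.Errorf("hsmSigner: key only signs SHA-256 digests, got %s/%d bytes",
			opts.HashFunc(), len(digest))
	}
	return ecdsa.SignASN1(r, s.priv, digest)
}

// buildCSR produces a PEM PKCS#10 request signed by the HSM-backed signer.
func buildCSR(signer crypto.Signer, commonName, org string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: commonName, Organization: []string{org}},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// checkCSR does what the CA does on receipt: parse, verify the self-signature
// (proof of possession of the HSM key), and confirm the embedded public key is
// the one the attestation statement was produced for.
func checkCSR(csrPEM []byte, expected crypto.PublicKey) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(expected) {
		return nil, fmt.Errorf("CSR public key does not match the attested HSM key")
	}
	return csr, nil
}

func main() {
	signer, err := newHSMSigner()
	if err != nil {
		panic(err)
	}
	csrPEM, err := buildCSR(signer, "Example Corp", "Example Corp") // made-up subject
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	if _, err := checkCSR(csrPEM, signer.Public()); err != nil {
		panic(err)
	}
	fmt.Println("CSR verified against HSM public key")
}
```

Keep the public key returned by the HSM next to the attestation statement: if the CSR’s public key does not match the key the attestation was produced for, the attestation proves nothing about the key you are asking to have certified.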
SSL.com’s fee for Google Cloud HSM attestation is $500.00 USD.
Bring Your Own Auditor (BYOA)
Bring Your Own Auditor (BYOA), in which the customer engages their own qualified auditor to witness the key generation ceremony (KGC), is a valid alternative for clients, but it requires thorough preparation; otherwise there is a significant risk that the generated key will be rejected. This can happen if the device used is not compliant, if the auditor is not qualified, or if the auditor’s report does not cover the requirements of the process. In such a case the ceremony and its witnessing must be repeated, resulting in added cost and delay for the client.
To avoid such scenarios, SSL.com’s customer support and/or validation specialists communicate with the customer before the KGC to provide guidance and ensure the following:
- The auditor is approved according to the criteria described below
- The ceremony preparation requirements as well as the ceremony script are clear and followed thoroughly, so that the KGC environment is properly prepared
- Any restrictions and/or BYOA-specific terms and conditions are clear and accepted by the customer
Cloud HSM Pricing Tiers
For certificates installed on cloud HSM platforms, SSL.com offers the following pricing tiers, based on the maximum number of signings per year.

| Tier | Price | Signings Per Year |
|---|---|---|
| Free Tier | Base Certificate Price | 1,000 |
| Tier 1 | Base Price + $180.00 | 2,000 |
| Tier 2 | Base Price + $300.00 | 5,000 |
| Tier 3 | Base Price + $500.00 | 10,000 |
| Tier 4 | Contact Sales | > 10,000 |
Cloud HSM Service Request Form
If you would like to order digital certificates for installation on a supported cloud HSM platform (AWS CloudHSM, Azure Dedicated HSM, or Google Cloud HSM), please fill out and submit the form below. After we receive your request, a member of SSL.com’s staff will contact you with more details about the ordering and attestation process.
Other Cloud HSM Platforms
SSL.com is currently developing and testing issuance procedures for document signing certificates on a wider range of HSM services and hardware. If you would like to express interest in ordering certificates for a platform we do not yet support, and to receive updates on the HSMs we support, please fill out our HSM Inquiry Form.