
Signing executables with HSM-backed certificates using multiple Windows instances

Customers use code signing certificates to sign software, documents, and other certificates. Signing is a cryptographic mechanism that lets users verify that the code hasn’t been altered and that the software, documents, or other certificates can be trusted.

This blog post shows you how to configure your applications so that you can use a key pair already on your hardware security module (HSM) to create signatures from any Windows instance. Many customers use multiple Amazon Elastic Compute Cloud (Amazon EC2) instances to sign workloads with the same key pair. You need to configure these instances to use a pre-existing key pair from the HSM. In this post, I show you how to create a key container on a new Windows instance from an existing key pair in AWS CloudHSM, and how to update the certificate store to associate the imported certificate with the new container. I also show you how to use a common tool to sign executables with this key pair.

Every certificate is associated with a key pair, made up of a private key and a public key. You can only trust a signature if you can be sure that the private key has remained confidential and can be used only by the owner of the certificate. You achieve that goal by generating the key pair on an HSM and securely storing the private key on the HSM. Enterprise certificate authority (CA) or public key infrastructure (PKI) applications are configured to use this private key in the HSM whenever they need to sign with the corresponding certificate. This configuration is usually handled transparently between the application and the HSM on the Windows instance the application is running on. The process becomes challenging when you want to use multiple Windows instances to sign with the same key pair. This is especially true if the EC2 instance that ran as the Windows Server CA you used to issue the HSM-backed certificate has been deleted and all you have is a backup of the HSM-backed certificate.

Before we get into the details, you need to know about a library called the key storage provider (KSP). Windows systems use KSP libraries to connect applications to an HSM. For each HSM brand, such as CloudHSM, you need a corresponding KSP to perform operations that involve cryptographic keys stored on that HSM. From your application, select the KSP that corresponds with the HSM you want to use to store (or use) your keys. All KSPs associate keys on the HSM with metadata in the Microsoft ecosystem using key containers. Key containers map the metadata in certificates to metadata on the HSM, which allows the application to work with keys. The list of certificates available for Microsoft utilities to sign with is held in a trust store. To use the same key pair across multiple Windows instances, you must copy the key containers to each instance (or create a new key container from the existing key pair on each instance) and import the corresponding certificate into the trust store of each instance.

Prerequisites

The solution in this post assumes that you’ve completed the steps in Signing executables with Microsoft SignTool.exe using AWS CloudHSM-backed certificates. You should already have your HSM-backed certificate on one Windows instance.

Before you implement the solution, you must:

  1. Install the AWS CloudHSM client on the new instance and make sure that you can connect to the HSM in your CloudHSM cluster.
  2. Verify the CloudHSM KSP and CNG provider installation on your new instance.
  3. Set the login credentials for the HSM on your system. Set the credentials through Windows Credentials Manager. I recommend that you reboot your instance after setting the credentials.

Note: The login credentials identify the crypto user (CU) in the HSM that has access to the key pair in CloudHSM.

Architectural overview

Figure 1: Architectural overview

This diagram shows a virtual private cloud (VPC) that contains an EC2 instance running Windows Server 2016 on private subnet 1. This instance runs the CloudHSM client software and uses your HSM-backed certificate, whose key pair is already on your HSM, to sign executable files. The instance is reached through a VPN connection and has security groups that allow RDP access from the on-premises network. Private subnet 2 hosts the elastic network interface for the CloudHSM cluster, which has a single HSM.

Out of scope

The focus of this blog post is how to use an HSM-backed certificate, with a key pair already on your HSM, to sign executable files from any Windows instance using Microsoft SignTool.exe. This post isn’t intended to represent best practices for implementing code signing or Amazon EC2. For more information, see the NIST cybersecurity whitepaper Security Considerations for Code Signing and Best practices for Amazon EC2, respectively.

Deploy the solution

To deploy the solution, you use certutil, import_key, and SignTool. Certutil is a Microsoft tool that helps you inspect your system for available certificates and key containers. Import_key, a tool provided by CloudHSM, generates a local key container for a key pair that is on your HSM. To complete the process, you use SignTool, a Microsoft tool that lets Windows users digitally sign files and that verifies signatures and timestamps in files.

You will need the following:

Certificates or key materials                     Purpose
<RootCA>.cer                                      Root certificate
<signing_certificate>.cer                         HSM-backed signing certificate
<base64_signing_certificate>.cer                  HSM-backed signing certificate in base64 format
Public key handle of the signing certificate
Private key handle of the signing certificate

Import the HSM-backed certificate and its RootCA chain certificate into the new instance

Before you can use third-party tools such as SignTool to generate signatures with the HSM-backed certificate, you must move the signing certificate file into the Personal certificate store of the new Windows instance.

To do that, you copy the HSM-backed certificate that your application uses for signing operations, together with its root certificate chain, from the original instance to the new Windows instance.

If you issued your signing certificate through a private CA (as in my example), you must also deploy a copy of the root CA certificate and any intermediate certificates from the private CA to every system you want to use to verify the integrity of your signed file.

To import the HSM-backed certificate and root certificate

  1. Sign in to the Windows Server that hosts the private CA you used to issue your signing certificate. Then, run the following certutil command to export the root CA to a new file. Replace <RootCA> with a name that you can easily remember.
    C:\Users\Administrator\Desktop>certutil -ca.cert <RootCA>.cer
    
    CA cert[0]: 3 -- Valid
    CA cert[0]:
    
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
            
    CertUtil: -ca.cert command successfully completed.
    
    C:\Users\Administrator\Desktop>
    
  2. Copy the <RootCA>.cer file to your new Windows instance and run the following certutil command. This moves the root certificate from the file into the Trusted Root Certification Authorities store in Windows. You can verify that it is present by running certlm.msc and checking the Trusted Root Certification Authorities certificates.
    C:\Users\Administrator\Desktop>certutil -addstore "Root" <RootCA>.cer
    
    Root "Trusted Root Certification Authorities"
    Signature matches Public Key
    Certificate "MYRootCA" added to store.
    CertUtil: -addstore command completed successfully.
    
  3. Copy the HSM-backed signing certificate from the original instance to the new one, and run the following certutil command. This moves the certificate from the file into the Personal certificate store in Windows.
    C:\Users\Administrator\Desktop>certutil -addstore "My" <signing_certificate>.cer
    
    My "Personal"
    Certificate "www.mydomain.com" added to store.
    CertUtil: -addstore command completed successfully.
    
  4. Verify that the certificate is present in your Personal certificate store by running the following certutil command. The following sample output from certutil shows the serial number. Note the certificate serial number; you use it later. The last two lines are expected at this point: the store has the certificate but not yet any key provider information.
    C:\Users\Administrator\Desktop>certutil -store my
    
    my "Personal"
    ================ Certificate 0 ================
    Serial Number: <serial number>
    Issuer: CN=MYRootCA
     NotBefore: 2/5/2020 1:38 PM
     NotAfter: 2/5/2021 1:48 PM
    Subject: CN=www.mydomain.com, OU=Certificate Administration, O=Information Technologies, L=Houston, S=Texas, C=US
    Non-root Certificate
    Cert Hash(sha1): 5aaef93e7e972b1187363d880cfa3f71507c2e24
    No key provider information
    Cannot find the certificate and private key for decryption.
    CertUtil: -store command completed successfully.
    

Retrieve the key handles of the RSA key pair on the HSM

In this step, you retrieve the key handles of the existing public and private key pair on your CloudHSM so that you can use that key pair to create a key container on the new Windows instance.

One way to get the key handles of an existing key pair in the CloudHSM is to use the modulus value. Because the certificate and its public and private keys must all have the same modulus value, and you already have the signing certificate, you read its modulus value with the OpenSSL tool. Then, you use the findKey command in key_mgmt_util to find the public and private key handles on the HSM by that modulus value.

To retrieve the key handles

  1. Download the OpenSSL for Windows installation package.

    Note: In my example, I downloaded Win64OpenSSL-1_1_1d.exe.

  2. Right-click the downloaded file and choose Run as administrator.
  3. Follow the installation instructions, accepting all default settings. Then choose Install.
    1. If the error message “The Win64 OpenSSL Installation Project setup has detected that the following critical component is missing…”, shown in Figure 2, appears, you must install the Microsoft Visual C++ Redistributables to complete this procedure.

      Figure 2: OpenSSL installation error message

    2. Choose Yes to download and install the required Microsoft Visual C++ package on your system.
    3. Run the OpenSSL installer again and follow the installation instructions, accepting all default settings. Then choose Install.
  4. Choose Finish when the installation is complete.
    With the installation complete, OpenSSL for Windows is available as OpenSSL.exe in C:\Program Files\OpenSSL-Win64\bin. Always open the program as administrator.
  5. On the new CloudHSM client instance, copy your certificate to C:\Program Files\OpenSSL-Win64\bin and run the command certutil -encode <signing_certificate>.cer <base64_signing_certificate>.cer to export the certificate in base64 .cer format. This writes the certificate to a file with the name you enter in place of <base64_signing_certificate>.
    C:\Program Files\OpenSSL-Win64\bin>certutil -encode <signing_certificate>.cer <base64_signing_certificate>.cer

    Input Length = 1066
    Output Length = 1526
    CertUtil: -encode command completed successfully.

  6. Run the command openssl x509 -noout -modulus -in <base64_signing_certificate>.cer to view the certificate modulus.
    C:\Program Files\OpenSSL-Win64\bin>openssl x509 -noout -modulus -in <base64_signing_certificate>.cer
    
    Modulus=<hex modulus value>
    
  7. Save the certificate modulus in a text file named modulus.txt.
  8. Run the key_mgmt_util command line tool, and sign in as the CU, as described in Getting Started with key_mgmt_util. Replace <CU_username> and <CU_password> with the user name and password of the CU.
    Command: loginHSM -u CU -s <CU_username> -p <CU_password>
    
            Cfm3LoginHSM returned: 0x00 : HSM Return: SUCCESS
    
            Cluster Error Status
            Node id 13 and err state 0x00000000 : HSM Return: SUCCESS
            Node id 14 and err state 0x00000000 : HSM Return: SUCCESS
    
  9. Run the following findKey command to find the public key handle that has the same RSA modulus that you extracted previously. Enter the path to the modulus.txt file that you created in step 7. Note the public key handle that is returned so that you can use it in the next steps.
    Command: findKey -c 2 -m C:\Users\Administrator\Desktop\modulus.txt
    
            Total number of keys present: 1
    
            Number of matching keys from start index 0::0
    
            Handles of matching keys:
            <public key handle>
    
            Cluster Error Status
            Node id 13 and err state 0x00000000 : HSM Return: SUCCESS
            Node id 14 and err state 0x00000000 : HSM Return: SUCCESS
    
            Cfm3FindKey returned: 0x00 : HSM Return: SUCCESS
    
  10. Run the following findKey command to find the private key handle that has the same RSA modulus that you extracted earlier. Enter the path to the modulus.txt file that you created in step 7. Note the private key handle that is returned so that you can use it in the next steps.
    Command: findKey -c 3 -m C:\Users\Administrator\Desktop\modulus.txt
    
            Total number of keys present: 1
    
            Number of matching keys from start index 0::0
    
            Handles of matching keys:
            <private key handle>
    
            Cluster Error Status
            Node id 13 and err state 0x00000000 : HSM Return: SUCCESS
            Node id 14 and err state 0x00000000 : HSM Return: SUCCESS
    
            Cfm3FindKey returned: 0x00 : HSM Return: SUCCESS
    

Create a new key container for the existing public and private key pair in the CloudHSM

To use the same key pair across new Windows instances, you must copy the key containers to each instance, or create a new key container from the existing key pair in the key storage provider of each instance. In this step, you create a new key container that holds the public key of the certificate and the metadata of its corresponding private key. To create a new key container from an existing public and private key pair on the HSM, first make sure the CloudHSM client daemon is started. Then, use the import_key.exe utility, which is included in CloudHSM client version 3.0 and later.

To create a new key container

  1. Run the following import_key.exe command, replacing <private key handle> and <public key handle> with the private and public key handles you retrieved in the previous procedure. This represents the HSM key pair in a new key container in the key storage provider.
    C:\Program Files\Amazon\CloudHSM>import_key.exe -from HSM -privateKeyHandle <private key handle> -publicKeyHandle <public key handle>
    
    Represented 1 keypairs in Cavium Key Storage Provider.
    

    Note: If you get the error message n3fips_password is not set, make sure that you have set the login credentials for the HSM on your system.

  2. You can verify the new key container by running the following certutil command to list the key containers in your key storage provider (KSP). Note the key container name to use in the next steps.
    C:\Program Files\Amazon\CloudHSM>certutil -key -csp "Cavium Key Storage Provider"
    
    Cavium Key Storage Provider:
      <key container name>
      RSA
    
    
    CertUtil: -key command completed successfully.
    

Update the certificate store

Now you have everything in place: the imported certificate in the Personal certificate store of the new Windows instance, and the key container that represents the key pair in CloudHSM. In this step, you associate the certificate with the key container you made a note of earlier.

To update the certificate store

  1. Create a file named repair.txt as shown following.

    Note: You must use the key container name of your certificate from the previous step as the input for the repair.txt file.

    [Properties]
    11 = "" ; Add friendly name property
    2 = "text" ; Add Key Provider Information property
    _continue_="Container=<key container name>&"
    _continue_="Provider=Cavium Key Storage Provider&"
    _continue_="Flags=0&"
    _continue_="KeySpec=2"
    
  2. Make sure the CloudHSM client daemon is still running. Then, use the certutil verb -repairstore to update the certificate with the serial number you noted earlier, as shown in the following command. The sample shows the command and its output. See the Microsoft documentation for details about the -repairstore verb.
    certutil -repairstore my <serial number> repair.txt
    
    C:\Users\Administrator\Desktop>certutil -repairstore my <serial number> repair.txt
    
    my "Personal"
    ================ Certificate 0 ================
    Serial Number: <serial number>
    Issuer: CN=MYRootCA
     NotBefore: 2/5/2020 1:38 PM
     NotAfter: 2/5/2021 1:48 PM
    Subject: CN=www.mydomain.com, OU=Certificate Administration, O=Information Technologies, L=Houston, S=Texas, C=US
    Non-root Certificate
    Cert Hash(sha1): 5aaef93e7e972b1187363d880cfa3f71507c2e24
    CertUtil: -repairstore command completed successfully.
    
  3. Run the following certutil command to verify that your certificate has been successfully linked to the new key container. The Key Container and Provider lines now appear, and the private key is reported as not exportable, which is what you want from an HSM-backed key.
    C:\Users\Administrator\Desktop>certutil -store my
    
    my "Personal"
    ================ Certificate 0 ================
    Serial Number: <serial number>
    Issuer: CN=MYRootCA
     NotBefore: 2/5/2020 1:38 PM
     NotAfter: 2/5/2021 1:48 PM
    Subject: CN=www.mydomain.com, OU=Certificate Administration, O=Information Technologies, L=Houston, S=Texas, C=US
    Non-root Certificate
    Cert Hash(sha1): 5aaef93e7e972b1187363d880cfa3f71507c2e24
      Key Container = CNGRSAPriv-3145768-3407903-26dd1d
      Provider = Cavium Key Storage Provider
    Private key is NOT exportable
    Encryption test passed
    CertUtil: -store command completed successfully.
    

Now you can use this certificate and its corresponding private key with any third-party signing tool on Windows.

Use the certificate with Microsoft SignTool

Now that you have everything in place, you can use the certificate to sign a file with Microsoft SignTool.

To use the certificate

  1. Get the thumbprint of your certificate. To do this, right-click PowerShell and choose Run as administrator. Enter the following command:

    PS C:\>Get-ChildItem -path cert:\LocalMachine\My
    

    If successful, you should see output similar to the following.

    PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
    
    Thumbprint                                Subject
    ----------                                -------
    <thumbprint>                              CN=www.mydomain.com, OU=Certificate Administration, O=Information Technology, L=Ho...
    
  2. Copy the thumbprint. You need it to perform the actual signing operation on the file.
  3. Download and install one of the following versions of the Microsoft Windows SDK on your Windows EC2 instance:
     Microsoft Windows 10 SDK
     Microsoft Windows 8.1 SDK
     Microsoft Windows 7 SDK
    Install the latest Windows SDK package that applies to your operating system. For example, for Microsoft Windows 2012 R2 or later versions, you must install the Microsoft Windows 10 SDK.
  4. To open the SignTool application, navigate to the application directory within PowerShell. This is usually:
    C:\Program Files (x86)\Windows Kits\<SDK version>\bin\<build>\<architecture>\signtool.exe
    
  5. When you’ve located the directory, sign your file by running the following command. Be sure to replace <thumbprint> and <executable_file> with your own values. <executable_file> can be any executable file in your directory.
    PS C:\>.\signtool.exe sign /v /fd sha256 /sha1 <thumbprint> /sm /as C:\Users\Administrator\Desktop\<executable_file>
    

    You should see a message similar to the following:

    Done Adding Additional Store
    Successfully signed: C:\Users\Administrator\Desktop\<executable_file>
    
    Number of files successfully Signed: 1
    Number of warnings: 0
    Number of errors: 0
    
  6. (Optional) To verify the signature in the file, you can use SignTool.exe with the verify option, as in the following command.
    PS C:\>.\signtool.exe verify /v /pa C:\Users\Administrator\Desktop\<executable_file>
    

    If successful, you should see output similar to the following.

    Number of files successfully Verified: 1
    
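As an added example that is not part of the original post (nor an AWS tool), the following PowerShell functions wrap the per-instance steps above: importing the two certificates, producing modulus.txt for findKey, writing repair.txt, running -repairstore, checking that the private key is reachable through the Cavium KSP before anything is signed, and then signing and verifying with SignTool. The findKey and import_key steps stay manual in key_mgmt_util; the default openssl.exe path, the signtool.exe path you pass in, and the temporary file names are assumptions.

```powershell
# Added example (not from the post or from AWS): helper functions around certutil,
# openssl and signtool for a new Windows instance. Stage 1 runs before the HSM work;
# findKey and import_key stay manual in key_mgmt_util. Stage 2 runs once
# "certutil -key -csp" has shown the new container name. Paths are assumptions.
$ErrorActionPreference = 'Stop'
$Provider = 'Cavium Key Storage Provider'

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Native tools report failure only via the exit code, which $ErrorActionPreference ignores.
    $out = & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $ToolArgs failed ($LASTEXITCODE): $out" }
    return $out
}

# Stage 1: import root CA and signing certificate, and produce modulus.txt for findKey.
function Import-SigningCertificate {
    param([string]$RootCaCer, [string]$SigningCer,
          [string]$ModulusOut = "$env:TEMP\modulus.txt",
          [string]$OpenSsl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe')
    Invoke-Tool certutil @('-addstore', 'Root', $RootCaCer) | Out-Null
    Invoke-Tool certutil @('-addstore', 'My', $SigningCer) | Out-Null
    $b64 = "$env:TEMP\signing-b64.cer"
    if (Test-Path $b64) { Remove-Item $b64 }   # certutil -encode will not overwrite an existing file
    Invoke-Tool certutil @('-encode', $SigningCer, $b64) | Out-Null
    # Same modulus extraction as the post; the file is the -m argument of findKey -c 2 / -c 3.
    $modulus = Invoke-Tool $OpenSsl @('x509', '-noout', '-modulus', '-in', $b64)
    Set-Content -Path $ModulusOut -Value $modulus -Encoding ascii
    # The serial number feeds -repairstore; the thumbprint feeds signtool /sha1.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SigningCer
    return @{ SerialNumber = $cert.SerialNumber; Thumbprint = $cert.Thumbprint; ModulusFile = $ModulusOut }
}

# Stage 2: link the imported certificate to the KSP container and check the link.
function Connect-HsmKeyContainer {
    param([string]$SerialNumber, [string]$Thumbprint, [string]$KeyContainer)
    $repair = "$env:TEMP\repair.txt"
    @"
[Properties]
11 = "" ; Add friendly name property
2 = "text" ; Add Key Provider Information property
_continue_="Container=$KeyContainer&"
_continue_="Provider=$Provider&"
_continue_="Flags=0&"
_continue_="KeySpec=2"
"@ | Set-Content -Path $repair -Encoding ascii
    Invoke-Tool certutil @('-repairstore', 'my', $SerialNumber, $repair) | Out-Null
    # Fail before anything is signed if the private key is not reachable through the expected KSP.
    # The key itself never leaves the HSM; only key-provider metadata is attached to the certificate.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) { throw "certificate $Thumbprint has no linked private key" }
    $store = (Invoke-Tool certutil @('-store', 'my', $SerialNumber)) -join "`n"
    if ($store -notmatch [regex]::Escape($Provider)) { throw "key is not under '$Provider'" }
}

function Invoke-HsmSign([string]$Thumbprint, [string]$File, [string]$SignTool) {
    # $SignTool is the full path to signtool.exe from the Windows SDK you installed.
    # Same switches as the post: SHA-256 file digest, machine store, append signature.
    Invoke-Tool $SignTool @('sign', '/v', '/fd', 'sha256', '/sha1', $Thumbprint, '/sm', '/as', $File) | Out-Null
    # /pa verifies with the default Authenticode policy; the root CA must be trusted on this host.
    Invoke-Tool $SignTool @('verify', '/v', '/pa', $File) | Out-Null
}
```

Call Import-SigningCertificate first, use the returned ModulusFile with findKey and the resulting handles with import_key, then pass the container name from certutil -key to Connect-HsmKeyContainer and the thumbprint to Invoke-HsmSign.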

Conclusion

In this post, I walked you through the process of using an HSM-backed certificate on a new Windows instance for signing operations. You used the import_key.exe utility to create a new key container from an existing private/public key pair in CloudHSM. Then, you updated the certificate store to associate your certificate with the key container. Finally, you saw how to use the HSM-backed certificate with the new key container to sign executable files. As you continue to use this solution, it’s important to keep the Microsoft Windows SDK, the CloudHSM client software, and any other installed software up to date.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS CloudHSM forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.
