Signing executables with HSM-backed certificates using several Windows instances
Customers use code signing certificates to sign software, documents, and other certificates. Signing is a cryptographic tool that lets users verify that the code hasn't been altered and that the software, document, or other certificate can be trusted.
This blog post shows you how to configure your applications so that you can use a key pair already on your hardware security module (HSM) to generate signatures from any Windows instance. Many customers use multiple Amazon Elastic Compute Cloud (Amazon EC2) instances to sign workloads with the same key pair. You must configure these instances to use a pre-existing key pair from the HSM. In this post, I show how to create a key container on a new Windows instance from an existing key pair in AWS CloudHSM, and how to update the certificate store to associate the imported certificate with the new container. I also show how to use a common tool to sign executables with this key pair.
Every certificate is associated with a key pair, made up of a private key and a public key. You can only trust a signature if you can be sure that the private key has remained confidential and can be used only by the owner of the certificate. You achieve that goal by generating the key pair on an HSM and keeping the private key securely on the HSM. Enterprise certificate authority (CA) or public key infrastructure (PKI) applications are configured to use this private key on the HSM whenever they need to sign with the corresponding certificate. This configuration is usually handled transparently between the application and the HSM on the Windows instance the application is running on. The process becomes difficult when you want to use multiple Windows instances to sign with the same key pair. This is especially true if the EC2 instance that acted as the Windows Server CA, which you used to issue the HSM-backed certificate, has been deleted and all you have is a backup of the HSM-backed certificate.
Before we get into the details, you should know about a library called the key storage provider (KSP). Windows systems use KSP libraries to connect applications to an HSM. For each HSM brand, such as CloudHSM, you need a corresponding KSP to perform operations that involve cryptographic keys stored on that HSM. From your application, select the KSP that corresponds to the HSM on which you want to store (or use) your keys. All KSPs associate keys on the HSM with metadata in the Microsoft ecosystem by using key containers. Key containers map the metadata in certificates to metadata on the HSM, which allows the application to work with the keys. The list of certificates available for Microsoft utilities to sign with is held in a trust store. To use the same key pair across multiple Windows instances, you must copy the key containers to each instance (or create a new key container from the existing key pair on each instance) and import the corresponding certificate into the trust store of each instance.
The solution in this post assumes that you've completed the steps in Signing executables with Microsoft SignTool.exe using AWS CloudHSM-backed certificates. You should already have your HSM-backed certificate on one Windows instance.
Before you implement the solution, you must:
- Install the AWS CloudHSM client on the new instance and make sure that you can connect to the HSM in your CloudHSM cluster.
- Verify the installation of the CloudHSM KSP and CNG providers on your new instance.
- Set the login credentials for the HSM on your system. Set the credentials through Windows Credentials Manager. I recommend that you reboot your instance after setting the credentials.
Note: The login credentials identify the crypto user (CU) in the HSM that has access to the key pair in CloudHSM.
The architecture diagram for this solution shows a virtual private cloud (VPC) with an EC2 instance running Windows Server 2016 on private subnet 1. This instance runs the CloudHSM client software and uses your HSM-backed certificate, whose key pair is already on your HSM, to sign executable files. The instance is reached through a VPN connection, and its security groups allow RDP access from the on-premises network. Private subnet 2 hosts the elastic network interface for the CloudHSM cluster, which has a single HSM.
Out of scope
The focus of this blog post is how to use an HSM-backed certificate, with a key pair already on your HSM, to sign executable files from any Windows instance using Microsoft SignTool.exe. This post isn't intended to represent best practices for implementing code signing or Amazon EC2. For more information, see the NIST cybersecurity whitepaper Security Considerations for Code Signing and Best practices for Amazon EC2, respectively.
Deploy the solution
To deploy the solution, you use certutil, import_key, and SignTool. Certutil is a Microsoft tool that helps you examine your system for available certificates and key containers. Import_key, a tool provided by CloudHSM, generates a local key container for a key pair that is on your HSM. To complete the process, you use SignTool, a Microsoft tool that lets Windows users digitally sign files, verify signatures in files, and timestamp files.
You will need the following:
| Certificates or key materials | Purpose |
| --- | --- |
| <root CA>.cer | Root certificate |
| <signing certificate>.cer | HSM-backed signing certificate |
| <signing certificate base64>.cer | HSM-backed signing certificate in base64 format |
| Public key handle of the signing certificate | |
| Private key handle of the signing certificate | |
Import the HSM-backed certificate and its root CA chain certificate into the new instance
Before you can use third-party tools such as SignTool to generate signatures with the HSM-backed certificate, you must move the signing certificate file into the Personal certificate store on the new Windows instance.
To do that, you copy the HSM-backed certificate that your application uses for signing operations, together with its root certificate chain, from the original instance to the new Windows instance.
If you issued your signing certificate through a private CA (as in my example), you must deploy a copy of the root CA certificate and any intermediate certificates from the private CA to every system you want to use to verify the integrity of your signed file.
To import the HSM-backed certificate and root certificate
- Sign in to the Windows Server that hosts the private CA you used to issue your signing certificate. Then run the following certutil command to export the root CA certificate to a new file. Replace the placeholder file name with a name that you can remember easily.
- Copy the .cer file to your new Windows instance and run the following certutil command. This moves the root certificate from the file into the Trusted Root Certification Authorities store in Windows. You can verify that it is present by running certlm.msc and looking at the Trusted Root Certification Authorities certificates.
- Copy the HSM-backed signing certificate from the original instance to the new one, and run the following certutil command. This moves the certificate from the file into the Personal certificate store in Windows.
- Verify that the certificate is present in your Personal certificate store by running the following certutil command. The sample certutil output that follows shows the serial number. Note the certificate serial number; you will use it later.
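The import procedure above, as an added PowerShell example (not the post's own commands): it places the two certificates in the machine stores, confirms the signing certificate is present, and records the serial number for the later -repairstore step. The file paths are assumed placeholders.

```powershell
# Added example: import the root CA and the HSM-backed signing certificate on
# the new instance, then record the serial number that later steps need.
$rootCer    = 'C:\certs\root-ca.cer'        # assumed path: root CA exported from the private CA
$signingCer = 'C:\certs\signing-cert.cer'   # assumed path: HSM-backed cert copied from the first instance

# The root CA belongs in Trusted Root Certification Authorities (machine store);
# the signing certificate belongs in the Personal (My) store, which certlm.msc shows.
Import-Certificate -FilePath $rootCer    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $signingCer -CertStoreLocation 'Cert:\LocalMachine\My'   | Out-Null

# Read the file to learn its thumbprint, then find the same certificate in the store.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCer)
$stored   = Get-ChildItem 'Cert:\LocalMachine\My' |
            Where-Object { $_.Thumbprint -eq $fileCert.Thumbprint }
if (-not $stored) { throw 'Signing certificate not found in the Personal store after import' }

# Chain check: the root (and any intermediates) you deployed must actually issue this certificate.
if (-not $stored.Verify()) {
    Write-Warning 'Certificate chain does not validate; check the root and intermediate CA certificates'
}

# Serial number as certutil -store prints it (hex, no separators); note it for certutil -repairstore.
Write-Output "Serial number to note: $($stored.SerialNumber)"

# The private key lives on the HSM, so HasPrivateKey is expected to be False until the
# key container is created and linked to the certificate in the later steps.
Write-Output "HasPrivateKey (expected False at this stage): $($stored.HasPrivateKey)"
```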
Retrieve the key handles of the RSA key pair on the HSM
In this step, you retrieve the key handles of the existing public and private key pair on your CloudHSM so that you can use that key pair to create a key container on the new Windows instance.
One way to find the key handles of an existing key pair in CloudHSM is to use the modulus value. Because the certificate and its public and private keys must all share the same modulus, and you already have the signing certificate, you read its modulus with the OpenSSL tool. Then you use the findKey command in key_mgmt_util to look up the public and private key handles on the HSM by that modulus value.
To retrieve the key handles
- Download the OpenSSL for Windows installation package.
Note: In my example, I downloaded Win64OpenSSL-1_1_1d.exe.
- Right-click in the downloaded document and choose Run as administrator.
- Follow the installation instructions, accepting all default settings. Then choose Install.
- If the error message "The Win64 OpenSSL Installation Project setup has detected that the following critical component is missing…", shown in Figure 2, appears, you must install the Microsoft Visual C++ Redistributables to complete this procedure.
- Choose Yes to download and install the required Microsoft Visual C++ package on your system.
- Run the OpenSSL installer again and follow the installation instructions, accepting all default settings. Then choose Install.
- Choose Finish once the installation is complete.
With the installation complete, OpenSSL for Windows is available as OpenSSL.exe in C:\Program Files\OpenSSL-Win64\bin. Always open the program as administrator.
- On the new CloudHSM client instance, copy your certificate to C:\Program Files\OpenSSL-Win64\bin and run the command certutil -encode <signing certificate>.cer <signing certificate base64>.cer to export the certificate in base64 .cer format. This writes the certificate to a file with the name you type in place of <signing certificate base64>.
Input Length = 1066
Output Length = 1526
CertUtil: -encode command completed successfully.
- Run the command openssl x509 -noout -modulus -in <signing certificate base64>.cer to view the certificate modulus.
- Save the certificate modulus in a text file named modulus.txt.
- Run the key_mgmt_util command line tool and log in as the CU, as described in Getting Started with key_mgmt_util. Replace <user name> and <password> with the credentials of the CU.
- Run the following findKey command to find the public key handle that has the same RSA modulus you extracted previously. Enter the path to the modulus.txt file that you created in step 7. Note the public key handle that is returned so that you can use it in the following steps.
- Run the following findKey command to find the private key handle that has the same RSA modulus you extracted earlier. Enter the path to the modulus.txt file that you created in step 7. Note the private key handle that is returned so that you can use it in the following steps.
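The modulus lookup described above, as an added PowerShell example (not the post's own commands). It assumes the OpenSSL and key_mgmt_util install paths shown, that key_mgmt_util accepts its commands on standard input, and that findKey takes the key class as -c (2 = public, 3 = private) and the modulus file as -m; confirm the option names against findKey's help on your client version. It also adds a cross-check the post does not show: the modulus OpenSSL prints is compared with the modulus read straight from the certificate by .NET.

```powershell
# Added example: derive the certificate modulus and look up the matching key handles on the HSM.
$openssl    = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$keyMgmt    = 'C:\Program Files\Amazon\CloudHSM\key_mgmt_util.exe'   # assumed install path
$derCer     = 'C:\certs\signing-cert.cer'          # DER certificate copied from the first instance
$pemCer     = 'C:\certs\signing-cert-base64.cer'   # base64 copy produced by certutil -encode
$modulusTxt = 'C:\certs\modulus.txt'

# 1. certutil -encode converts the DER file to base64 so OpenSSL can read it as PEM.
certutil -encode $derCer $pemCer | Out-Null

# 2. OpenSSL prints "Modulus=<hex>"; keep only the hex digits for findKey.
$line    = & $openssl x509 -noout -modulus -in $pemCer
$modulus = ($line -replace '^Modulus=', '').Trim()
if ($modulus -notmatch '^[0-9A-Fa-f]+$') { throw "Unexpected modulus output: $line" }
Set-Content -Path $modulusTxt -Value $modulus -NoNewline

# 3. Cross-check without OpenSSL: the modulus embedded in the certificate must be identical.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($derCer)
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$dotnetModulus = ($rsa.ExportParameters($false).Modulus | ForEach-Object { $_.ToString('X2') }) -join ''
if ($dotnetModulus -ne $modulus.ToUpper()) { throw 'Modulus mismatch between OpenSSL and the certificate' }

# 4. Ask the HSM for the handles of the public (class 2) and private (class 3) keys
#    that carry this modulus. Option names are assumptions; see the lead-in.
$cu = '<CU user name>'; $pw = '<CU password>'   # placeholders for the crypto user credentials
$commands = @"
loginHSM -u CU -s $cu -p $pw
findKey -c 2 -m $modulusTxt
findKey -c 3 -m $modulusTxt
quit
"@
# key_mgmt_util is interactive; if piping does not work on your version, paste the lines above.
$commands | & $keyMgmt
```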
Create a new key container for the existing public and private key pair in CloudHSM
To use the same key pair across new Windows instances, you must copy the key containers to each instance, or create a new key container from the existing key pair in the key storage provider of each instance. In this step, you create a new key container to hold the public key of the certificate and the metadata of its corresponding private key. To create a new key container from an existing public and private key pair on the HSM, first make sure that the CloudHSM client daemon is running. Then use the import_key.exe utility, which is included in CloudHSM client version 3.0 and later.
To create a new key container
- Run the following import_key.exe command, replacing <public key handle> and <private key handle> with the public and private key handles you retrieved in the previous procedure. This represents the HSM key pair in a new key container in the key storage provider.
Note: If you get the error message n3fips_password is not set, make sure that you have set the login credentials for the HSM on your system.
- You can verify the new key container by running the following certutil command to list the key containers in your key storage provider (KSP). Note the key container name; you will use it in the following steps.
Update the certificate store
Now you have everything in place: the imported certificate in the Personal certificate store of the new Windows instance, and the key container that represents the key pair in CloudHSM. In this step, you associate the certificate with the key container whose name you noted earlier.
To update the certificate store
- Create a file named fix.txt as shown following.
Note: You must use the key container name of your certificate, which you obtained in the previous step, as the input for the fix.txt file.
- Make sure the CloudHSM client daemon is still running. Then use the certutil verb -repairstore to update the certificate with the serial number you noted earlier, as shown in the following command. The sample that follows shows the command and its output. See the Microsoft documentation for information about the -repairstore verb.
- Run the following certutil command to verify that your certificate has been successfully linked to the new key container.
Now you can use this certificate and its corresponding private key with any third-party signing tool on Windows.
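The two procedures above (creating the key container, then repairing the store entry), as one added PowerShell example that is not the post's own code. The import_key.exe option names, the "Cavium Key Storage Provider" KSP name, and the fix.txt layout (the [Properties] format documented for certutil -repairstore) are assumptions to check against your CloudHSM client version; the key handles, serial number and container name are placeholders to fill in from the earlier steps.

```powershell
# Added example: create the key container from the HSM key handles, then bind
# the imported certificate to that container with certutil -repairstore.
$importKey  = 'C:\Program Files\Amazon\CloudHSM\import_key.exe'   # assumed install path
$pubHandle  = '<public key handle>'    # from findKey for the public key
$privHandle = '<private key handle>'   # from findKey for the private key
$serial     = '<certificate serial>'   # noted from the certutil listing of the Personal store
$ksp        = 'Cavium Key Storage Provider'
$fixTxt     = 'C:\certs\fix.txt'

# 1. Create a local key container that refers to the key pair on the HSM (option names assumed).
& $importKey -from HSM -publicKeyHandle $pubHandle -privateKeyHandle $privHandle

# 2. List the containers the KSP knows about and copy the new container's name into $container.
certutil -csp $ksp -key
$container = '<key container name>'

# 3. fix.txt: property 2 is the Key Provider Information that ties a certificate to a container.
@"
[Properties]
11 = "" ; Add friendly name property
2 = "{text}" ; Add Key Provider Information property
    _continue_ = "Container=$container&"
    _continue_ = "Provider=$ksp&"
    _continue_ = "Flags=0&"
    _continue_ = "KeySpec=2"
"@ | Set-Content -Path $fixTxt -Encoding ASCII

# 4. Repair the Personal (machine) store entry identified by the serial number.
certutil -repairstore my $serial $fixTxt

# 5. Verify: the store listing should now name the KSP, and Windows should report a private key.
$listing = certutil -store my $serial | Out-String
if ($listing -notmatch [regex]::Escape($ksp)) { throw "Certificate is not linked to $ksp" }
$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.SerialNumber -eq $serial.ToUpper() }
Write-Output "HasPrivateKey after repair (expected True): $($cert.HasPrivateKey)"
```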
Use the certificate with Microsoft SignTool
Now that everything is in place, you can use the certificate to sign a file with Microsoft SignTool.
To use the certificate
- Get the thumbprint of your certificate. To do this, right-click PowerShell and choose Run as administrator. Enter the following command:
If successful, you should see output similar to the following.
- Copy the thumbprint. You need it to perform the actual signing operation on the file.
- Download and install one of the following versions of the Microsoft Windows SDK on your Windows EC2 instance:
Microsoft Windows 10 SDK
Microsoft Windows 8.1 SDK
Microsoft Windows 7 SDK
Install the latest Windows SDK package that applies to your operating system. For example, for Microsoft Windows 2012 R2 or later versions, you should install the Microsoft Windows 10 SDK.
- To open the SignTool application, navigate to the application directory in PowerShell. This is usually:
- Once you've located the directory, sign your file by running the following command. Be sure to replace <thumbprint> and <file name> with your own values. <file name> can be any executable file in your directory.
You should see a message similar to the following:
- (Optional) To verify the signature on the file, you can use SignTool.exe with the verify option, using the following command.
If successful, you should see output similar to the following.
In this post, I walked you through the process of using an HSM-backed certificate on a new Windows instance for signing operations. You used the import_key.exe utility to create a new key container from an existing private/public key pair in CloudHSM. Then you updated the certificate store to associate your certificate with the key container. Finally, you saw how to use the HSM-backed certificate with the new key container to sign executable files. As you continue to use this solution, it's important to keep the Microsoft Windows SDK, the CloudHSM client software, and any other installed software up to date.
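The signing and verification steps above, as an added PowerShell example (not the post's own commands). It locates signtool.exe under the Windows 10 SDK install directory rather than assuming a version-specific path, selects the certificate by the serial number noted earlier, and adds a second, SignTool-independent check with Get-AuthenticodeSignature. The file name and serial are placeholders.

```powershell
# Added example: sign an executable with the HSM-backed certificate and verify the result.
$file   = 'C:\build\app.exe'            # placeholder: any executable you want to sign
$serial = '<certificate serial>'        # placeholder: serial noted from the Personal store

# Find signtool.exe from the Windows 10 SDK (x64 build) without hard-coding the SDK version.
$signtool = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin' -Recurse -Filter signtool.exe |
            Where-Object { $_.FullName -like '*\x64\*' } | Select-Object -Last 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows 10 SDK' }

# Thumbprint of the certificate that was linked to the KSP key container.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.SerialNumber -eq $serial.ToUpper() }
if (-not $cert -or -not $cert.HasPrivateKey) { throw 'Certificate missing or not linked to its HSM key' }
$thumbprint = $cert.Thumbprint

# Sign: /sm selects the machine store, /sha1 picks the certificate by thumbprint,
# /fd sha256 sets the file digest algorithm. The private key operation happens on the HSM.
& $signtool sign /v /fd sha256 /sm /sha1 $thumbprint $file
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with SignTool (/pa = default Authenticode policy, which trusts the imported root CA).
& $signtool verify /v /pa $file
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check: Windows itself must accept the signature and it must be from our certificate.
$sig = Get-AuthenticodeSignature -FilePath $file
if ($sig.Status -ne 'Valid') { throw "Authenticode status is $($sig.Status)" }
if ($sig.SignerCertificate.Thumbprint -ne $thumbprint) { throw 'Signed by an unexpected certificate' }
Write-Output "Signature on $file is valid and was produced with thumbprint $thumbprint"
```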
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS CloudHSM forum or contact AWS Support.