1.0 Introduction
This article describes how to integrate Fortanix Data Security Manager (DSM) with Sectigo for code signing.
It also contains the information that a user requires to:
Prepare the build server or code-signing workstation
Configure Fortanix DSM for Sectigo CA code-signing integration
Generate or import the private key and certificate
Fortanix DSM has a state-of-the-art code signing solution with the following capabilities:
FIPS 140-2 level 3 assurance for private key protection.
Support for all types of asymmetric keys, signing, and hashing algorithms used in code signing. It also supports signing just the hash.
Code signing in large enterprises often requires verification of metadata associated with the data being signed, as well as access controls for key usage. These checks can be securely performed using plugins in Fortanix DSM.
Code signing keys are highly sensitive, and their use should be tightly controlled. Fortanix DSM provides elaborate quorum-based policies to be configured for these keys, which require approval from M of N administrators before the signing operation is performed. Approvals can be obtained asynchronously and in a distributed manner.
Strict role-based access control, quorum-based approval workflows, automation, and detailed audit logs for all code signing operations.
Full support for REST APIs, KMIP, PKCS#11, JCE, Microsoft CAPI, and CNG for seamless integration with existing DevOps toolchains.
Code signing is future-proof in Fortanix DSM. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.
2.0 Preparing the Build Server/Code-Signing Workstation
The server or workstation that will be running SignTool must have the following:
Fortanix DSM CNG/EKM provider is installed on the system. Download the latest version from here.
Once installed, validate that the provider has been correctly registered using the command:
certutil -csplist
Figure 1: Code signing solution
SignTool is required and is included with the Windows 10 SDK. Download the latest version from here.
3.0 Configure Fortanix DSM
A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:
3.1 Signing Up
To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.
For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.
3.2 Creating an Account
Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.
Figure 2: Logging in
For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.
3.3 Creating a Group
Perform the following steps to create a group in the Fortanix DSM:
In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.
Figure 3: Add groups
On the Adding new group page, do the following:
Title: Enter a name for your group.
Description (optional): Enter a short description of the group.
Click SAVE to create the new group.
The new group is added to the Fortanix DSM successfully.
3.4 Creating an Application
Perform the following steps to create an application (app) in the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.
Figure 4: Add application
On the Adding new app page, do the following:
App name: Enter the name for your application.
ADD DESCRIPTION (optional): Enter a short description of the application.
Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.
Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.
Click SAVE to add the new application.
The new application is added to the Fortanix DSM successfully.
3.5 Copying the API Key
Perform the following steps to copy the API key from the Fortanix DSM:
In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.
On the INFO tab, click VIEW API KEY DETAILS.
From the API Key Details dialog box, copy the API Key of the app to use it later.
4.0 Fortanix KMS CNG Provider
Perform the following steps to configure the Fortanix DSM CNG provider on the build server or code-signing workstation.
The provider requires the following configuration parameters:
Fortanix DSM Endpoint
Fortanix DSM API Key
Run the following commands to store the configuration values in the Windows registry:
NOTE
You may optionally use the user registry instead of HKLM (HKEY_LOCAL_MACHINE) if preferred.
C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-endpoint https://amer.smartkey.io
C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-key ZGZiNzc0OGMtYmM0Mi00NGYzLTgxNTEtNTYyMzMxOTAxMmVjOkZDSjAxVS1nRHJHc0lYd1FaanZ4dktid0U2ei16M0VneTBGRWtzQnJfYUNwY3RRcUhXalhQcHZqeDZzRzB4ZzNkRmkzb0x2ZVMtcm9uSlJRVFlpRXFB
Run the following command to verify that the Fortanix KMS CNG Provider can communicate with Fortanix DSM successfully:
certutil -csp "Fortanix KMS CNG Provider" -key
Figure 5: Confirm the communication
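The following PowerShell script is an added example (not part of the original article or the Fortanix client) that wraps the two configuration commands above and the two certutil checks into one repeatable step. It reads the endpoint and API key from environment variables instead of placing the key on the command line, so the key is not left in shell history, and it fails early if the provider is not registered or cannot reach Fortanix DSM. The environment variable names and the "user" subcommand for per-user configuration are assumptions.

```powershell
# Added example: configure the Fortanix KMS CNG provider and verify it.
# Assumes the client is installed under the path shown in the article.
$clientDir    = 'C:\Program Files\Fortanix\KmsClient'
$configExe    = Join-Path $clientDir 'FortanixKMSClientConfig.exe'
$providerName = 'Fortanix KMS CNG Provider'

# Endpoint and API key come from the environment (variable names are assumptions),
# so the API key is not typed into, or logged from, the command line.
$endpoint = $env:FORTANIX_API_ENDPOINT   # for example https://amer.smartkey.io
$apiKey   = $env:FORTANIX_API_KEY

if (-not (Test-Path $configExe)) {
    throw "Fortanix KMS client not found at $configExe"
}
if ([string]::IsNullOrWhiteSpace($endpoint) -or [string]::IsNullOrWhiteSpace($apiKey)) {
    throw 'Set FORTANIX_API_ENDPOINT and FORTANIX_API_KEY before running this script.'
}

# Machine-wide (HKLM) configuration, as in the article. Replace 'machine' with
# the per-user subcommand (assumed to be 'user') to store the values under HKCU.
& $configExe machine --api-endpoint $endpoint
if ($LASTEXITCODE -ne 0) { throw 'Failed to store the API endpoint.' }
& $configExe machine --api-key $apiKey
if ($LASTEXITCODE -ne 0) { throw 'Failed to store the API key.' }

# Check 1: the provider is registered with CNG (same check as certutil -csplist).
$providers = certutil -csplist
if (-not ($providers | Select-String -SimpleMatch -Quiet $providerName)) {
    throw "Provider '$providerName' is not registered; reinstall the CNG/EKM provider."
}

# Check 2: the provider can talk to DSM. Listing keys fails with a non-zero exit
# code when the endpoint or API key is wrong, which is the usual misconfiguration.
$keys = certutil -csp $providerName -key 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "certutil -key failed; check the endpoint and API key:`n$($keys -join "`n")"
}
Write-Host "Provider '$providerName' is registered and reachable. Keys visible to this app:"
$keys
```

Run the script in an elevated PowerShell session, since the machine configuration writes to HKLM. An empty key list at the end is not an error: it only means the app's group does not yet contain a security object, which Section 5.1 creates.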
5.0 Create the Private Key and Certificate
To prevent unauthorized or malicious code signing, always secure private keys and associated certificates. Fortanix DSM enables you to generate keys securely and manage certificates with cryptographic best practices.
This section outlines how to:
Generate a private key securely within Fortanix DSM.
Create a Certificate Signing Request (CSR) using certreq.exe.
Submit the CSR to a Certificate Authority (CA) such as Sectigo.
Import the signed certificate into Fortanix DSM.
5.1 Generating a Private Key
This method uses the Fortanix DSM user interface (UI) and the Windows-native certreq.exe tool to build a secure certificate signing workflow using the Fortanix KMS CNG provider.
Perform the following steps to create a security object (private key) using Fortanix DSM:
In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.
Figure 6: Adding security object
On the Add new Security Object page, do the following:
Security Object Name: Enter the name of your security object.
Group: Select the group as created in Section 3.3: Creating a Group.
Select GENERATE.
In the Choose a type section, select the RSA key type.
In the Key Size section, select the size of the key in bits.
In the Key operations permitted section, select the Verify and Sign operations to define the actions that can be performed with the cryptographic keys.
Click GENERATE to create the new security object.
Figure 7: Generate private key
The new security object is added to the Fortanix DSM successfully.
Alternatively, you can run the following PowerShell commands to create a security object:
$cngProviderName = "Fortanix KMS CNG Provider"
$cngAlgorithmName = "RSA"
$cngKeySize = <size-of-RSA-Key> # Size of the RSA key in bits
$cngKeyName = "<name-of-security-object>" # Name identifying your key in the KSP
$cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)
$cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.Provider = $cngProvider
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
$keySizeProperty = New-Object System.Security.Cryptography.CngProperty("Length", [System.BitConverter]::GetBytes($cngKeySize), [System.Security.Cryptography.CngPropertyOptions]::None)
$cngKeyParameter.Parameters.Add($keySizeProperty)
$cngAlgorithm = New-Object System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)
$cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParameter)
Once the command completes, Fortanix DSM automatically registers the key, and it becomes visible in the Fortanix DSM UI under Security Objects.
5.2 Generating a CSR Using certreq.exe
Perform the following steps to generate a CSR using the Fortanix-backed private key and the Windows built-in certreq.exe tool:
In a temporary directory, create a new file named request.inf. Append the following configuration to the file, and update the placeholders as needed:
[NewRequest]
Subject = "CN=sectigo_private_key, OU=nishank, O=Fortanix, C=US"
KeyContainer = "sectigo_private_key"
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3
Where,
KeyContainer refers to the name of the Fortanix DSM private key.
ProviderName refers to the name shown in the Fortanix CNG provider installation.
Run the following command to generate the CSR:
certreq.exe -new request.inf request.csr
This command creates a file named request.csr in the same directory.
Send the generated request.csr file to a trusted Certificate Authority (CA) to obtain a signed certificate. The following is an example of the beginning and end of a generated CSR:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEiTCCAvECAQAwUDELMAkGA1UEBhMCVVMxETAPBgNVBAoMCEZvcnRhbml4MRAw
DgYDVQQLDAduaXNoYW5rMRwwGgYDVQQDDBNzZWN0aWdvX3ByaXZhdGVfa2V5MIIB
ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq5lA0CUztBzLWV0kkgH/qk94
CcOKZODm1LC8b3NF/pZuEWtUd1sryQVuOVbK3upiuthyMnsUNrADM+YwUf0iuxUb
e4EKJM4at5rUjE2nq7hzuWmR7LVDzCFniOwtxTOjAL7kViMKPlayzMkzJ/Lswx4k
ei4zGnxjpoUR0wBIMEIFL+FyHyDLlBWXfQ4/9H+BDOvC2KY+FUg8Co+cwUkPUkqV
VzT7n9IChA/tMgzwaRjcERjt6lcrtaWWnSdWreWCoH0iWfHheej//+wU6gNJMoNh
Hsn3yKAiIGmcmCqYeU/o92uzLQfLuNqCrXlMk2zdiyOL66wonoyANyhU2z/3HzHG
kaA0ETR01Kl3K+D4y9ovJCbagWbVX56SqQkPM2i2tT9MLRcMa24ao8MZJQ+GOIVh
or/4gvvVt+Dll/mCKWhxq3SgG9Xoaog2M3yP8A5UhzPlzmYWmq/XueZtSykRF0do
...
HxLk6gqN5k5fIPMtkt2kjOy55DKS83FbIe1LeCapI+0SADQLV6jNHjd5PEJfiBPb
Nq9bMM88DwOfWino/s+5RZKmDdcETOf78VrkszKvckMYp/CMnHuVrM3GpOpuBQQM
l4FcqToddNPlNnecRh0oA7Ecxaqa+xBj3DGGG4jGonMsW5qMYjMk3aI6SwWgiFuH
fXk5EmN+RyK+lW/b5Ogy1VKW4ERLdhjWtMqCVqsv3s9inUtx7Jc9Wb1ynR2j4Qzz
21AOVGgJgjp3R1gbuudl8M6CGE+ekGO+BZwpcDQAsV4Tu5j+53yPgnFunGgTDYfS
zoakzNCyRjpbBn3BAw==
-----END NEW CERTIFICATE REQUEST-----
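The following PowerShell script is an added example, not code from the article or from Fortanix, that automates Sections 5.1 and 5.2 end to end: it confirms the DSM-backed key container exists before certreq.exe is run (UseExistingKeySet = true makes certreq fail when the container is missing), writes the same request.inf shown above from variables, generates the CSR, and decodes it with certutil to confirm the subject and the code-signing EKU are present before the file is sent to the CA. The working directory and the verification strings are assumptions; the key name, subject and provider name are the article's own values.

```powershell
# Added example: generate a code-signing CSR against a Fortanix DSM key.
$providerName = 'Fortanix KMS CNG Provider'
$keyName      = 'sectigo_private_key'       # security object name from Section 5.1
$subject      = 'CN=sectigo_private_key, OU=nishank, O=Fortanix, C=US'
$workDir      = Join-Path $env:TEMP 'sectigo-csr'   # assumed working directory
New-Item -ItemType Directory -Force -Path $workDir | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$csrPath = Join-Path $workDir 'request.csr'

# certreq with UseExistingKeySet = true fails if the container is absent, so
# check first. MachineKey matches the KeyCreationOptions used in Section 5.1.
$provider = [System.Security.Cryptography.CngProvider]::new($providerName)
$exists = [System.Security.Cryptography.CngKey]::Exists(
    $keyName, $provider, [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
if (-not $exists) {
    throw "Key '$keyName' was not found in provider '$providerName'. Create it first (Section 5.1)."
}

# Same INF as the article: the EKU OID 1.3.6.1.5.5.7.3.3 is Code Signing.
@"
[NewRequest]
Subject = "$subject"
KeyContainer = "$keyName"
ProviderName = "$providerName"
UseExistingKeySet = true
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the CSR; the private key never leaves DSM, certreq only asks the
# provider to sign the request with it.
& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $csrPath)) {
    throw "certreq.exe failed (exit code $LASTEXITCODE); no CSR was written."
}

# Decode the CSR and check the fields the CA will act on. 'Code Signing' is the
# friendly name certutil prints for the EKU OID (assumed output format).
$dump = certutil -dump $csrPath
if (-not ($dump | Select-String -SimpleMatch -Quiet 'Code Signing')) {
    Write-Warning 'Code Signing EKU not found in the CSR; check the INF before submitting it.'
}
if (-not ($dump | Select-String -SimpleMatch -Quiet 'CN=sectigo_private_key')) {
    Write-Warning 'Subject CN not found in the CSR; check the INF before submitting it.'
}
$dump | Select-String -Pattern 'Subject:|Code Signing|Public Key Algorithm' -Context 0,1
Write-Host "CSR written to $csrPath; submit this file to the CA (Section 5.3)."
```

Run the script in an elevated session so the machine-scoped key container is visible. If the provider name in the INF does not match the name printed by certutil -csplist exactly, certreq reports a provider error rather than a key error, so compare that line first when troubleshooting.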
5.3 Requesting and Importing Signed Certificate
Perform the following steps to request and import the signed certificate from Sectigo into Fortanix DSM:
Purchase a Code Signing Certificate from Sectigo and log in to the Sectigo Client Dashboard.
Figure 8: Sectigo client dashboard
Click the Active product to request the certificate.
Figure 9: Request certificate
Paste the contents of the request.csr file created in Step 4 of Section 5.2: Generating a CSR Using certreq.exe into the CSR submission field and complete the request.
Figure 10: Submit certificate request
Once the CA returns the signed certificate, log in to the Fortanix DSM UI and create a security object using the IMPORT feature. Upload the signed certificate file in .cer or .crt format.
Figure 11: Import signed certificate
Keep a copy of the certificate on the server that will use SignTool.exe.
NOTE
The certificate can be exported again from Fortanix DSM if needed.
6.0 Code-Signing Integration (Directly from Workstation)
This section outlines the steps to sign code using a key managed by Fortanix DSM through a remote CNG provider, directly from a developer workstation.
Perform the following steps:
Before initiating the signing operation, verify that the file has no existing digital signatures.
Figure 12: Verify signature
Open a command prompt and ensure you are using the appropriate signtool.exe version based on your system architecture (for example, x64, x86).
Figure 13: Locate SignTool
Verify that the private key intended for signing is accessible in the CNG provider registered to Fortanix DSM.
Figure 14: Verify the key
Use the SignTool command with the appropriate parameters to sign your file. The following parameters are required to run SignTool successfully:
CSP: The CNG provider you wish to use for the sign operation.
KC: Key Container (also known as an alias) that will be used for the sign operation.
File: Certificate generated from the Private Key stored in Fortanix DSM.
Code to sign.
Figure 15: Sign the code
If the signing certificate is already present in the certificate store, you may omit the CSP and KC options:
Figure 16: Omit the CSP and KC
Once the signing operation is successful, Fortanix DSM will log an audit event indicating that the private key was used for a signing operation.
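The following PowerShell script is an added example (not from the article or from Fortanix) that carries out the steps above for one file: it locates the x64 signtool.exe from the installed Windows SDK, refuses to sign a file that already carries a signature (the check behind Figure 12), signs with the CNG provider and key container via SignTool's /csp, /kc and /f options, and then verifies the result with both signtool verify and Get-AuthenticodeSignature. The certificate path, target file and timestamp server URL are placeholders you must replace; the timestamp option is not mentioned in the article and is included because a timestamped signature remains valid after the certificate expires.

```powershell
# Added example: sign a file with a Fortanix DSM-backed key through SignTool.
$providerName = 'Fortanix KMS CNG Provider'
$keyContainer = 'sectigo_private_key'                # security object name (the /kc alias)
$certFile     = 'C:\certs\sectigo_codesign.cer'     # placeholder: cert kept from Section 5.3
$timestampUrl = 'http://<your-timestamp-server>'    # placeholder: your CA's RFC 3161 server
$target       = 'C:\build\app.exe'                   # placeholder: file to sign

# Step 2 (Figure 13): pick the newest x64 signtool.exe from the Windows 10 SDK.
$sdkBin   = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
$signtool = Get-ChildItem -Path $sdkBin -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -like '*\x64\signtool.exe' } |
    Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw "signtool.exe (x64) not found under $sdkBin; install the Windows 10 SDK." }
foreach ($p in $certFile, $target) { if (-not (Test-Path $p)) { throw "Missing file: $p" } }

# Step 3 (Figure 14): confirm the key container is visible through the provider.
$keys = certutil -csp $providerName -key 2>&1
if ($LASTEXITCODE -ne 0 -or -not ($keys | Select-String -SimpleMatch -Quiet $keyContainer)) {
    throw "Key container '$keyContainer' is not visible in '$providerName'."
}

# Step 1 (Figure 12): do not overwrite an existing signature; a file that is
# already signed should be investigated, not re-signed blindly.
$before = Get-AuthenticodeSignature -FilePath $target
if ($before.Status -ne 'NotSigned') {
    throw "$target already has a signature (status: $($before.Status)); aborting."
}

# Step 4 (Figure 15): sign. /fd and /td select SHA-256 for the file digest and
# the timestamp digest; /tr requests an RFC 3161 timestamp.
& $signtool sign /csp $providerName /kc $keyContainer /f $certFile `
    /fd SHA256 /tr $timestampUrl /td SHA256 /v $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with SignTool (/pa = default Authenticode policy) and with PowerShell,
# and report which certificate and timestamp authority are on the signature.
& $signtool verify /pa /v $target
if ($LASTEXITCODE -ne 0) { throw 'signtool verify failed; the signature does not chain to a trusted root.' }
$after = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    File       = $target
    Status     = $after.Status
    Signer     = $after.SignerCertificate.Subject
    Thumbprint = $after.SignerCertificate.Thumbprint
    Timestamp  = $after.TimeStamperCertificate.Subject
}
```

Because the private key stays in Fortanix DSM, the signing call is what generates the audit event described above; a failed verify with a successful sign usually means the signing certificate's chain is not trusted on the verifying machine rather than a problem with the key.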
7.0 Frequently Asked Questions
How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?
You can view all of the supported methods, algorithms, and modes with Fortanix DSM using the CNG provider by running csptest:
Figure 17: Validate supported algorithms