Using Fortanix Data Security Manager with Sectigo CA for Secure Certificate Generation


1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with the Sectigo certificate authority (CA) for code signing.

It also contains the information that a user requires to:

  • Prepare the build server or code-signing workstation

  • Configure Fortanix DSM for Sectigo CA code-signing integration

  • Generate or import the private key and certificate

Fortanix DSM has a state-of-the-art code signing solution with the following capabilities:

  1. FIPS 140-2 level 3 assurance for private key protection.

  2. Support for all types of asymmetric keys, signing, and hashing algorithms used in code signing. It also supports signing just the hash.

  3. Code signing in large enterprises often requires verification of metadata associated with the data being signed, as well as access controls for key usage. These checks can be securely performed using plugins in Fortanix DSM.

  4. Code signing keys are highly sensitive, and their use should be tightly controlled. Fortanix DSM provides elaborate quorum-based policies to be configured for these keys, which require approval from M of N administrators before the signing operation is performed. Approvals can be obtained asynchronously and in a distributed manner.

  5. Strict role-based access control, quorum-based approval workflows, automation, and detailed audit logs for all code signing operations.

  6. Full support for REST APIs, KMIP, PKCS#11, JCE, Microsoft CAPI, and CNG for seamless integration with existing DevOps toolchains.

  7. Code signing is future-proof in Fortanix DSM. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.

2.0 Preparing the Build Server/Code-Signing Workstation

The server or workstation that will run SignTool must have the following:

  • Fortanix DSM CNG/EKM provider is installed on the system. Download the latest version from here.

    Once installed, validate that the provider has been correctly registered using the command: certutil -csplist


    Figure 1: Code signing solution

  • SignTool is required and is included with the Windows 10 SDK. Download the latest version from here.

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 2: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 3: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 4: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select API Key (the default) as the authentication method from the drop-down menu. For more information on the available authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click VIEW API KEY DETAILS.

  3. From the API Key Details dialog box, copy the API Key of the app to use it later.

4.0 Fortanix KMS CNG Provider

Perform the following steps to configure the Fortanix DSM CNG provider on the build server or code-signing workstation.

The provider requires the following configuration parameters:

  • Fortanix DSM Endpoint

  • Fortanix DSM API Key

  1. Run the following commands to store the configuration values in the Windows registry:

    NOTE

    You may optionally use the user registry instead of HKLM (HKEY_LOCAL_MACHINE) if preferred.

    C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-endpoint https://amer.smartkey.io
    
    C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-key ZGZiNzc0OGMtYmM0Mi00NGYzLTgxNTEtNTYyMzMxOTAxMmVjOkZDSjAxVS1nRHJHc0lYd1FaanZ4dktid0U2ei16M0VneTBGRWtzQnJfYUNwY3RRcUhXalhQcHZqeDZzRzB4ZzNkRmkzb0x2ZVMtcm9uSlJRVFlpRXFB
  2. Run the following command to verify that the Fortanix KMS CNG Provider can communicate with Fortanix DSM successfully:

    certutil -csp "Fortanix KMS CNG Provider" -key

    The command lists the keys visible through the provider; a failure here means the endpoint or API key stored in the previous step is wrong, or the DSM endpoint is not reachable from this host.

    Figure 5: Confirm the communication
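The following PowerShell script is an added example for this article (it is not Fortanix code) that turns the checks from Section 2.0 and Section 4.0 into a repeatable pre-flight test for a build server: it confirms that the provider is registered with Windows, that the provider can reach Fortanix DSM with the stored endpoint and API key, and that a SignTool binary is available. It assumes the provider name "Fortanix KMS CNG Provider" (the name used elsewhere in this article) and the default Windows 10 SDK installation path.

```powershell
# Added example, not part of the Fortanix article: pre-flight checks for the
# build server or workstation described in Sections 2.0 and 4.0.
# Assumptions: the provider registers as "Fortanix KMS CNG Provider" and
# SignTool comes from a default Windows 10 SDK install.

$ProviderName = "Fortanix KMS CNG Provider"

function Test-FortanixProviderRegistered {
    # certutil -csplist prints one "Provider Name: <name>" line per CSP/KSP.
    $listing = & certutil.exe -csplist 2>&1
    $pattern = "Provider Name:\s+" + [regex]::Escape($ProviderName)
    return [bool]($listing | Where-Object { $_ -match $pattern })
}

function Test-FortanixProviderConnectivity {
    # Listing the keys through the provider forces a round trip to DSM using the
    # endpoint and API key stored in Section 4.0; a non-zero exit code means that
    # configuration (or network access to the DSM endpoint) is wrong.
    $null = & certutil.exe -csp $ProviderName -key 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Find-SignTool {
    param([ValidateSet("x64", "x86", "arm64")][string]$Arch = "x64")
    # Default SDK layout (assumption): ...\Windows Kits\10\bin\<sdk-version>\<arch>\signtool.exe
    $root = Join-Path ${env:ProgramFiles(x86)} "Windows Kits\10\bin"
    if (-not (Test-Path $root)) { return $null }
    Get-ChildItem -Path $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -eq $Arch } |
        Sort-Object {
            # Newest SDK version first; directories without a version number sort last.
            $v = $null
            if ([version]::TryParse($_.Directory.Parent.Name, [ref]$v)) { $v } else { [version]"0.0" }
        } -Descending |
        Select-Object -First 1 -ExpandProperty FullName
}

$results = [ordered]@{
    ProviderRegistered = Test-FortanixProviderRegistered
    ProviderReachesDsm = Test-FortanixProviderConnectivity
    SignToolPath       = Find-SignTool -Arch "x64"
}
[pscustomobject]$results | Format-List

if (-not ($results.ProviderRegistered -and $results.ProviderReachesDsm -and $results.SignToolPath)) {
    Write-Error "Pre-flight checks failed; fix the items listed above before attempting to sign."
    exit 1
}
```

Run the script from the same account that will later run SignTool: the provider configuration written with the `machine` option in Section 4.0 is shared, but a per-user configuration would only be visible to the account that wrote it.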

5.0 Create the Private Key and Certificate

To prevent unauthorized or malicious code signing, always secure private keys and associated certificates. Fortanix DSM enables you to generate keys securely and manage certificates with cryptographic best practices.

This section outlines how to:

  • Generate a private key securely within Fortanix DSM.

  • Create a Certificate Signing Request (CSR) using certreq.exe.

  • Submit the CSR to a Certificate Authority (CA) such as Sectigo.

  • Import the signed certificate into Fortanix DSM.

5.1 Generating a Private Key

This method uses the Fortanix DSM user interface (UI) and the Windows-native certreq.exe tool to build a secure certificate signing workflow using the Fortanix KMS CNG provider.

Perform the following steps to create a security object (private key) using Fortanix DSM:

  1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

    Figure 6: Adding security object

  2. On the Add new Security Object page, do the following:

    1. Security Object Name: Enter the name of your security object.

    2. Group: Select the group as created in Section 3.3: Creating a Group.

    3. Select GENERATE.

    4. In the Choose a type section, select the RSA key type.

    5. In the Key Size section, select the size of the key in bits. Use 3072 bits or larger: publicly trusted code-signing certificates require an RSA key of at least 3072 bits, and the CA rejects a CSR for a smaller key.

    6. In the Key operations permitted section, select the Verify and Sign operations to define the actions that can be performed with the cryptographic keys.

  3. Click GENERATE to create the new security object.

    Figure 7: Generate private key

The new security object is added to the Fortanix DSM successfully.

Alternatively, you can run the following PowerShell commands to create the security object through the Fortanix KMS CNG provider:

$cngProviderName = "Fortanix KMS CNG Provider"
$cngAlgorithmName = "RSA"
$cngKeySize = 3072 # 3072 bits is the minimum accepted for publicly trusted code-signing certificates; 4096 is also accepted
$cngKeyName = "<name-of-security-object>" # Name identifying your key in the KSP and as the security object in Fortanix DSM
$cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)

$cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.Provider = $cngProvider
# MachineKey creates a machine-wide key container, matching the "machine" configuration written in Section 4.0
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey

# The RSA key length is passed to the provider as the "Length" property (a little-endian Int32)
$keySizeProperty = New-Object System.Security.Cryptography.CngProperty("Length", [System.BitConverter]::GetBytes([int]$cngKeySize), [System.Security.Cryptography.CngPropertyOptions]::None)
$cngKeyParameter.Parameters.Add($keySizeProperty)

$cngAlgorithm = New-Object System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)
$cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParameter)
$cngKey.KeyName # The container name to use later as KeyContainer in request.inf and as /kc for SignTool
$cngKey.Dispose()

Once the command completes, Fortanix DSM automatically registers the key, and it becomes visible in the Fortanix DSM UI under Security Objects.

5.2 Generating a CSR Using certreq.exe

Perform the following steps to generate a CSR using the Fortanix-backed private key and the Windows built-in certreq.exe tool:

  1. In a temporary directory, create a new file named request.inf.

  2. Append the following configuration to the file, and update the placeholders as needed:

    [NewRequest]
    
    Subject = "CN=sectigo_private_key, OU=nishank, O=Fortanix, C=US"
    KeyContainer = "sectigo_private_key"
    ProviderName = "Fortanix KMS CNG Provider"
    UseExistingKeySet = true
    
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.3

    Where,

    • KeyContainer refers to the name of the Fortanix DSM private key (the security object name created in Section 5.1).

    • ProviderName refers to the provider name registered by the Fortanix CNG provider installation, as listed by certutil -csplist.

    • UseExistingKeySet = true tells certreq.exe to use the existing container instead of generating a new key; if the key was created as a machine key (as the PowerShell example in Section 5.1 does with CngKeyCreationOptions::MachineKey), also add MachineKeySet = true under [NewRequest] so that certreq.exe looks in the machine key store rather than the current user's.

    • The OID 1.3.6.1.5.5.7.3.3 under [EnhancedKeyUsageExtension] is the Code Signing extended key usage.

  3. Run the following command to generate the CSR:

    certreq.exe -new request.inf request.csr

    This command creates a file named request.csr in the same directory.

  4. Send the generated request.csr file to a trusted Certificate Authority (CA) to obtain a signed certificate.

    The following is an example of the beginning and end of a generated CSR:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIEiTCCAvECAQAwUDELMAkGA1UEBhMCVVMxETAPBgNVBAoMCEZvcnRhbml4MRAw
    DgYDVQQLDAduaXNoYW5rMRwwGgYDVQQDDBNzZWN0aWdvX3ByaXZhdGVfa2V5MIIB
    ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq5lA0CUztBzLWV0kkgH/qk94
    CcOKZODm1LC8b3NF/pZuEWtUd1sryQVuOVbK3upiuthyMnsUNrADM+YwUf0iuxUb
    e4EKJM4at5rUjE2nq7hzuWmR7LVDzCFniOwtxTOjAL7kViMKPlayzMkzJ/Lswx4k
    ei4zGnxjpoUR0wBIMEIFL+FyHyDLlBWXfQ4/9H+BDOvC2KY+FUg8Co+cwUkPUkqV
    VzT7n9IChA/tMgzwaRjcERjt6lcrtaWWnSdWreWCoH0iWfHheej//+wU6gNJMoNh
    Hsn3yKAiIGmcmCqYeU/o92uzLQfLuNqCrXlMk2zdiyOL66wonoyANyhU2z/3HzHG
    kaA0ETR01Kl3K+D4y9ovJCbagWbVX56SqQkPM2i2tT9MLRcMa24ao8MZJQ+GOIVh
    or/4gvvVt+Dll/mCKWhxq3SgG9Xoaog2M3yP8A5UhzPlzmYWmq/XueZtSykRF0do
    (intermediate lines omitted)
    HxLk6gqN5k5fIPMtkt2kjOy55DKS83FbIe1LeCapI+0SADQLV6jNHjd5PEJfiBPb
    Nq9bMM88DwOfWino/s+5RZKmDdcETOf78VrkszKvckMYp/CMnHuVrM3GpOpuBQQM
    l4FcqToddNPlNnecRh0oA7Ecxaqa+xBj3DGGG4jGonMsW5qMYjMk3aI6SwWgiFuH
    fXk5EmN+RyK+lW/b5Ogy1VKW4ERLdhjWtMqCVqsv3s9inUtx7Jc9Wb1ynR2j4Qzz
    21AOVGgJgjp3R1gbuudl8M6CGE+ekGO+BZwpcDQAsV4Tu5j+53yPgnFunGgTDYfS
    zoakzNCyRjpbBn3BAw==
    -----END NEW CERTIFICATE REQUEST-----
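The following PowerShell script is an added example for this article (not Fortanix code) that scripts the whole of Section 5.2: it writes request.inf for the existing DSM-backed key, runs certreq.exe, and then inspects the resulting CSR with certutil -dump to confirm the key length and the Code Signing EKU before anything is submitted to Sectigo. It assumes the key was created as a machine key (hence MachineKeySet = true; drop that line for a per-user key), uses placeholder subject values, and parses certutil's English text output.

```powershell
# Added example, not part of the Fortanix article: generates request.inf and the CSR
# for the DSM-backed key from Section 5.1, then inspects the CSR with certutil -dump.
# Assumptions: the key is a machine key (MachineKeySet = true), subject fields are
# placeholders, and the sanity check parses certutil's English output.

$KeyContainer = "sectigo_private_key"
$ProviderName = "Fortanix KMS CNG Provider"
$Subject      = "CN=sectigo_private_key, OU=Build, O=Example Corp, C=US"   # placeholder
$OutDir       = Join-Path $env:TEMP "fortanix-csr"
$InfPath      = Join-Path $OutDir "request.inf"
$CsrPath      = Join-Path $OutDir "request.csr"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# UseExistingKeySet points certreq at the existing container instead of generating
# a new key; the EKU OID 1.3.6.1.5.5.7.3.3 is Code Signing.
@"
[NewRequest]
Subject = "$Subject"
KeyContainer = "$KeyContainer"
ProviderName = "$ProviderName"
UseExistingKeySet = true
MachineKeySet = true
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3
"@ | Set-Content -Path $InfPath -Encoding ASCII

if (Test-Path $CsrPath) { Remove-Item $CsrPath }
& certreq.exe -new $InfPath $CsrPath | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CsrPath)) {
    throw "certreq.exe failed (exit code $LASTEXITCODE); check that the key container exists and that MachineKeySet matches how the key was created"
}

function Test-CsrForCodeSigning {
    param([string]$Path)
    $dump = & certutil.exe -dump $Path
    # certutil prints "Public Key Length: <n> bits" and lists EKU OIDs in parentheses.
    $bits = 0
    foreach ($line in $dump) {
        if ($line -match "Public Key Length:\s*(\d+)\s*bits") { $bits = [int]$Matches[1]; break }
    }
    $hasCodeSigningEku = [bool]($dump | Where-Object { $_ -match "1\.3\.6\.1\.5\.5\.7\.3\.3" })
    [pscustomobject]@{
        KeyBits        = $bits
        CodeSigningEku = $hasCodeSigningEku
        # RSA-3072 is the minimum for publicly trusted code-signing certificates;
        # a CA such as Sectigo rejects a CSR for a smaller key.
        Ok             = ($bits -ge 3072 -and $hasCodeSigningEku)
    }
}

$check = Test-CsrForCodeSigning -Path $CsrPath
$check | Format-List
if (-not $check.Ok) { throw "CSR does not meet code-signing requirements; do not submit it" }
Write-Host "CSR written to $CsrPath; paste its contents into the Sectigo request form"
```

The script deletes any previous request.csr before calling certreq.exe because certreq does not silently overwrite an existing output file. The private key never leaves Fortanix DSM at any point: certreq.exe only asks the provider to sign the PKCS#10 request with it.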

5.3 Requesting and Importing Signed Certificate

Perform the following steps to request and import the signed certificate from Sectigo into Fortanix DSM:

  1. Purchase a Code Signing Certificate from Sectigo and log in to the Sectigo Client Dashboard.


    Figure 8: Sectigo client dashboard

  2. Click the Active product to request the certificate.


    Figure 9: Request certificate

  3. Paste the contents of the request.csr file created in Step 4 of Section 5.2: Generating a CSR Using certreq.exe into the CSR submission field and complete the request.


    Figure 10: Submit certificate request

  4. Once the CA returns the signed certificate, log in to the Fortanix DSM UI and create a security object using the IMPORT feature. Upload the signed certificate file in .cer or .crt format.

    Figure 11: Import signed certificate

  5. Keep a copy of the certificate on the server that will use SignTool.exe.

    NOTE

    The certificate can be exported again from Fortanix DSM if needed.
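The following PowerShell script is an added example for this article (not Fortanix code) that performs the check a practitioner wants between receiving the certificate from Sectigo and importing it in Step 4 or handing it to SignTool: it opens the key through the Fortanix KMS CNG provider, exports only its public half, and confirms that the certificate's RSA modulus is identical, that the certificate carries the Code Signing EKU, and that a chain can be built from the local trust store. It assumes the key was created as a machine key and that the provider allows public-key export (as certutil -key already relies on); the certificate path is a placeholder.

```powershell
# Added example, not part of the Fortanix article: before importing the Sectigo-issued
# certificate (Section 5.3) or passing it to SignTool (Section 6.0), confirm that it was
# issued for the public key of the DSM-held security object and that it carries the
# Code Signing EKU. Assumptions: machine key; the certificate path is a placeholder.

$CertPath     = "C:\certs\sectigo_codesign.cer"   # placeholder
$KeyContainer = "sectigo_private_key"
$ProviderName = "Fortanix KMS CNG Provider"

function Test-CertMatchesDsmKey {
    param([string]$CertPath, [string]$KeyContainer, [string]$ProviderName)

    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $certRsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $certRsa) { throw "$CertPath does not carry an RSA public key" }
    $certModulus = [Convert]::ToBase64String($certRsa.ExportParameters($false).Modulus)

    # Open the key through the CNG provider; only the public half is exported,
    # the private key stays inside Fortanix DSM.
    $provider = New-Object System.Security.Cryptography.CngProvider($ProviderName)
    $cngKey   = [System.Security.Cryptography.CngKey]::Open($KeyContainer, $provider,
                    [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey)
    try {
        $keyRsa     = New-Object System.Security.Cryptography.RSACng($cngKey)
        $keyModulus = [Convert]::ToBase64String($keyRsa.ExportParameters($false).Modulus)
    } finally {
        $cngKey.Dispose()
    }

    # EKU check: the certificate must list Code Signing (1.3.6.1.5.5.7.3.3).
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $codeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.3" })

    # Chain check against the local trust store, restricted to the Code Signing policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]"1.3.6.1.5.5.7.3.3")
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        KeyMatchesDsm  = ($certModulus -eq $keyModulus)
        CodeSigningEku = $codeSigning
        ChainBuilds    = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    }
}

$result = Test-CertMatchesDsmKey -CertPath $CertPath -KeyContainer $KeyContainer -ProviderName $ProviderName
$result | Format-List
if (-not ($result.KeyMatchesDsm -and $result.CodeSigningEku)) {
    throw "Certificate does not match the DSM key or lacks the Code Signing EKU; do not import or sign with it"
}
```

A modulus mismatch means the certificate was issued for a different CSR (for example, one generated with a locally stored key) and must not be imported alongside this security object; a failed chain build usually means the Sectigo intermediate is missing from the machine's certificate store, which SignTool would also report at signing time.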

6.0 Code-Signing Integration (Directly from Workstation)

This section outlines the steps to sign code using a key managed by Fortanix DSM through a remote CNG provider, directly from a developer workstation.

Perform the following steps:

  1. Before initiating the signing operation, verify that the file has no existing digital signatures.


    Figure 12: Verify signature

  2. Open a command prompt and ensure you are using the appropriate signtool.exe version based on your system architecture (for example, x64, x86).


    Figure 13: Locate SignTool

  3. Verify that the private key intended for signing is accessible in the CNG provider registered to Fortanix DSM.


    Figure 14: Verify the key

  4. Run SignTool with the following parameters to sign your file (the figure below shows the complete command line):

    • /csp: the CNG provider to use for the sign operation, that is, "Fortanix KMS CNG Provider".

    • /kc: the key container (the name of the security object, also known as an alias) in Fortanix DSM that holds the private key.

    • /f: the signed certificate file (.cer or .crt) that Sectigo issued for the private key stored in Fortanix DSM.

    • The file to sign.

    Add /fd SHA256 so that SignTool uses a SHA-256 file digest, and /tr <timestamp-server-URL> /td SHA256 so that the signature is timestamped and remains valid after the certificate expires.


    Figure 15: Sign the code

    If the signing certificate is already present in the certificate store, you may omit the CSP and KC options:


    Figure 16: Omit the CSP and KC

  5. Once the signing operation is successful, Fortanix DSM will log an audit event indicating that the private key was used for a signing operation.
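The following PowerShell script is an added example for this article (not Fortanix code) that carries the five steps of Section 6.0 through end to end: it refuses to sign a file that already carries a signature, calls SignTool with the /csp, /kc and /f parameters from Step 4 plus a SHA-256 file digest and an RFC 3161 timestamp, checks the exit code of both the sign and the verify run, and returns the resulting signature details. It assumes signtool.exe is on the PATH (otherwise set $SignTool to the path located in Section 2.0), that $CertPath is the certificate copy kept on the server in Section 5.3 (placeholder path), and that $TimestampUrl points at Sectigo's public RFC 3161 timestamp service.

```powershell
# Added example, not part of the Fortanix article: signs a binary with the DSM-held
# key through SignTool, timestamps the signature, and verifies the result, checking
# exit codes at each step. Assumptions: signtool.exe on PATH, placeholder certificate
# and target paths, Sectigo's public RFC 3161 timestamp URL.

$SignTool     = "signtool.exe"
$ProviderName = "Fortanix KMS CNG Provider"
$KeyContainer = "sectigo_private_key"
$CertPath     = "C:\certs\sectigo_codesign.cer"   # placeholder
$TimestampUrl = "http://timestamp.sectigo.com"
$Target       = "C:\build\app.exe"                 # placeholder

function Invoke-FortanixCodeSign {
    param([string]$Path)

    # Step 1 of Section 6.0: refuse to sign a file that already carries a signature,
    # so an unexpected (possibly foreign) signature is noticed rather than replaced.
    $before = Get-AuthenticodeSignature -FilePath $Path
    if ($before.Status -ne 'NotSigned') {
        throw "$Path already has a signature (status $($before.Status)); aborting"
    }

    # /csp, /kc and /f are the parameters from Step 4; /fd selects the file digest,
    # /tr and /td request a SHA-256 RFC 3161 timestamp so the signature stays valid
    # after the certificate expires. Each private-key use is audited by DSM (Step 5).
    & $SignTool sign /v /csp $ProviderName /kc $KeyContainer /f $CertPath `
        /fd SHA256 /tr $TimestampUrl /td SHA256 $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # /pa verifies against the default Authenticode policy (code-signing chain).
    & $SignTool verify /v /pa $Path
    if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

    $after = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File       = $Path
        Status     = $after.Status
        Signer     = $after.SignerCertificate.Subject
        Thumbprint = $after.SignerCertificate.Thumbprint
        Timestamp  = $after.TimeStamperCertificate.Subject
    }
}

$result = Invoke-FortanixCodeSign -Path $Target
$result | Format-List
if ($result.Status -ne 'Valid') { throw "Signature status is $($result.Status), expected Valid" }
```

SignTool returns 0 on success, 1 on failure and 2 when it signed but issued warnings (for example, a timestamp server that could not be reached); treating anything other than 0 as a failure, as the script does, keeps an untimestamped build from leaving the pipeline unnoticed. If the quorum policy from Section 1.0 is enabled on the key, the sign call blocks until the required approvals have been granted in Fortanix DSM.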

7.0 Frequently Asked Questions

  1. How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?

  • You can view all of the supported methods, algorithms, and modes with Fortanix DSM using the CNG provider by running a csptest:


    Figure 17: Validate supported algorithms