Using Fortanix Data Security Manager with Sectigo CA for Secure Certificate Generation

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with Sectigo for code signing.

It also contains the information that a user requires to:

  • Prepare the Build Server / Code-Signing Workstation

  • Configure Fortanix Data Security Manager for Sectigo CA Code-Signing integration

  • Generate/Import Private Key and Certificate

Fortanix DSM has a state-of-the-art code signing solution that offers the following capabilities:

  1. FIPS 140-2 level 3 assurance for private key protection.

  2. Supports all types of asymmetric keys, signing, and hashing algorithms used for code signing. It also supports signing just the hash.

  3. Code signing in large enterprises often requires verification of metadata associated with the data being signed as well as access control around the use of keys. These checks can easily be performed in a secure environment using plugins in Fortanix DSM.

  4. Code signing keys are very sensitive, and their use should be tightly controlled. Fortanix DSM allows elaborate quorum-based policies to be configured for these keys, requiring approval from M of N administrators before a signing operation is performed. These approvals can be obtained in an asynchronous and distributed fashion.

  5. Strict role-based-access-control, quorum-based approval workflows, automation, and audit logs for all code signing operations.

  6. 100% support for REST APIs, KMIP, PKCS#11, JCE, Microsoft CAPI, and CNG for easy integration with your existing DevOps tooling.

  7. Code signing in Fortanix DSM is future-proof. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.

2.0 Preparing the Build Server/Code-Signing Workstation

The Server/Workstation that will be running the SignTool must have the following installed:

  • Fortanix DSM CNG Provider:

    • Link: Fortanix CNG EKM

    • Once installed, validate that the provider has been correctly registered.  

      Figure 1: Code signing solution

  • SignTool:

    • SignTool is part of the Windows SDK and is required.

    • Link: Windows 10 SDK 

3.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

3.1 Signing Up

To get started with the Fortanix Data Security Manager (DSM) cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

3.2 Creating an Account

Open <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to the Fortanix DSM.

Figure 2: Logging In

3.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. Click the Groups menu item in the DSM left navigation panel and click the + button on the Groups page to add a new group.

    Figure 3: Add Groups

  2. On the Adding new group page, enter the following details:

    • Title: Enter a title for your group.

    • Description (optional): Enter a short description for the group.

  3. Click the SAVE button to create the new group.

The new group has been added to the Fortanix DSM successfully.

3.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation panel and click the + button on the Apps page to add a new app.

    Figure 4: Add Application

  2. On the Adding new app page, enter the following details:

    • App name: Enter the name of your application.

    • Interface (optional): Select the REST API option as the interface type from the drop-down menu.

    • ADD DESCRIPTION (optional): Enter a short description for the application.

    • Authentication method: Select the default API Key as the method of authentication from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication documentation.

    • Assigning the new app to groups: Select the group created in Section 3.3: Creating a Group from the list.

  3. Click the SAVE button to add the new application. 

The new application has been added to the Fortanix DSM successfully.

3.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

  1. Click the Apps menu item in the DSM left navigation panel and click the app created in Section 3.4: Creating an Application to go to the detailed view of the app.

  2. On the INFO tab, click the VIEW API KEY DETAILS button.

  3. From the API Key Details dialog box, copy the API Key of the app to be used later.

4.0 Fortanix KMS CNG Provider

Perform the following steps:

  1. On the Build Server/Code-Signing Workstation, the Fortanix DSM CNG Provider requires two configuration values, which are stored in the registry:

    • Fortanix DSM Endpoint

    • Fortanix DSM API Key

    The following two commands store the correct values in the registry (you may also choose to store the entries in your user registry instead of HKLM (HKEY_LOCAL_MACHINE)):

    C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-endpoint https://amer.smartkey.io
    C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-key ZGZiNzc0OGMtYmM0Mi00NGYzLTgxNTEtNTYyMzMxOTAxMmVjOkZDSjAxVS1nRHJHc0lYd1FaanZ4dktid0U2ei16M0VneTBGRWtzQnJfYUNwY3RRcUhXalhQcHZqeDZzRzB4ZzNkRmkzb0x2ZVMtcm9uSlJRVFlpRXFB
  2. Confirm Fortanix KMS CNG Provider can communicate properly with Fortanix DSM.  

    Figure 5: Confirm the communication

5.0 Generate or Import the Private Key and Certificate

Securing the private keys and certificates is the most critical task in ensuring that code cannot be maliciously signed by unauthorized parties. Fortanix supports generating/importing and securing the appropriate security objects:

  • Generate the Private Key using Fortanix DSM user interface (UI), create a Certificate Sign Request from SignTool, and then import the Certificate into Fortanix DSM once signed by Sectigo (trusted Certificate Authority).

5.1 Generate Private Key on Fortanix DSM/Generate CSR through certreq.exe

This method generates the Private Key in Fortanix DSM and the Certificate Signing Request with certreq.exe. Upon receiving a signed certificate from the trusted Certificate Authority, the certificate can then be imported into Fortanix DSM.

  1. Create a new Security Object that will be the Private Key and assign it to the appropriate group (sample security object – sectigo_private_key):

    Figure 6: Create new security object

    Alternatively, you can generate the key using PowerShell:

    $cngProviderName = "Fortanix KMS CNG Provider"   # Provider name registered by the Fortanix CNG installer
    $cngAlgorithmName = "RSA"
    $cngKeySize = 3072                               # RSA key size in bits; publicly trusted code-signing certificates require at least 3072
    $cngKeyName = "<name-of-security-object>"        # Name identifying your key in the KSP (becomes the DSM security object name)
    $cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)

    $cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
    $cngKeyParameter.Provider = $cngProvider
    $cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey   # Machine-scoped key, matching the HKLM configuration above

    # The key length is passed to the provider as the NCrypt "Length" property (little-endian DWORD)
    $keySizeProperty = New-Object System.Security.Cryptography.CngProperty("Length", [System.BitConverter]::GetBytes($cngKeySize), [System.Security.Cryptography.CngPropertyOptions]::None)
    $cngKeyParameter.Parameters.Add($keySizeProperty)

    $cngAlgorithm = New-Object System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)
    $cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParameter)

    After the PowerShell script runs, the new key appears in the Fortanix DSM UI.

  2. Generate the Certificate Signing Request from the private key using certreq.exe:

    1. Create a new file called request.inf in a temporary directory.

    2. Paste the following content into the file, adjusting these two values:

      1. KeyContainer: Name of the security object created previously/Private Key.

      2. ProviderName: Based on the provider name when installing the Fortanix CNG Provider.

      [NewRequest]
      
      Subject = "CN=sectigo_private_key, OU=nishank, O=Fortanix, C=US"
      KeyContainer = "sectigo_private_key"
      ProviderName = "Fortanix KMS CNG Provider"
      UseExistingKeySet = true
      
      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.3
    3. Type the following command to generate the Certificate Signing Request:

      Figure: Generate CSR

    4. This command generates a request.csr Certificate Signing Request file, which should be sent to the trusted Certificate Authority to receive a signed Certificate.
      Sample file:

      -----BEGIN NEW CERTIFICATE REQUEST-----
      MIIEiTCCAvECAQAwUDELMAkGA1UEBhMCVVMxETAPBgNVBAoMCEZvcnRhbml4MRAw
      DgYDVQQLDAduaXNoYW5rMRwwGgYDVQQDDBNzZWN0aWdvX3ByaXZhdGVfa2V5MIIB
      ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAq5lA0CUztBzLWV0kkgH/qk94
      CcOKZODm1LC8b3NF/pZuEWtUd1sryQVuOVbK3upiuthyMnsUNrADM+YwUf0iuxUb
      e4EKJM4at5rUjE2nq7hzuWmR7LVDzCFniOwtxTOjAL7kViMKPlayzMkzJ/Lswx4k
      ei4zGnxjpoUR0wBIMEIFL+FyHyDLlBWXfQ4/9H+BDOvC2KY+FUg8Co+cwUkPUkqV
      VzT7n9IChA/tMgzwaRjcERjt6lcrtaWWnSdWreWCoH0iWfHheej//+wU6gNJMoNh
      Hsn3yKAiIGmcmCqYeU/o92uzLQfLuNqCrXlMk2zdiyOL66wonoyANyhU2z/3HzHG
      kaA0ETR01Kl3K+D4y9ovJCbagWbVX56SqQkPM2i2tT9MLRcMa24ao8MZJQ+GOIVh
      or/4gvvVt+Dll/mCKWhxq3SgG9Xoaog2M3yP8A5UhzPlzmYWmq/XueZtSykRF0do
      ... (lines omitted from the sample)
      HxLk6gqN5k5fIPMtkt2kjOy55DKS83FbIe1LeCapI+0SADQLV6jNHjd5PEJfiBPb
      Nq9bMM88DwOfWino/s+5RZKmDdcETOf78VrkszKvckMYp/CMnHuVrM3GpOpuBQQM
      l4FcqToddNPlNnecRh0oA7Ecxaqa+xBj3DGGG4jGonMsW5qMYjMk3aI6SwWgiFuH
      fXk5EmN+RyK+lW/b5Ogy1VKW4ERLdhjWtMqCVqsv3s9inUtx7Jc9Wb1ynR2j4Qzz
      21AOVGgJgjp3R1gbuudl8M6CGE+ekGO+BZwpcDQAsV4Tu5j+53yPgnFunGgTDYfS
      zoakzNCyRjpbBn3BAw==
      -----END NEW CERTIFICATE REQUEST-----
  3. Purchase a Code Signing Certificate from Sectigo and log in to your Sectigo Client Dashboard.  

    Figure 7: Sectigo client dashboard

  4. Click your “Active” product and request your certificate.  

    Figure 8: Request certificate

  5. Copy-paste the contents of the request.csr file created in Step 2, sub-step 4 above and submit the certificate request.

    Figure 9: Submit certificate request

  6. Once the signed Certificate is received, you can import the certificate into Fortanix DSM.  

    Figure 10: Import signed certificate

  7. Keep a copy of the certificate on the server where the SignTool will be run from (the certificate can be exported from Fortanix DSM at any time).
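The following PowerShell script is an added example, not part of the Fortanix article, that automates steps 1 and 2 of this section: it writes request.inf, runs certreq.exe against the key already held in Fortanix DSM, and checks the resulting request.csr before it is uploaded to Sectigo. It assumes the CNG provider is installed and configured as in Section 4.0, that the security object sectigo_private_key already exists, and that the subject fields in angle brackets are replaced with your own values; the MachineKeySet line is an assumption that matches the MachineKey creation option used in step 1 and should be dropped if the key was created as a user key.

```powershell
# Added example (not from the Fortanix article): build the CSR for the DSM-held key.
# Assumptions: Fortanix CNG provider configured (Section 4.0); key "sectigo_private_key"
# exists in DSM; <org-unit> and <organization> are placeholders to replace.

$KeyContainer = "sectigo_private_key"          # DSM security object name (from the article)
$ProviderName = "Fortanix KMS CNG Provider"    # provider name (from the article)
$Subject      = "CN=sectigo_private_key, OU=<org-unit>, O=<organization>, C=US"  # placeholder subject
$WorkDir      = Join-Path $env:TEMP "sectigo-csr"
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$InfPath = Join-Path $WorkDir "request.inf"
$CsrPath = Join-Path $WorkDir "request.csr"

# UseExistingKeySet makes certreq reference the existing DSM key instead of generating a
# local one; the EKU OID 1.3.6.1.5.5.7.3.3 restricts the certificate to code signing.
# MachineKeySet is an assumption: it matches the MachineKey option used when the key was created.
$Inf = @"
[NewRequest]
Subject = "$Subject"
KeyContainer = "$KeyContainer"
ProviderName = "$ProviderName"
UseExistingKeySet = true
MachineKeySet = true

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# certreq -new reads the INF and writes a PKCS#10 request. The request is signed inside
# DSM through the CNG provider, so the private key never leaves the HSM-backed service.
& certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Sanity checks before uploading: the output must be a PEM request block, and certutil
# must parse it and report the expected subject, key algorithm and key length.
$Pem = Get-Content -Raw $CsrPath
if ($Pem -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----') { throw "request.csr is not a PEM CSR" }
$Dump = & certutil.exe -dump $CsrPath
$Dump | Select-String -Pattern 'Subject|Public Key|Algorithm' | ForEach-Object { $_.Line.Trim() }

Write-Host "CSR written to $CsrPath; paste its contents into the Sectigo dashboard."
```

Checking the certutil dump before submission catches the two mistakes that otherwise only surface after Sectigo rejects the request: a subject that does not match the organization validated by the CA, and a key that is shorter than the CA requires.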

6.0 Code-Signing Integration (Directly from Workstation)

  1. Verify no other signatures are present on the file that will be signed.  

    Figure 11: Verify signature

  2. Open a command prompt. Locate the SignTool.exe binary appropriate for your target architecture (for example x64 or x86).

    Figure 12: Locate SignTool

  3. Verify that the key you wish to use to sign the code is available in the remote CNG provider.  

    Figure 13: Verify the key

  4. The following command signs the specified file with SignTool and requires at least the following parameters:

    • CSP: The CNG provider you wish to use for the sign operation.

    • KC: Key Container (also known as an alias) that will be used for the sign operation.

    • File: The certificate issued for the Private Key stored in Fortanix DSM.

    • Code to sign.

    Figure 14: Sign the code

    If using a certificate already stored in the certificate store, you may also omit the CSP and KC parameters:

    Figure 15: Omit the CSP and KC

  5. Once the file has been signed, Fortanix DSM will log an event within the audit log to signify the private key was used to sign the code.
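The following PowerShell script is an added example, not part of the Fortanix article, that runs the signing procedure above end to end: it refuses to sign a file that already carries a signature (step 1), signs with the DSM-held key through the CNG provider using the CSP, KC and File parameters (step 4), and then verifies the result. It assumes SignTool.exe from the Windows 10 SDK is on the PATH, that the certificate was exported from DSM to the placeholder path $CertFile, and that $TsaUrl is replaced with your CA's RFC 3161 timestamp service; timestamping is not mentioned in the article but keeps the signature valid after the certificate expires.

```powershell
# Added example (not from the Fortanix article): sign and verify with the DSM-held key.
# Assumptions: signtool.exe on PATH; paths and timestamp URL below are placeholders.

$SignTool     = "signtool.exe"
$ProviderName = "Fortanix KMS CNG Provider"          # CSP parameter: CNG provider (from the article)
$KeyContainer = "sectigo_private_key"                # KC parameter: DSM security object name
$CertFile     = "C:\signing\sectigo_codesign.cer"   # placeholder: certificate exported from DSM
$Target       = "C:\build\MyApp.exe"                 # placeholder: file to sign
$TsaUrl       = "http://<timestamp-server>"          # placeholder: RFC 3161 timestamp URL

# Step 1: verify no signature is present. signtool verify exits non-zero for an
# unsigned file, so a zero exit code means the file is already signed.
& $SignTool verify /pa /q $Target 2>$null
if ($LASTEXITCODE -eq 0) { throw "$Target is already signed; aborting" }

# Step 4: /csp and /kc route the signing operation to the DSM key through the CNG
# provider, /f supplies the issued certificate, /fd and /td select SHA-256 digests,
# and /tr requests an RFC 3161 timestamp.
& $SignTool sign /csp $ProviderName /kc $KeyContainer /f $CertFile /fd sha256 /tr $TsaUrl /td sha256 /v $Target
if ($LASTEXITCODE -ne 0) { throw "signing failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy and print the signer chain.
& $SignTool verify /pa /v $Target
if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }

# Independent check: the signature must be Valid and the signer certificate must carry
# the code-signing EKU (1.3.6.1.5.5.7.3.3) that was requested in the CSR.
$Sig = Get-AuthenticodeSignature -FilePath $Target
if ($Sig.Status -ne 'Valid') { throw "Authenticode status is $($Sig.Status)" }
$HasCodeSigningEku = $Sig.SignerCertificate.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3'
if (-not $HasCodeSigningEku) { throw "signer certificate lacks the code-signing EKU" }
Write-Host "Signed by $($Sig.SignerCertificate.Subject); thumbprint $($Sig.SignerCertificate.Thumbprint)"
```

Each run of this script produces exactly one signing operation in the Fortanix DSM audit log (step 5), so the number of audit entries for sectigo_private_key can be reconciled against the build pipeline's record of released artifacts; a signing event with no matching build is the signal to investigate.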

7.0 Frequently Asked Questions

  1. How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?

  • You can view all of the supported methods, algorithms, and modes available through the Fortanix DSM CNG provider by running a csptest against the provider:

    Figure 16: Validate supported algorithms
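The following PowerShell functions are an added example, not part of the Fortanix article, covering two checks the article shows only as screenshots: that the provider is registered after installation (Section 2.0, Figure 1) and that a csptest against it succeeds, which both lists the supported algorithms (this FAQ) and confirms the provider can reach Fortanix DSM (Section 4.0, step 2). They use certutil.exe's -csplist and -csptest options and assume the provider is registered under the name "Fortanix KMS CNG Provider" used throughout the article.

```powershell
# Added example (not from the Fortanix article): provider registration and csptest checks.
# Assumption: the provider name below is the one registered by the Fortanix CNG installer.

$ProviderName = "Fortanix KMS CNG Provider"

function Test-FortanixProviderRegistered {
    # certutil -csplist enumerates every registered CSP and KSP on the host;
    # the Fortanix provider must appear by name or SignTool cannot select it with /csp.
    $list = & certutil.exe -csplist 2>&1
    return [bool]($list | Select-String -SimpleMatch "Provider Name: $ProviderName")
}

function Get-FortanixProviderCapabilities {
    # certutil -csptest exercises the provider: it enumerates the supported algorithms
    # and modes and, because this KSP is backed by DSM, fails if the endpoint or API key
    # configured in Section 4.0 is wrong. The raw output is returned for inspection.
    $out = & certutil.exe -csptest $ProviderName 2>&1
    if ($LASTEXITCODE -ne 0) { throw "csptest failed for '$ProviderName': $($out -join [Environment]::NewLine)" }
    return $out
}

if (-not (Test-FortanixProviderRegistered)) {
    throw "'$ProviderName' is not registered; reinstall the Fortanix CNG EKM"
}
# Show only the lines naming algorithms, so the supported set can be compared with
# the organization's signing policy (for example, SHA-256 with RSA).
Get-FortanixProviderCapabilities | Select-String -Pattern 'RSA|ECDSA|SHA' | ForEach-Object { $_.Line.Trim() } | Sort-Object -Unique
```

Running these two checks on a freshly prepared build server, before any certificate work starts, separates provider installation problems from DSM connectivity problems: a failed registration check points at the installer, while a failed csptest with the provider registered points at the endpoint or API key stored in the registry.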