This article describes how to integrate Fortanix Data Security Manager (DSM) with Sectigo for code signing.
Fortanix DSM has a state-of-the-art code signing solution that offers the following capabilities:
- FIPS 140-2 level 3 assurance for private key protection.
- Supports all types of asymmetric keys, signing, and hashing algorithms used for code signing. It also supports signing just the hash.
- Code signing in large enterprises often requires verification of metadata associated with the data being signed as well as access control around the use of keys. These checks can easily be performed in a secure environment using plugins in Fortanix DSM.
- Code signing keys are very sensitive, and their use should be tightly controlled. Fortanix DSM lets you configure quorum-based policies for these keys that require approval from M of N administrators before a signing operation is performed. These approvals can be obtained in an asynchronous and distributed fashion.
- Strict role-based-access-control, quorum-based approval workflows, automation, and audit logs for all code signing operations.
- 100% support for REST APIs, KMIP, PKCS#11, JCE, Microsoft CAPI, and CNG for easy integration with your existing DevOps tooling.
- Code signing in Fortanix DSM is future-proof. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.
Preparing the Build Server/Code-Signing Workstation
The Server/Workstation that will be running the SignTool must have the following installed:
- Fortanix DSM CNG Provider:
- Link: https://support.fortanix.com/hc/en-us/articles/360018084132-CNG-EKM
- Once installed, validate that the provider has been correctly registered.
Figure 1: Code signing solution
- SignTool, which is now part of the Windows SDK, is required.
- Link: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/
Fortanix Data Security Manager Configuration
Fortanix DSM will require appropriate groups and apps to be pre-created before the integration begins.
- Create an appropriate group that will be managing the security objects within the account.
Figure 2: Create group
- Create a new app in Fortanix DSM. Its API Key is what the CNG provider uses to authenticate when communicating with Fortanix DSM (take note of the API Key).
Figure 3: Create app and copy API key
- On the Build Server/Code-Signing Workstation, the Fortanix DSM CNG Provider requires a couple of configuration variables, which are stored in the registry:
- Fortanix DSM Endpoint
- Fortanix DSM API Key
C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-endpoint https://amer.smartkey.io
C:\Program Files\Fortanix\KmsClient>FortanixKMSClientConfig.exe machine --api-key ZGZiNzc0OGMtYmM0Mi00NGYzLTgxNTEtNTYyMzMxOTAxMmVjOkZDSjAxVS1nRHJHc0lYd1FaanZ4dktid0U2ei16M0VneTBGRWtzQnJfYUNwY3RRcUhXalhQcHZqeDZzRzB4ZzNkRmkzb0x2ZVMtcm9uSlJRVFlpRXFB
- Confirm Fortanix KMS CNG Provider can communicate properly with Fortanix DSM.
Figure 4: Confirm the communication
Generate or Import the Private Key and Certificate
Securing the private key and certificate is the most critical task for ensuring that code cannot be maliciously signed by unauthorized parties. Fortanix supports generating or importing, and then securing, the appropriate security objects:
- Generate the Private Key using Fortanix DSM UI, create a Certificate Sign Request from SignTool, and then import the Certificate into Fortanix DSM once signed by Sectigo (trusted Certificate Authority).
Generate Private Key on Fortanix Data Security Manager / Generate CSR Through certreq.exe
This method generates the Private Key and the Certificate Sign Request using Fortanix DSM and certreq.exe. Upon receiving a signed certificate from the trusted Certificate Authority, the certificate can then be imported into Fortanix DSM.
- Create a new security object that will be the Private Key and assign it to the appropriate group (in this example, we will call the security object sectigo_private_key):
Figure 5: Create new security object
Alternatively, you can generate the key using PowerShell:
$cngProviderName = "Fortanix KMS CNG Provider"
$cngAlgorithmName = "RSA"
$cngKeySize = <size-of-RSA-Key>              # RSA key size in bits
$cngKeyName = "<name-of-security-object>"    # Name identifying your key in the KSP (the DSM security object name)
$cngProvider = New-Object System.Security.Cryptography.CngProvider($cngProviderName)
$cngKeyParameter = [System.Security.Cryptography.CngKeyCreationParameters]::new()
$cngKeyParameter.Provider = $cngProvider
# Create the key in the machine-wide key set so SignTool can find it from any account on the build server
$cngKeyParameter.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
# Pass the requested key length to the provider as a CNG property
$keySizeProperty = New-Object System.Security.Cryptography.CngProperty("Length", [System.BitConverter]::GetBytes($cngKeySize), [System.Security.Cryptography.CngPropertyOptions]::None)
$cngKeyParameter.Parameters.Add($keySizeProperty)
$cngAlgorithm = New-Object System.Security.Cryptography.CngAlgorithm($cngAlgorithmName)
# Creating the key through the Fortanix provider generates it inside DSM; the private key never leaves DSM
$cngKey = [System.Security.Cryptography.CngKey]::Create($cngAlgorithm, $cngKeyName, $cngKeyParameter)
- Generate the Certificate Sign Request from the private key using the
- Create a new file called request.inf in a temporary directory.
- Paste the following content into the file, where:
KeyContainer: Name of the security object (Private Key) created previously.
ProviderName: The provider name registered when installing the Fortanix CNG Provider.
[NewRequest]
Subject = "CN=sectigo_private_key, OU=nishank, O=Fortanix, C=US"
KeyContainer = "sectigo_private_key"
ProviderName = "Fortanix KMS CNG Provider"
UseExistingKeySet = true
- Type the following command to generate the Certificate Sign Request.
- This command generates a request.csr Certificate Sign Request file, which should be sent to the trusted Certificate Authority to receive a signed Certificate.
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
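The CSR step above, as an added PowerShell example that is not part of the Fortanix article: it writes request.inf for the DSM-backed key, checks that the key is actually visible through the CNG provider before calling certreq.exe, and prints the PEM block to paste into the Sectigo dashboard. The key name, provider name, subject, and the MachineKeySet entry (needed because the key was created with the MachineKey option) are assumptions taken from this walkthrough.

```powershell
# Added example, not code from the Fortanix article.
# Assumes the DSM security object sectigo_private_key exists and the
# Fortanix CNG provider is registered under the name shown in the article.
param(
    [string]$KeyName      = "sectigo_private_key",
    [string]$ProviderName = "Fortanix KMS CNG Provider",
    [string]$Subject      = "CN=sectigo_private_key, OU=nishank, O=Fortanix, C=US",
    [string]$WorkDir      = (Join-Path $env:TEMP "sectigo-csr")
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$infPath = Join-Path $WorkDir "request.inf"
$csrPath = Join-Path $WorkDir "request.csr"

# Fail early if the key cannot be opened through the Fortanix provider; a CSR
# generated against the wrong key set would be rejected later, not now.
$provider = [System.Security.Cryptography.CngProvider]::new($ProviderName)
$opts = [System.Security.Cryptography.CngKeyOpenOptions]::MachineKey
if (-not [System.Security.Cryptography.CngKey]::Exists($KeyName, $provider, $opts)) {
    throw "Key '$KeyName' is not visible through provider '$ProviderName'"
}

# UseExistingKeySet tells certreq to reference the DSM key instead of
# generating a new software key; MachineKeySet matches the MachineKey option
# used when the key was created (assumption based on the PowerShell step above).
@"
[NewRequest]
Subject = "$Subject"
KeyContainer = "$KeyName"
ProviderName = "$ProviderName"
UseExistingKeySet = true
MachineKeySet = true
"@ | Set-Content -Path $infPath -Encoding ASCII

& certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq.exe failed with exit code $LASTEXITCODE"
}

# The resulting PEM block (BEGIN/END NEW CERTIFICATE REQUEST) is what gets
# submitted to Sectigo; the private key itself never left Fortanix DSM.
Get-Content -Path $csrPath
```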
- Purchase a Code Signing Certificate from Sectigo and log in to your Sectigo Client Dashboard.
Figure 6: Sectigo client dashboard
- Click your “Active” product and request your certificate.
Figure 7: Request certificate
- Copy-paste the request.csr file which was created in Step 2(d) above and submit the certificate request.
Figure 8: Submit certificate request
- Once the signed Certificate is received, you can import the certificate into Fortanix DSM.
Figure 9: Import signed certificate
- Keep a copy of the certificate on the server where the SignTool will be run from (the certificate can be exported from Fortanix DSM at any time).
Code-Signing Integration (Directly from Workstation)
- Verify no other signatures are present on the file that will be signed.
Figure 10: Verify signature
- Open a command prompt. Locate the SignTool executable that is appropriate for your code (for example: x64, x86, and so on).
Figure 11: Locate SignTool
- Verify that the key you wish to use to sign the code is available in the remote CNG provider.
Figure 12: Verify the key
- The following command signs the specified file with SignTool. At a minimum, SignTool requires the following parameters to run successfully:
- CSP: The CNG provider you wish to use for the sign operation.
- KC: The Key Container (also known as an alias) that will be used for the sign operation.
- File: The certificate issued for the Private Key stored in Fortanix DSM.
- The file to sign.
Figure 13: Sign the code
If using a certificate already stored in the certstore, you may also omit the CSP and KC parameters:
Figure 14: Omit the CSP and KC
- Once the file has been signed, Fortanix DSM will log an event within the audit log to signify the private key was used to sign the code.
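The signing steps above wrapped in one script, as an added PowerShell example that is not part of the Fortanix article: it locates SignTool, refuses to sign a file that already carries a signature (Step 1), signs through the Fortanix CNG provider with the CSP, KC and certificate-file parameters, and then verifies the result. The certificate path, key container name, the /fd digest option and the optional RFC 3161 timestamp parameters are assumptions added here.

```powershell
# Added example, not code from the Fortanix article.
# Assumes the Sectigo-issued certificate was exported from DSM to $CertFile
# and that the key container name equals the DSM security object name.
param(
    [Parameter(Mandatory)][string]$FileToSign,
    [string]$CertFile     = "C:\codesign\sectigo_private_key.cer",
    [string]$KeyContainer = "sectigo_private_key",
    [string]$ProviderName = "Fortanix KMS CNG Provider",
    [string]$TimestampUrl = ""   # optional RFC 3161 timestamp server (assumption)
)

# Locate SignTool: prefer one on PATH, otherwise the newest x64 build in the Windows 10 SDK
$signtoolPath = (Get-Command signtool.exe -ErrorAction SilentlyContinue).Source
if (-not $signtoolPath) {
    $signtoolPath = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
        Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
}
if (-not $signtoolPath) { throw "signtool.exe not found; install the Windows SDK" }
if (-not (Test-Path $CertFile)) { throw "Certificate file '$CertFile' not found" }

# Step 1 of the article: make sure no other signature is already present
$existing = Get-AuthenticodeSignature -FilePath $FileToSign
if ($existing.Status -ne 'NotSigned') {
    throw "'$FileToSign' already has a signature (status: $($existing.Status))"
}

# /csp and /kc route the private-key operation to Fortanix DSM; /f supplies
# the public certificate; /fd names the file digest algorithm.
$signArgs = @('sign', '/csp', $ProviderName, '/kc', $KeyContainer,
              '/f', $CertFile, '/fd', 'SHA256')
if ($TimestampUrl) {
    # A timestamp keeps the signature valid after the certificate expires
    $signArgs += @('/tr', $TimestampUrl, '/td', 'SHA256')
}
$signArgs += $FileToSign

& $signtoolPath @signArgs
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the signature chains to a trusted root under the default Authenticode policy.
# DSM records the corresponding key-use event in its audit log independently of this check.
& $signtoolPath verify /pa /v $FileToSign
if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for '$FileToSign'" }
```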
Frequently Asked Questions
- How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?
- You can view all of the supported methods, algorithms, and modes with Fortanix DSM using the CNG provider by running a
Figure 15: Validate supported algorithms