Using Fortanix Data Security Manager with Microsoft CNG Provider and SignTool

1.0 Introduction

This article describes how to integrate Fortanix-Data-Security-Manager (DSM) with Microsoft CNG Provider and SignTool.

It also contains the information that a user requires to:

• Prepare the Build Server and Code-Signing Workstation

• Configure Fortanix DSM for Microsoft CNG and Code-Signing integration

• Generate/Import Private Key and Certificate

• Verify signed-code

Fortanix DSM has a state-of-the-art code-signing solution that offers the following capabilities:

1. FIPS 140-2 level 3 assurance for private key protection.

2. Supports all types of asymmetric keys, signing, and hashing algorithms used in code signing. It also supports signing just the hash.

3. Code signing in large enterprises often requires verification of metadata associated with the data being signed, as well as access control around the use of keys. These checks can be securely performed using plugins in Fortanix DSM.

4. Code signing keys are very sensitive, and their use should be tightly controlled. Fortanix DSM provides elaborate quorum-based policies to be configured for these keys which require approval from M of N administrators before the signing operation is performed. Approvals can be obtained asynchronously and in a distributed manner.

5. Strict role-based-access-control, quorum-based approval workflows, automation, and detailed audit logs for all code signing operations.

6. Full support for REST APIs, KMIP, PKCS#11, JCE, Microsoft CAPI, and CNG for seamless integration with existing DevOps toolchains.

7. Code signing is future-proof in Fortanix DSM. Post-quantum algorithms, such as LMS, are already supported and can be used for code signing.

2.0 Architecture Workflow

Microsoft’s SignTool is a prominent tool used in a Microsoft environment to sign and verify the authenticity of code developed for the Microsoft platforms. Fortanix KMS CNG Provider makes it easy to securely store sensitive objects/keys required during the sign and verify processes, a native feature provided by Fortanix DSM for enterprise-level code-signing capabilities.

3.0 Preparing the Build Server/Code-Signing Workstation

The Server/Workstation that will be running the SignTool must have the following installed:

• Fortanix DSM CNG/EKM provider is installed on the system. For more information, refer to the Fortanix CNG EKM.

  NOTE

  If you use the 32-bit CNG provider, you must use the 32-bit command prompt to execute all the commands mentioned in this article.

  Once installed, validate that the provider has been correctly registered using the command: certutil -csplist

  Since the CNG provider is not configured yet, you will see an error.

  certutil -csplist

  

• SignTool is required and is included with the Windows 10 SDK. For more information, refer to the Windows 10 SDK.

  For more information, refer to the SignTool documentation.

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

   

2. On the Adding new group page, do the following:

   1. Title: Enter a name for your group.

   2. Description (optional): Enter a short description of the group.

3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

   

2. On the Adding new app page, do the following:

   1. App name: Enter the name for your application.

   2. ADD DESCRIPTION (optional): Enter a short description of the application.

   3. Authentication method: Select the default API Key as the authentication method from the drop down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

   4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

2. On the INFO tab, click VIEW API KEY DETAILS.

3. From the API Key Details dialog box, copy the API Key of the app to be used later.

4. On the Build Server/Code-Signing Workstation, Fortanix KMS CNG Provider requires configuration variables. Fortanix DSM supports certificate-based authentication or API key-based authentication for a CNG client. For more information on the authentication steps, refer to the Developer's Guide: Client-Microsoft CNG Key Storage Provider

5. Confirm Fortanix KMS CNG Provider can communicate properly with Fortanix DSM:

   certutil -csp "Fortanix KMS CNG Provider" -key

5.0 Create the Private Key and Certificate

To prevent unauthorized or malicious code signing, always secure private keys and associated certificates. Fortanix DSM enables you to generate keys securely and manage certificates with cryptographic best practices.

This section outlines how to:

• Generate a private key securely within Fortanix DSM.

• Create a Certificate Signing Request (CSR) using certreq.exe.

• Submit the CSR to a Certificate Authority (CA) such as Sectigo.

• Import the signed certificate into Fortanix DSM.

5.1 Generating a Private Key

5.1.1 Using Fortanix DSM UI

This method uses the Fortanix DSM user interface (UI) and the Windows-native certreq.exe tool to build a secure certificate signing workflow using the Fortanix KMS CNG provider.

Perform the following steps to generate a security object (private key) in the Fortanix DSM:

1. In the DSM left navigation panel, click the Security Objects menu item, and then click the + button to create a new security object.

   

2. On the Add new Security Object page, do the following:

   1. Security Object name: Enter the name of your security object.

   2. Group: Select the group as created in Section 4.3: Creating a Group.

   3. Select GENERATE.

   4. In the Choose a type section, select the RSA key type.

   5. In the Key Size section, select the size of the key in bits.

   6. In the Key operations permitted section, select the Verify and Sign operations to define the actions that can be performed with the cryptographic keys.

3. Click GENERATE to create the new security object.

   

5.1.2 Using PowerShell

Alternatively, you can run the following PowerShell commands to create a security object:

1. Run the following command to launch PowerShell and create a new key as well as a self-signed certificate.

   $cert = New-SelfSignedCertificate -Subject "NewIIS2" -type codesigningcert -provider "Fortanix KMS CNG Provider" -certstorelocation Cert:\LocalMachine\My

2. Run the following command to navigate to the local machine’s certificate store:

   Cd Cert:\LocalMachine\My

3. Run the following command to list all certificates in the store and view details:

   Get-ChildItem | Format-Table Subject, FriendlyName, Thumbprint –autosize

4. Run the following command to view the detailed information of certificates in the 'My' store using the CertUtil tool:

   certutil -store My

   

Once the command completes, Fortanix DSM automatically registers the key, and it becomes visible in the Fortanix DSM UI under Security Objects.

5.2 Generating a CSR Using certreq.exe

Perform the following steps to generate a CSR using the Fortanix-backed private key and the Windows built-in certreq.exe tool:

1. In a temporary directory, create a new file named request.inf.

2. Append the following configuration into the file, and update the placeholders as needed:

   [NewRequest]
   Subject = "CN=wincryptoapp, OU=fyoo,O=Fortanix,C=AU"
   KeyContainer = "wincryptoapp"
   ;Uncomment the following line if using the machine key storage
   ;MachineKeySet = true
   ProviderName = "Fortanix KMS CNG Provider"
   UseExistingKeySet = true

   Where,

   • Subject: X.509 distinguished name as used in the certificate.

   • KeyContainer: Name of the security object created private key.

   • ProviderName: Based on the provider’s name when installing the Fortanix CNG Provider.

   • MachineKeySet: Used to determine whether SignTool will check the current user or local machine for CNG configurations, as described in the Clients: Microsoft CNG Key Storage Provider. If this parameter is not set appropriately, the certificate sign request (CSR) will not be generated.

   • UseExistingKeySet: Set to true to use the keys created already on Fortanix DSM.

3. Run the following command generate the CSR:

   certreq.exe -new request.inf request.csr

   This command creates a file named request.csr in the same directory.

4. Send the generated request.csr file to a trusted Certificate Authority (CA) to obtain a signed certificate.

5.3 Exporting the Private Key and Certificate

Perform the following steps to export the certificate and prepare it for use:

1. Run the following command to export the certificate from the Windows certificate store to a file:

   Export-Certificate -Cert (Get-Item Cert:\LocalMachine\My\<thumbprint-of-cert>) -FilePath C:\Test.cert

2. Run the following command to convert the exported certificate file from der to pem format using CertUtil:

   certutil.exe -encode C:\Test.cert C:\Test.pem

   

   NOTE

   This process only exports the certificate, not the private key. The private key remains securely stored in the Fortanix DSM-backed key store and is non-exportable by design when using the Fortanix KMS CNG Provider.

5.4 Importing Signed Certificate

Perform the following steps to import the signed certificate from the Certificate Authority (CA) into Fortanix DSM:

1. Once the CA returns the signed certificate, log in to Fortanix DSM UI and create a security object using IMPORT feature. Upload the signed certificate file in .cer or .crt format.

   

2. Keep a local copy of the certificate on the server that will use SignTool.exe.

   NOTE

   The certificate can be exported again from Fortanix DSM if needed.

6.0 Code-Signing Integration (Directly from Workstation)

This section outlines the steps to sign code using a key managed by Fortanix DSM through a remote CNG provider, directly from a developer workstation.

Perform the following steps:

1. Before initiating the signing operation, verify that the file has no existing digital signatures.

   

2. Open a command prompt and ensure you are using the appropriate signtool.exe version based on your system architecture (for example, x64, x86).

   

3. Run the following command to verify that the private key intended for signing is accessible in the CNG provider registered to Fortanix DSM:

   certutil -csp "Fortanix KMS CNG Provider" -key

   

4. Use the SignTool command with the appropriate parameters to sign your file. It uses the following parameters to successfully run the SignTool:

   • CSP: The CNG provider you wish to use for the sign operation.

   • KC: Key Container (also known as an alias) that will be used for the sign operation.

   • File: Certificate generated from the Private Key stored in Fortanix DSM.

   • File to sign.

     

   For more information on the SignTool parameters, refer to the Sign Command Options.

   If the signing certificate is already present in the local certificate store, you may omit the CSP and KC options:

   signtool.exe sign /csp "Fortanix KMS CNG Provider" /kc "wincryptoapp" /f c:\temp\wincryptoapp.cer c:\temp\lala.ps1

   NOTE

   • If the code signing certificate is cross-signed with an alternative trust path, create a .p7b certificate file instead of a .pem or .cer file using the following command and use it for signing:

     openssl crl2pkcs7 -nocrl -certfile certificatename.pem -certfile IntermediateCert.cer -out wincryptoapp.p7b -certfile CACert.cer
     
     signtool.exe sign /csp "Fortanix KMS CNG Provider" /kc "wincryptoapp" /f c:\temp\wincryptoapp.p7b c:\temp\lala.ps1

   • Microsoft signtool has a known issue that causes the exit status to be non-zero even when the signing operation succeeds. To work around this issue, set the following environment variable before running signtool:

     set FORTANIX_SIGNTOOL_BUG_WORKAROUND=true

5. Once the signing operation is successful, Fortanix DSM will log an audit event indicating that the private key was used for a signing operation.

   

7.0 Verify Signed Code

Signed code can be verified using SignTool.exe, which is part of the Windows SDK.

If a self-signed certificate is used for code signing, it must be manually installed on the server or workstation where the verification will be performed, as it lacks a trusted root CA chain. Self-signed certificates are recommended only for testing purposes, not for production environments.

Perform the following steps to verify code signed with a self-signed certificate:

1. If you do not have the certificate readily available, download the certificate from Fortanix DSM.

2. Right-click the downloaded or existing certificate file and install the Certificate. Ensure it is imported into the Trusted Root Certification Authorities store (in this example, certificate fyoo was used):

   

3. Run the following command to verify the signed code using SignTool.exe. The command requires at least the following parameters:

   signtool verify /pa c:\temp\lala.ps1

   

8.0 Sign and Verify Microsoft Office Macro Files Using 32-Bit Sign Tool

For more details, refer to the Using Fortanix Data Security Manager with 32-Bit SignTool for Signing and Verifying Microsoft Office Macro Files.

9.0 Frequently Asked Questions

1. How do I validate the supported algorithms and modes using Fortanix KMS CNG Provider?

• You can view all the supported methods, algorithms, and modes with Fortanix DSM using the CNG provider by running a csptest:

  certutil -csp "Fortanix KMS CNG Provider" -csptest