
Code Signing Private Key Protection Requirements for Cloud HSM Providers


A requirement that took effect on June 1, 2023 states that the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 Level 2 or Common Criteria EAL 4+. In practice this means the key pair is generated inside a device from which the private key cannot be exported.

If you are using a Cloud Key Storage solution such as Azure Key Vault or Amazon Key Management Service (KMS) as your provider, and you did not complete the Code Signing Verification by the June 1, 2023 deadline, you are blocked from issuing or renewing Code Signing certificates.

This article outlines the requirements for submitting the information about your cloud HSM setup to satisfy the verification requirements.

Supported Vendors

  • Microsoft Azure Key Vault (Premium SKU)
  • Microsoft Azure Key Vault Managed HSM
  • Amazon Key Management Service (KMS)
  • AWS CloudHSM

Prerequisites

  • A subscription to Amazon Key Management Service (KMS), AWS CloudHSM, Azure Key Vault, or Azure Key Vault Managed HSM
  • A subscription to the CloudTrail service (if using Amazon KMS or AWS CloudHSM)
  • Sufficient privileges to view/create keys and trails

Azure Key Vault (Premium SKU): Configure Policies

The following Azure Policy must be assigned to demonstrate adequate protection of the private keys in your Azure environment. The policy must be in a “Compliant” state. Follow the instructions below to assign the policy and ensure the Code Signing private keys remain in the HSM.

Note: Azure Key Vault Standard SKU is not supported, because it does not meet the CA/Browser Forum requirements: keys can only be created in a Hardware Security Module in the Premium tier.

  • Confirm SKU (Pricing tier)
  • Policy: Resource logs in Key Vault should be enabled

Confirm SKU (Pricing tier)

1. Log in to your Azure environment and open Key Vault.

2. Select the key vault that is being used to store the Code Signing keys (repeat this step if you have multiple key vaults to store the Code Signing keys).

3. Click the Overview tab and take a screenshot of the screen to confirm you have a “Premium” SKU. Send this screenshot to Entrust.


Assign policy Resource logs in Key Vault should be enabled

1. Go to the Policy screen and click Assign policy.


2. Click the ... (ellipsis) menu for the policy definition.


3. Search for Resource logs in Key Vault should be enabled and then click Add.
4. Click Review & Create, then click Create.
5. The following must be true on the resource Compliance screen:

  • Resource compliance state should be compliant
  • At least one resource must be compliant
  • No exceptions are permitted

Note: The policy check might take up to 48 hours to complete.

Best Practice: Store Code Signing Private Keys in HSM

Follow these steps to ensure that your Code Signing certificate private keys are protected in an HSM. While this is not a prerequisite for completing the Code Signing verification, Entrust will ask you to demonstrate that the private keys are stored in an HSM during your next re-verification.

1. Go to the key vault to which you want to add the certificate.

2. On the properties page, select Certificates.

3. Select the Generate/Import tab.

4. On the Create a Certificate screen, choose the following values:

  • Method of Certificate Creation: Generate.
  • Certificate Name: type your certificate name.
  • Type of Certificate Authority (CA): Certificate issued by a non-integrated CA.
  • Subject: enter the CN of the certificate (the CN must match the approved organization in Entrust).

5. Under Advanced Policy Configuration:

  • Select No under Exportable Private Key, then select RSA-HSM.
  • Key Size must be set to a minimum of 3072.

6. In the Certificates list, select the new certificate that was created. The current state of the certificate is disabled because it hasn’t been issued by the CA yet.
7. On the Certificate Operation tab, select Download CSR.
8. Use this CSR to request and download a Code Signing certificate from Entrust.


9. After you get the certificate, select Merge Signed Request on the Certificate Operation tab to add the Entrust Code Signing certificate to Key Vault.
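The portal steps above can be checked (or reproduced from the command line) without a screenshot. The following is an added example, not Entrust's or Microsoft's own code: it builds a certificate policy equivalent to the choices in steps 4 and 5 and validates a vault/policy pair against the requirements in this section. The inputs are dicts shaped like the JSON printed by `az keyvault show` and `az keyvault certificate show --query policy`; the vault name, the 12-month validity and the PKCS#12 content type are assumed placeholders not taken from the page.

```python
"""Check an Azure Key Vault certificate against the code signing key
protection requirements: Premium SKU, non-exportable RSA-HSM key of at
least 3072 bits, issued by a non-integrated CA.

All sample values are constructed for this example.
"""
from typing import List

MIN_RSA_BITS = 3072


def build_certificate_policy(common_name: str, key_size: int = MIN_RSA_BITS) -> dict:
    """Certificate policy equivalent to the portal choices in steps 4 and 5.

    Issuer "Unknown" is Azure's name for a certificate issued by a
    non-integrated CA; contentType and validityInMonths are assumed defaults
    that the page does not specify.
    """
    return {
        "issuerParameters": {"name": "Unknown"},
        "keyProperties": {
            "exportable": False,   # "Exportable Private Key: No"
            "keyType": "RSA-HSM",  # key generated and kept inside the HSM
            "keySize": key_size,
            "reuseKey": False,
        },
        "secretProperties": {"contentType": "application/x-pkcs12"},
        "x509CertificateProperties": {
            "subject": f"CN={common_name}",  # must match the approved organization
            "validityInMonths": 12,
        },
    }


def check_key_vault_certificate(vault: dict, policy: dict) -> List[str]:
    """Return findings; an empty list means the setup meets the requirements."""
    findings = []
    sku = vault.get("properties", {}).get("sku", {}).get("name", "")
    if sku.lower() != "premium":
        findings.append(f"vault SKU is '{sku}'; Premium is required for HSM-backed keys")

    key_props = policy.get("keyProperties", {})
    if key_props.get("exportable", True):
        findings.append("private key is marked exportable")
    key_type = key_props.get("keyType", "")
    if key_type != "RSA-HSM":
        findings.append(f"key type is '{key_type}'; RSA-HSM is required")
    if int(key_props.get("keySize", 0)) < MIN_RSA_BITS:
        findings.append(f"key size {key_props.get('keySize')} is below {MIN_RSA_BITS}")

    issuer = policy.get("issuerParameters", {}).get("name", "")
    if issuer != "Unknown":
        findings.append(f"issuer is '{issuer}'; expected 'Unknown' (non-integrated CA)")
    return findings


# Constructed sample input: a Premium vault (placeholder name).
SAMPLE_VAULT = {
    "name": "kv-codesign-placeholder",
    "properties": {"sku": {"family": "A", "name": "premium"}},
}

if __name__ == "__main__":
    policy = build_certificate_policy("Example Corp")
    for finding in check_key_vault_certificate(SAMPLE_VAULT, policy) or ["compliant"]:
        print(finding)
```

Saved as `policy.json`, the generated policy can be applied with `az keyvault certificate create --vault-name <vault> --name <cert> --policy @policy.json`; `az keyvault certificate pending show` and `az keyvault certificate pending merge` are the CLI equivalents of Download CSR and Merge Signed Request in steps 7 and 9.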

Azure Key Vault Managed HSM: Configure Policy

The following Azure Policy must be assigned to demonstrate adequate protection of the private keys in your Azure environment. The policy must be in a “Compliant” state. Follow the steps below to assign the policy.

Confirm Azure Key Vault Managed HSM

1. Log in to your Azure environment and open Azure Key Vault Managed HSMs.

2. Take a screenshot of the screen to confirm that you have at least one HSM created. Send this screenshot to Entrust.


Assign policy: Resource logs in Azure Key Vault Managed HSM should be enabled

1. Log in to your Azure environment and go to Policy > Assign policy.


2. Click the ... (ellipsis) menu for the policy definition.


3. Search for “Resource logs in Azure Key Vault Managed HSM should be enabled” and then click Add.


4. Click Review & Create, then click Create.


The following must be true for resource compliance:

  • Resource Compliance state should be compliant
  • At least one resource must be compliant
  • No exceptions are permitted

Note: The policy check might take up to 48 hours to complete.

If you need help assigning these policies, please contact Microsoft Azure’s support team.

Amazon KMS: Configure Keys and CloudTrail in Amazon Key Management Service

1. Ensure all existing and enabled keys are properly configured.
2. Ensure at least one Trail is properly enabled.

Ensure all existing and enabled keys are properly configured

To comply with the Code Signing Baseline Requirements, the following must be true for all enabled keys under “Customer managed keys.”

  • Key Origin: AWS KMS
  • Key Type: Asymmetric
  • Key Usage: Sign and Verify
  • Key Spec: 3072 or 4096 (recommended)

Note: If you have created multiple keys, all of the above must be true for each key, except Key Usage, which can be set to either Sign and Verify or Encrypt and Decrypt. However, at least one key must have the key usage setting of Sign and Verify.


1. Log into your Amazon Web Services account.
2. Open Key Management Service (KMS).
3. Select Customer managed keys from the left menu.
4. Take a screenshot of this page. Make sure that all the required columns are included in the screenshot.


At least one Trail must be properly enabled.

At least one trail must be in “Logging” status to ensure that KMS is configured to log all access, operations, and configuration changes.

1. Open CloudTrail from the list of services.
2. If you have an existing Trail, click to open it.



Note: Make sure that Exclude AWS KMS events is set to No. If you do not have an existing Trail, create a new Trail and make sure that AWS KMS events are not excluded. Take a screenshot of this page.


AWS CloudHSM

1. Provide a screenshot showing that at least one Cluster is in active status with at least one HSM assigned to it.
2. Make sure that at least one Trail is properly enabled

Provide a screenshot showing that at least one Cluster is in active status with at least one HSM assigned to it.

1. To get started, log into your AWS console, then open CloudHSM from the Services menu.
2. Take a screenshot of the page that shows the clusters you use to store the Code Signing keys. Make sure that the status is active and at least one HSM is assigned to it. Send this screenshot to Entrust.


Make sure that at least one Trail is properly enabled.

Follow these steps to show that at least one Trail is in “Logging” status. This ensures that CloudTrail is configured to log all access, operations, and configuration changes of the AWS CloudHSM Clusters.
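The KMS key rules, the CloudTrail “Logging” and “Exclude AWS KMS events” checks, and the CloudHSM cluster check from the two AWS sections above can be evaluated programmatically. The following is an added example, not Entrust's or AWS's own code: the functions take the dict structures returned by the AWS CLI or boto3 (`kms describe-key` KeyMetadata, `cloudtrail get-trail-status`, `cloudtrail get-event-selectors` with basic event selectors, `cloudhsmv2 describe-clusters`) and return findings. The sample data and ids are constructed placeholders; the mapping of “Exclude AWS KMS events” to `kms.amazonaws.com` in `ExcludeManagementEventSources` is how that console switch is represented in the trail's event selector.

```python
"""Evaluate AWS KMS keys, CloudTrail trails and CloudHSM clusters against the
code signing key protection checks. All sample data is constructed.
"""
from typing import List

# "Key Spec: 3072 or 4096" in KMS terms; both are asymmetric RSA specs.
ALLOWED_KEY_SPECS = {"RSA_3072", "RSA_4096"}
KMS_EVENT_SOURCE = "kms.amazonaws.com"


def check_kms_keys(keys: List[dict]) -> List[str]:
    """Apply the customer-managed-key rules to every enabled key; disabled
    keys are skipped because only enabled keys are constrained."""
    findings = []
    signing_keys = 0
    for md in keys:
        if md.get("KeyState") != "Enabled":
            continue
        key_id = md.get("KeyId", "<unknown>")
        if md.get("Origin") != "AWS_KMS":
            findings.append(f"{key_id}: origin {md.get('Origin')} (must be AWS_KMS, i.e. generated in KMS)")
        if md.get("KeySpec") not in ALLOWED_KEY_SPECS:
            findings.append(f"{key_id}: key spec {md.get('KeySpec')} (must be RSA_3072 or RSA_4096)")
        usage = md.get("KeyUsage")
        if usage == "SIGN_VERIFY":
            signing_keys += 1
        elif usage != "ENCRYPT_DECRYPT":
            findings.append(f"{key_id}: key usage {usage} (must be SIGN_VERIFY or ENCRYPT_DECRYPT)")
    if signing_keys == 0:
        findings.append("no enabled key has KeyUsage SIGN_VERIFY")
    return findings


def check_trail(status: dict, selectors: dict) -> List[str]:
    """A trail passes when it is logging and none of its basic event
    selectors excludes KMS management events ('Exclude AWS KMS events: No')."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("trail is not in Logging status")
    for sel in selectors.get("EventSelectors", []):
        if not sel.get("IncludeManagementEvents", True):
            findings.append("trail does not record management events")
        if KMS_EVENT_SOURCE in sel.get("ExcludeManagementEventSources", []):
            findings.append("trail excludes AWS KMS events")
    return findings


def check_cloudhsm_clusters(clusters: List[dict]) -> List[str]:
    """At least one cluster must be ACTIVE with at least one ACTIVE HSM."""
    for cluster in clusters:
        if cluster.get("State") == "ACTIVE" and any(
            hsm.get("State") == "ACTIVE" for hsm in cluster.get("Hsms", [])
        ):
            return []
    return ["no ACTIVE CloudHSM cluster with an ACTIVE HSM"]


# Constructed sample data (placeholder ids, not real resources).
SAMPLE_KEYS = [
    {"KeyId": "key-placeholder-1", "KeyState": "Enabled", "Origin": "AWS_KMS",
     "KeySpec": "RSA_3072", "KeyUsage": "SIGN_VERIFY"},
    {"KeyId": "key-placeholder-2", "KeyState": "Enabled", "Origin": "AWS_KMS",
     "KeySpec": "RSA_4096", "KeyUsage": "ENCRYPT_DECRYPT"},
    {"KeyId": "key-placeholder-3", "KeyState": "Disabled", "Origin": "EXTERNAL",
     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"},  # disabled, so ignored
]
SAMPLE_TRAIL_STATUS = {"IsLogging": True}
SAMPLE_SELECTORS = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "ExcludeManagementEventSources": []}]}
SAMPLE_CLUSTERS = [{"ClusterId": "cluster-placeholder", "State": "ACTIVE",
                    "Hsms": [{"HsmId": "hsm-placeholder", "State": "ACTIVE"}]}]

if __name__ == "__main__":
    for name, findings in (("KMS keys", check_kms_keys(SAMPLE_KEYS)),
                           ("CloudTrail", check_trail(SAMPLE_TRAIL_STATUS, SAMPLE_SELECTORS)),
                           ("CloudHSM", check_cloudhsm_clusters(SAMPLE_CLUSTERS))):
        print(name, "->", findings or "compliant")
```

Feed the functions the output of `aws kms describe-key`, `aws cloudtrail get-trail-status`, `aws cloudtrail get-event-selectors` and `aws cloudhsmv2 describe-clusters` to turn the screenshot checks into a repeatable report; the `check_trail` logic serves both the KMS and the CloudHSM sections, since each requires a trail in Logging status.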

If you have any questions on using Amazon KMS or AWS CloudHSM, please contact the Amazon customer support team.