Abhishek Sharma

Reputation: 41

EV code signing certificate along with cloud HSM

This sounds like a duplicate question, but I still couldn't find a correct solution. Maybe it's a lack of knowledge in this domain.

Anyway, I am using the EV code signing certificate along with a USB device from the COMODO provider, working fine.

But just to make the CI process smooth we wanted to get rid of the USB device and use a cloud HSM. I had many calls with almost all vendors, but it was not clear, cost-wise and solution-wise, which provider to choose. In the end, I want to import my existing certificate and sign files.

Please share some pointers.

Upvotes: 3

Views: 3264

Answers (4)

Aderion

Reputation: 46

This is possible - but managing the HSM is a bit annoying as some docs are relatively bad.

Amazon has some docs on how to do this with e.g. SignTool: https://docs.aws.amazon.com/cloudhsm/latest/userguide/signtool-sdk3.html

Some notes:

  1. You can't reuse the certificate on the Hardware Token - you will have to request a new one with the key generated on the HSM.
  2. The CloudHSM is relatively expensive - if you have it online 24/7 it costs ~ 1.5k€ per month (But you could stop and start it when required to save money)

What I learned during setting this up for where I work:

  1. The version of the CloudHSM SDK is quite important.
     • We use Client SDK3 because only it (at least 1 year ago) supplied the "Cryptographic Service Provider" which signtool would use.
  2. While it's cleaner to use a separate HSM user to own and another user to use the certificate, it's really annoying to set up.

Upvotes: 0
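The two notes above (the key has to be generated on the HSM and the certificate re-issued against it, and signtool then talks to the HSM through the provider the SDK installs) translate into a short certreq/signtool procedure. This is an added example, not code from the answer or from AWS: it assumes the CloudHSM Client SDK3 provider is installed and logged in on the build machine, the provider name is the one the AWS SignTool documentation uses for SDK3 and should be checked against `certutil -csplist`, and the key container name, subject and timestamp URL are constructed placeholders.

```powershell
# Added example: CSR with a non-exportable key generated inside the HSM, then
# Authenticode signing with signtool through the HSM's key storage provider.
# The provider name is an assumption taken from the AWS SDK3 docs; confirm it
# with "certutil -csplist" before relying on it.

$ProviderName = "Cavium Key Storage Provider"          # assumed provider name
$KeyContainer = "ci-codesign-example"                  # constructed key name
$Subject      = "CN=Example Corp, O=Example Corp, C=US" # placeholder subject

# 1. certreq request file: RSA key created by the provider, marked non-exportable,
#    key usage = digital signature, EKU = code signing (1.3.6.1.5.5.7.3.3).
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 3072
KeyAlgorithm = RSA
ProviderName = "$ProviderName"
KeyContainer = "$KeyContainer"
Exportable = FALSE
MachineKeySet = TRUE
KeyUsage = 0x80
RequestType = PKCS10
HashAlgorithm = SHA256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3
"@ | Set-Content -Path .\codesign.inf -Encoding ASCII

# Generates the key on the HSM and writes the CSR to hand to the CA (the EV
# validation itself still happens with the CA; only the key location changes).
certreq.exe -new .\codesign.inf .\codesign.csr

# 2. Once the CA returns the issued certificate, bind it to the HSM-held key.
certreq.exe -accept .\codesign.cer

# 3. CI signing step: the private key never leaves the HSM. signtool only needs
#    the public certificate plus the provider and key container to locate it.
signtool.exe sign /v /fd sha256 /td sha256 /tr http://timestamp.digicert.com `
    /csp $ProviderName /kc $KeyContainer /f .\codesign.cer .\build\MyApp.exe
if ($LASTEXITCODE -ne 0) { throw "signing failed" }

# 4. Check the result chains to a trusted root under the default policy.
signtool.exe verify /pa /v .\build\MyApp.exe
if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }
```

`/kc` is the signtool option that names the key container inside the provider given by `/csp`; because the key is non-exportable, a compromised build agent can use the key while the HSM session is open but cannot copy it, which is the property the EV token was providing. The `-ne 0` checks matter in CI: signtool prints a warning and still exits non-zero when the timestamp server is unreachable, and an unsigned artifact should fail the pipeline rather than ship.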

Farhad Ikhlaq

Reputation: 1

I am providing HSM-based EV code signing certificates. You don't need any USB token to use the certificate; you can export it anywhere.

Upvotes: 0

efhard

Reputation: 1

Disclaimer: I haven't actually done this, just been researching it for our own use.

There seem to be two ways to do this:

  1. Generate your CSR with non-exportable key in the HSM in some way that can be verified by the certificate issuer. The CA then issues your certificate to be imported in the HSM. This varies by cloud HSM provider. SSL.com can do this and outlines the mechanism here https://www.ssl.com/guide/supported-cloud-hsms-document-signing-ev-code-signing/

  2. Use cloud signing as a service. The service issues the certificate and keeps it and the private key in their HSM. This might be more cost-effective too because cloud HSMs are wicked expensive. You generate a hash of your file, send it (and some strong authentication like OTP) to the service, and they send back a signature. Again SSL.com has a service called eSigner which they document well (including how to use the TOTP secret for build automation so you don't need to manually use your OTP app each time). I think DigiCert's "Secure Software Manager" is a similar service but I haven't verified that yet; their documentation is really high-level and vague.

Upvotes: 0
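Option 2 above is a "hash locally, sign remotely" protocol: the artifact never leaves the build agent, only its digest plus a one-time code does, and the service answers with a signature made by the key it holds. The piece that usually trips up automation is generating the TOTP without a phone app. The following is an added example, not SSL.com's, DigiCert's or the answerer's code: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, the defaults such secrets ship with) using only the standard library, computes the SHA-256 digest of a constructed sample artifact, and assembles a request whose field names are a constructed illustration rather than any vendor's real API.

```python
"""Added example: the build-agent side of a remote code-signing service.
Only the digest and a fresh TOTP leave the machine; the signing key stays
in the provider's HSM. RFC 6238 TOTP is implemented here directly so a CI
job needs no OTP app; the request layout is a constructed illustration."""
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional


def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP (RFC 4226) over the moving factor floor(timestamp / period)."""
    counter = timestamp // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_from_base32(secret_b32: str, timestamp: Optional[int] = None) -> str:
    """TOTP secrets are normally handed out base32-encoded (the QR-code form).
    Keep the decoded secret in the CI secret store, never in the repository."""
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    return totp(secret, int(time.time()) if timestamp is None else timestamp)


def file_digest(data: bytes) -> str:
    """The artifact stays local; the service only ever sees this value."""
    return hashlib.sha256(data).hexdigest()


def build_sign_request(artifact: bytes, secret_b32: str,
                       timestamp: Optional[int] = None) -> dict:
    """Constructed request shape for what a CI job would POST to the signer.
    Field names are illustrative, not a real vendor API."""
    return {
        "digest_alg": "sha256",
        "digest": file_digest(artifact),
        "otp": totp_from_base32(secret_b32, timestamp),
    }


if __name__ == "__main__":
    # Constructed sample: a fake artifact and the RFC 6238 test-vector secret.
    artifact = b"MZ" + b"\x00" * 62 + b"not a real PE, just sample bytes"
    secret_b32 = base64.b32encode(b"12345678901234567890").decode()
    print(json.dumps(build_sign_request(artifact, secret_b32, timestamp=59), indent=2))
```

Two points worth noting for the CI setup: the agent's clock must be within one step of the service's (a drift of more than 30 seconds produces codes the service rejects), and a TOTP secret stored in the pipeline is a second factor only in name, since whoever can read the pipeline's secrets can sign; restricting which jobs may read it is what keeps the "strong authentication" the answer mentions meaningful.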

John Hanley

Reputation: 81454

But just to make the CI process smooth we wanted to get rid of the USB device and use cloud HSM.

The code signing certificate is stored on an external hardware token (USB key). You will not be able to import the private key into an HSM.

Using AWS CloudHSM will not allow you to bypass Comodo's code signing certificate procedures (usage or renewal). Since the Comodo EV certificate implements Two-Factor Authentication (PIN), you must use their procedures which means the hardware token must be present to sign.

Unless you require that level of key security, consider a standard Code Signing certificate.

Upvotes: 0
