How to Configure Windows HLK to use SafeNet Luna HSM for Package Signing

Windows HLK for Package Signing

Follow these steps to secure the HLK signing keys on SafeNet Luna HSM:

Register CSP

SafeNet Luna CSP should be installed on the HLK Test Server machine to use the CSP keys generated for HLK signing.

  • Log on to the HLK Test Server as a domain administrator.
  • Run the register command. The general form of the command is as follows:
    C:\Program Files\SafeNet\LunaClient\CSP>register.exe
  • Enter the partition password when the one-time prompt appears. To enumerate the Luna Cryptographic Services for Microsoft Windows, use the following general form of the command:
    C:\Program Files\SafeNet\LunaClient\CSP>register.exe /l

Creating Code Signing Certificate

With the CSP registered, Luna Cryptographic Services for Microsoft Windows is available to integrate SafeNet Luna HSM with Windows HLK.

The certificate is produced on Windows. It must be properly signed, and the signing certificate must be authorized.

The "Trusted Root Certificate Authority" must be part of the process.

Create a request.inf file by using the following attributes on the HLK Test server:

    [Version]
    Signature="$Windows NT$"
    [NewRequest]
    Subject = "C=IN,O=Gemalto,CN=HLK,OU=HLKIntegration"
    KeySpec = 1
    KeyLength = 2048
    Exportable = FALSE
    MachineKeySet = FALSE
    KeyContainer = HLK
    ProviderName = "Luna Cryptographic Services for Microsoft Windows"
    ProviderType = 1
    KeyUsage = 0x04
    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.3

View the RSA keys generated on the Luna SA HSM partition.

Generate a certificate request for HLK using the request.inf file. Execute the command:

    certreq.exe -new request.inf request.req

This creates a certificate request file, request.req, which must be submitted to a Certificate Authority. Reach out to your CA, choose Code Signing Certificate, and obtain the signed certificate.

Import the signed certificate into the user's personal certificate store. Execute the command below:

    certreq.exe -accept <Commands To Get The Signed Certificate>

Open certmgr.msc, double-click Personal -> Certificates, and check that the certificate has been imported correctly.

Double-click the certificate and look at the message at the bottom to verify that there is a private key mapped to this certificate.

If the private key is not mapped correctly, repair the certificate. Open the certificate and go to the Details tab. Copy the serial number or thumbprint of the certificate.

Run the following command to associate the private key with the certificate:

    certutil -repairstore -csp "Luna Cryptographic Services for Microsoft Windows" -user My "SerialNumber or ThumbPrint"

After the repairstore command has been executed, refresh the Certificate Manager snap-in and open the certificate. The confirmation message "You have a private key that corresponds to this certificate" is displayed at the bottom.
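A check for the outcome of the import and repairstore steps above, as an added example that is not part of the original page: it confirms that the certificate in the current user's Personal store has a mapped private key, carries the Code Signing EKU, and that certutil reports the Luna CSP and the HLK container named in request.inf. The function name Test-HlkSigningCert is hypothetical, and the `Provider =` / `Key Container =` labels assume English certutil output.

```powershell
# Added example (not from the original page). Expected values come from the
# page's request.inf; the certutil output labels are an assumption (English UI).
$ExpectedProvider  = 'Luna Cryptographic Services for Microsoft Windows'
$ExpectedContainer = 'HLK'
$CodeSigningOid    = '1.3.6.1.5.5.7.3.3'

function Test-HlkSigningCert {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $findings = @()

    if (-not $Cert.HasPrivateKey) {
        $findings += 'No private key mapped; run the certutil -repairstore step.'
    }

    # The certificate must carry the Code Signing EKU requested in request.inf.
    $ekuOids = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    if ($ekuOids -notcontains $CodeSigningOid) { $findings += 'Code Signing EKU missing.' }
    if ($Cert.NotAfter -lt (Get-Date)) { $findings += 'Certificate has expired.' }

    # certutil reports which provider and container hold the mapped key.
    $dump = (& certutil.exe -user -store My $Cert.Thumbprint | Out-String)
    $provider = $null; $container = $null
    if ($dump -match '(?m)^\s*Provider\s*=\s*(.+?)\s*$')      { $provider  = $Matches[1] }
    if ($dump -match '(?m)^\s*Key Container\s*=\s*(.+?)\s*$') { $container = $Matches[1] }

    if ($provider -ne $ExpectedProvider) {
        $findings += "Key provider is '$provider', expected the Luna CSP."
    }
    if ($container -ne $ExpectedContainer) {
        $findings += "Key container is '$container', expected '$ExpectedContainer'."
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint; Subject  = $Cert.Subject
        Provider   = $provider;        Container = $container
        Ok         = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Check every certificate in the user's Personal store issued for CN=HLK.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match 'CN=HLK(,|$)' } |
    ForEach-Object { Test-HlkSigningCert -Cert $_ } | Format-List
```

A provider other than the Luna CSP in the output means the certificate is bound to a software key on the Test Server rather than to the key on the HSM partition.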

Signing the HLK Packages

Once you have generated the certificate and the private keys on SafeNet Luna HSM, you have a secured certificate and private keys. Follow the steps below to sign the package:

Step 1: Open Windows HLK Studio on the HLK Test Server.

The HLK Test Clients must be listed in the Default Pool on the Configuration tab. Create a new pool and move the machine into the new pool. Set its status to "Ready".

Start a new project or import an existing one and go to the signing page.

Step 2: Go to the Selection tab and check that the project you created or imported is on the list. Choose the packages that should be signed.

Go to the Test tab and test the selected packages, then verify that the Result tab shows the Test Verification as successful.

Step 3: Once the Test Verification has passed, navigate to the Package tab and click Create Package to sign the package. Select Use the certificate store and click OK.

Step 4: In the pop-up window, pick the signing certificate that was created with the Luna CSP and imported into the certificate store on the local machine, then click OK.

Step 5: Choose the place to store the signed package.

Step 6: Merge and save to begin signing. Signing starts with a Creating Package window.

Step 7: At the end, a message that the project was successfully packaged is displayed and the package is signed.

This completes the Windows Hardware Lab Kit (HLK) integration with SafeNet Luna HSM and package signing with keys generated on SafeNet Luna HSM.

Conclusion

Today, you can secure software distribution through SignMyCode; hence, the power of secure software distribution is at your fingertips.

Begin to ensure the integrity and authenticity of your digital assets by getting the code signing certificate now. Secure your applications, drivers, and software from unauthorized tampering or modification, and build your users' trust with each download.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.