





The code signing technique authenticates the legitimacy and integrity of software. It ensures users that the code or software they are using is authentic and has not been modified.
To enhance code signing practices and bolster overall security, organizations are adopting advanced tools and approaches like YubiHSM (Hardware Security Module).
In this blog, we will explore the concept of YubiHSM and learn how to utilize it for generating a code signing certificate request.
YubiHSM is a specialized hardware device created by Yubico, a well-known industry leader in authentication solutions based on hardware.
This device is explicitly designed to handle cryptographic operations and manage cryptographic keys. YubiHSM provides a secure and tamper-resistant environment that is ideal for tasks like code signing.
By incorporating strong security measures and adhering to industry-standard compliance, YubiHSM guarantees the utmost level of protection for critical cryptographic operations.
Note: From June 1st, 2023, onwards, there will be substantial alterations to the issuance process of OV code signing certificates.
The Certificate Authority/Browser Forum has established new directives mandating the generation, storage, and utilization of private keys for these certificates in either a Hardware Security Module (HSM), Hardware storage tokens, or a Trusted Platform Module (TPM) that complies with FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.
To comply with the updated guidelines, it is recommended to utilize the YubiHSM 2. This hardware solution is not only FIPS 140-2 verified at Level 3, but it also meets the stringent requirements of the authenticator assurance level 3 (AAL3) outlined in NIST SP800-63B guidelines.
Using a YubiHSM2 for generating a code signing certificate request is a straightforward process that involves these six steps:
Let’s explore these steps in depth.
1. Use the following command to generate a Certificate Signing Request (CSR):
certreq -new sign.inf sign.req.
Note: This command creates a CSR named “sign.req” based on the information provided in the “sign.inf” file.
2. Verify the CSR’s successful creation and check for a new object’s presence on the YubiHSM to be 100% sure.
signtool sign /v /sm /tr http://timestamp.digicert.com /td SHA1 /fd SHA1 /a /d "DropBearSec Signing Machine" /as c:\tmp\testfile.exe
When facing an issue during the signing procedure, the error messages shown by signtool may not offer enough information to identify the core cause of the issue.
In such situations, you can consider the following alternatives:
By including these arguments, you can obtain more detailed information during the signing process.
Another approach is to use certutil commands to gather information and diagnose the issue.
Here are some of the certutil commands along with their functions that will help you to troubleshoot:
Command | Description | Additional Information |
certutil -verifystore my <certificate hash> | Checks the validity of the imported certificate. | If the certificate is valid, you will see a confirmation that the certificate is valid. |
certutil -csplist | Checks whether the YubiHSM Key Storage Provider has been installed properly or not. | If the Provider Name: YubiHSM Key Storage Provider” is documented without any errors, then it has been installed correctly. |
certutil -csp “YubiHSM Key Storage Provider” -key | Checks whether the key is accessible through the storage provider or not. | If it is accessible, the output will include key data associated with the YubiHSM Key Storage Provider. |
certutil -store my <certificate hash> | Displays information related to the certificate. | If you are using a new machine and you haven’t executed the certutil -repairstore command, then you may observe the “Cannot find the certificate and private key for decryption” message. |
Utilizing YubiHSM for generating a code signing certificate request involves a straightforward six-step process, including connecting and installing the YubiHSM software, creating an INF file, generating a certificate signing request, submitting it to a Certificate Authority, installing the newly issued certificate, and signing the code.
If issues arise during the signing process, additional troubleshooting options such as using the /debug and /v arguments with signtool or employing certutil commands can help diagnose and resolve any problems.