How to Use YubiHSM For Code Signing Requests?

YubiHSM for Code Signing

The code signing technique authenticates the legitimacy and integrity of software. It ensures users that the code or software they are using is authentic and has not been modified.

To enhance code signing practices and bolster overall security, organizations are adopting advanced tools and approaches like YubiHSM (Hardware Security Module).

In this blog, we will explore the concept of YubiHSM and learn how to utilize it for generating a code signing certificate request.

What is YubiHSM?

YubiHSM 2

YubiHSM is a specialized hardware device created by Yubico, a well-known industry leader in authentication solutions based on hardware.

This device is explicitly designed to handle cryptographic operations and manage cryptographic keys. YubiHSM provides a secure and tamper-resistant environment that is ideal for tasks like code signing.

By incorporating strong security measures and adhering to industry-standard compliance, YubiHSM guarantees the utmost level of protection for critical cryptographic operations.

Note: From June 1st, 2023, onwards, there will be substantial alterations to the issuance process of OV code signing certificates.

The Certificate Authority/Browser Forum has established new directives mandating the generation, storage, and utilization of private keys for these certificates in either a Hardware Security Module (HSM), Hardware storage tokens, or a Trusted Platform Module (TPM) that complies with FIPS 140 Level 2, Common Criteria EAL 4+, or an equivalent standard.

To comply with the updated guidelines, it is recommended to utilize the YubiHSM 2. This hardware solution is not only FIPS 140-2 verified at Level 3, but it also meets the stringent requirements of the authenticator assurance level 3 (AAL3) outlined in NIST SP800-63B guidelines.

How to Utilize YubiHSM 2 for Generating a Code Signing Certificate Request?

Using a YubiHSM2 for generating a code signing certificate request is a straightforward process that involves these six steps:

  1. Connect the YubiHSM and Install the YubiHSM Software.
  2. Create an INF File Using YubiCo Template.
  3. Generate a Certificate Signing Request Using the File with the .INF Extension as Input.
  4. Submit the Certificate Signing Request to a Certificate Authority.
  5. Install the Newly Issued Certificate in the Signing Machine’s Certificate Store.
  6. Sign Your Code.

Let’s explore these steps in depth.

Connect the YubiHSM and Install the YubiHSM Software

  1. Download the appropriate YubiHSM software package for your operating system.
  2. Install the CNG (Cryptographic Next Generation) and Connector components from the .zip folder.
  3. Confirm the successful installation by accessing the status page at http://localhost:12345/connector/status.

Create an INF File Using YubiCo Template

  1. Download the provided YubiCo sample template that describes the required signing certificate.
  2. Modify the template as needed, including updating the subject information.
  3. Save the modified template as an INF file for later use.

Generate a Certificate Signing Request Using the File with the .INF Extension as Input.

1. Use the following command to generate a Certificate Signing Request (CSR):

certreq -new sign.inf sign.req.

Note: This command creates a CSR named “sign.req” based on the information provided in the “sign.inf” file.

2. Verify the CSR’s successful creation and check for a new object’s presence on the YubiHSM to be 100% sure.

Submit the Certificate Signing Request to a Certificate Authority

  1. Submit the generated CSR to your chosen Certificate Authority (CA) through their online portal or your organization’s internal CA process.
  2. Wait for the CA to review the CSR and issue a new code signing certificate.
  3. Download the issued certificate.

Install the Newly Issued Certificate in the Signing Machine’s Certificate Store

  1. Locate the downloaded code signing certificate on your machine.
  2. Double-click the certificate file to launch the installation wizard.
  3. Follow the wizard’s instructions to import the certificate into the appropriate certificate store on your signing machine, typically the Personal\My store.
  4. Ensure that the certificate is associated with the secret key material on the YubiHSM through the installed CNG provider.

Sign Your Code

  1. Ensure that you have the Microsoft code signing tools installed (included in the Windows 10 SDK).
  2. Use the signtool command with the appropriate parameters to sign your code.

    Here’s an example:
signtool sign /v /sm /tr http://timestamp.digicert.com /td SHA1 /fd SHA1 /a /d "DropBearSec Signing Machine" /as c:\tmp\testfile.exe

Facing Issues while Signing Your Code using YubiHSM?

When facing an issue during the signing procedure, the error messages shown by signtool may not offer enough information to identify the core cause of the issue.

In such situations, you can consider the following alternatives:

Use the /debug and /v arguments with SignTool:

By including these arguments, you can obtain more detailed information during the signing process.

Utilize Certutil Commands:

Another approach is to use certutil commands to gather information and diagnose the issue.

Here are some of the certutil commands along with their functions that will help you to troubleshoot:

CommandDescriptionAdditional Information
certutil -verifystore my <certificate hash>Checks the validity of the imported certificate.If the certificate is valid, you will see a confirmation that the certificate is valid.
certutil -csplistChecks whether the YubiHSM Key Storage Provider has been installed properly or not.If the Provider Name: YubiHSM Key Storage Provider” is documented without any errors, then it has been installed correctly.
certutil -csp “YubiHSM Key Storage Provider” -keyChecks whether the key is accessible through the storage provider or not.If it is accessible, the output will include key data associated with the YubiHSM Key Storage Provider.
certutil -store my <certificate hash>Displays information related to the certificate.If you are using a new machine and you haven’t executed the certutil -repairstore command, then you may observe the “Cannot find the certificate and private key for decryption” message.

Conclusion

Utilizing YubiHSM for generating a code signing certificate request involves a straightforward six-step process, including connecting and installing the YubiHSM software, creating an INF file, generating a certificate signing request, submitting it to a Certificate Authority, installing the newly issued certificate, and signing the code.

If issues arise during the signing process, additional troubleshooting options such as using the /debug and /v arguments with signtool or employing certutil commands can help diagnose and resolve any problems.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.