{"id":4173,"date":"2025-01-30T05:27:22","date_gmt":"2025-01-30T05:27:22","guid":{"rendered":"https:\/\/signmycode.com\/resources\/?p=4173"},"modified":"2026-02-13T10:33:36","modified_gmt":"2026-02-13T10:33:36","slug":"sectigo-code-signing-implementations-on-google-kms-key-management-service","status":"publish","type":"post","link":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service","title":{"rendered":"Sectigo Code Signing Instructions for Google KMS: Create HSM Key, Attestation, CSR &amp; Sign Code"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Sectigo Code Signing Certificates now integrate seamlessly with Google Cloud HSM (KMS), which empowers developers with an efficient and secure way to sign their code. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It integrates a well-founded mechanism that places your private keys directly into FIPS 140-2 Level 3-compliant HSMs, ensuring high security. This will eliminate the need to wait for the physical token (USB). <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Your Options for Secure Key Storage with Sectigo:<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When purchasing from Sectigo, you have 3 choices for storing your private key:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1. YubiKey 5 FIPS (USB Token)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Ideal for individuals or small teams. Plug it in, sign code, done. Portable and super secure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2. Luna Network HSM v7.X (Hardware Security Module)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Best for large organizations. Full-blown physical HSM hosted on-prem.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3. Google Cloud KMS (Cloud HSM)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Want to go cloud-native? This is where Google KMS comes in. Sectigo supports using <a href=\"https:\/\/signmycode.com\/blog\/google-cloud-kms-introduces-quantum-safe-digital-signatures\">Google KMS<\/a> for certificate-based signing, making your CI\/CD workflows seamless and secure.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we provide a detailed guide on how to set up a Google Cloud account, generate a CSR, and sign the Code or Executables.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Set Up Sectigo Code Signing Certificates within Google Cloud KMS?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Follow the step-by-step instructions to issue and use a <a href=\"https:\/\/signmycode.com\/sectigo-code-signing\">Sectigo Code Signing Certificate<\/a> with the private key securely stored in Google Cloud KMS (HSM).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Follow Quick Steps:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Setup Google Cloud Account<\/li>\n\n\n\n<li>Create a Key Ring, Key, and Obtain Attestation<\/li>\n\n\n\n<li>Create CSR<\/li>\n\n\n\n<li>Submit CSR <\/li>\n\n\n\n<li>Sign Executables<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Now, we&#8217;ll see each step in detail! <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Setting up a Google Cloud Account<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">To begin the entire setup process, you need to register an account with&nbsp;<a href=\"https:\/\/cloud.google.com\/\" target=\"_blank\">Google Cloud Platform<\/a>, enable billing, and Create a project.<\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Create the Key Ring, HSM Key, and Attestation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">First, you\u2019ll need to generate a key pair in Google Cloud. Complete these steps in the Google Cloud dashboard\/console:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: In Google KMS, Create a Key Ring<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">First, you need to create a key ring in Google Cloud Key Management Service (KMS). A key ring is a logical grouping of cryptographic keys that allows you to manage them collectively. <strong>Follow these steps to create a key ring:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" src=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-key-ring-kms-1024x502.webp\" alt=\"Create Key Ring\" class=\"wp-image-4175\" srcset=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-key-ring-kms-1024x502.webp 1024w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-key-ring-kms-300x147.webp 300w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-key-ring-kms-768x377.webp 768w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-key-ring-kms-png.webp 1482w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Once the key ring is created, it will serve as the container for your cryptographic keys.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Creating a New HSM Key<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Now, after creating a key ring in the Google KMS, create a new key for you with these settings:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Before you begin, you need the following:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <strong>Google Cloud project resource<\/strong> to contain your Cloud KMS resources. We recommend using a separate project for your Cloud KMS resources that contains no other Google Cloud resources.<\/li>\n\n\n\n<li>The <strong>name and location of the key ring<\/strong> where you want to create your key. Choose a key ring in a location that is near your other resources and that supports your chosen <a href=\"https:\/\/cloud.google.com\/kms\/docs\/protection-levels\">protection level<\/a>.<\/li>\n\n\n\n<li><a href=\"https:\/\/cloud.google.com\/iam\/docs\/understanding-roles#cloudkms.admin\">Cloud KMS Admin <\/a>(roles\/cloudkms.admin) <strong>IAM role<\/strong> on the project or a parent resource to Create Key<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Create a Key (Asymmetric Signing key)<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"843\" src=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-hsm-key-kms.webp\" alt=\"\" class=\"wp-image-4177\" srcset=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-hsm-key-kms.webp 700w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/create-hsm-key-kms-249x300.webp 249w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the Google Cloud console, go to the <a href=\"https:\/\/console.cloud.google.com\/security\/kms\">Key Management <\/a>page.<\/li>\n\n\n\n<li>Click the <strong>name of the key ring<\/strong> for which you will create a key.<\/li>\n\n\n\n<li>Click on <strong>Create key<\/strong>.<\/li>\n\n\n\n<li>For <strong>Key name<\/strong>, enter a name for your key.<\/li>\n\n\n\n<li>For <strong>Protection level<\/strong>, select &#8216;<strong>HSM<\/strong>&#8216;.<\/li>\n\n\n\n<li>For <strong>Key material<\/strong>, select &#8216;<strong>HSM<\/strong>&#8211;<strong>Generated key&#8217;<\/strong>.<\/li>\n\n\n\n<li>For <strong>Purpose<\/strong>, select &#8216;<strong>Asymmetric Signing<\/strong>&#8216;.<\/li>\n\n\n\n<li>For <strong>Algorithm<\/strong>, select <strong>3072-bit RSA, PKCS#1 v1.5 padding &#8211; SHA256 Digest<\/strong> (recommended). You can change this value on future key versions.<\/li>\n\n\n\n<li>Click <strong>Create<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Verify and Download the HSM Attestation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Please navigate inside your <strong>newly generated key<\/strong> and choose the \u201c<strong>Versions<\/strong>\u201d tab. Then, please click on \u201c<strong>Actions\u201d (three dots) -&gt; \u201cVerify attestation\u201d -&gt; \u201cDownload attestation bundle.\u201d<\/strong> You will receive a ZIP file containing the key attestation information.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/verify-attestation-1024x469.webp\" alt=\"\" class=\"wp-image-4178\" srcset=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/verify-attestation-1024x469.webp 1024w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/verify-attestation-300x138.webp 300w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/verify-attestation-768x352.webp 768w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/verify-attestation.webp 1477w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Create the CSR on Google KMS<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Next, you\u2019ll need to generate a CSR using the key you just generated. <span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">There are several different ways you can generate the CSR Using<a href=\"https:\/\/github.com\/mattes\/google-cloud-kms-csr\" target=\"_blank\">&nbsp;open-source utility&nbsp;Tool <\/a>or manually using OpenSSL.<\/span><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><span style=\"box-sizing: border-box; margin: 0px; padding: 0px;\">Here, we\u2019ll be doing it with OpenSSL on Linux (Ubuntu)<\/span>:<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is a cloud-hosted key, not a private key just placed on the hard disk (USB), so we need to configure Google Cloud KMS PKCS#11 Library with OpenSSL to create CSR.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisites:<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Install the <strong>libengine-pkcs11-openssl package<\/strong> using the command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt-get update\nsudo apt-get install libengine-pkcs11-openssl<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">PKCS #11 Library Configuration:<\/h3>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li><strong>Download the Google PKCS #11 library<\/strong> (libkmsp11.so) from the <a href=\"https:\/\/github.com\/GoogleCloudPlatform\/kms-integrations\/releases\">GoogleCloudPlatform\/kms-integrations GitHub releases page<\/a>.<\/li>\n\n\n\n<li><strong>Extract the downloaded archive<\/strong> and <strong>store libkmsp11.so in \/usr\/local\/lib<\/strong>.<\/li>\n\n\n\n<li><strong>Set the PKCS11_MODULE_PATH environment variable<\/strong> with this command:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code><em>export PKCS11_MODULE_PATH=\"\/path\/to\/libkmsp11.so\"<\/em><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong> (Modify the path to reflect the location where you extracted the library.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Create a YAML Configuration File<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The PKCS #11 library requires a YAML configuration file to locate Cloud KMS resources. The YAML must, at a minimum, configure a single PKCS #11 token.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Create a YAML config file<\/strong> (text file in \/etc\/pkcs11-kms.yml) and <strong>set the KMS_PKCS11_CONFIG environment variable<\/strong> with this command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>---\ntokens:\n- key_ring: \"projects\/{projectId}\/locations\/{location}\/keyRings\/{keyRingName}\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Where <strong>{projectId}<\/strong> is your <strong>Google Cloud project ID<\/strong> (A string, not a number; you can check it on the Billing Projects page), <strong>{location}<\/strong> should be the <strong>location where your keyring is hosted<\/strong> (e.g., europe-west6), and <strong>{keyRingName}<\/strong> should be the <strong>name<\/strong> you\u2019ve used when creating the key ring.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">All asymmetric signing and decryption keys in <strong>my-keyring<\/strong> will be available in the<strong> library<\/strong> with this configuration.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a>Set the Permission<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You must set the permissions on the configuration file so that it is writable only by the file owner. <strong>Point KMS_PKCS11_CONFIG to your config file:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>export KMS_PKCS11_CONFIG=\"\/path\/to\/pkcs11-config.yaml\"<\/em><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Google Cloud Authentication<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Set up an authentication method for Google KMS using <strong>Workload Identity Federation<\/strong> or <strong>create a Service Account<\/strong>. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>To create a service account, follow these steps:<\/strong><\/p>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Go to <a href=\"https:\/\/console.cloud.google.com\/iam-admin\/serviceaccounts\">Service Accounts<\/a>.<\/li>\n\n\n\n<li>Click <strong>Create Service Account<\/strong>.<\/li>\n\n\n\n<li>Open up the <strong>applicable project<\/strong>.<\/li>\n\n\n\n<li>Grant <strong>Cloud KMS Admin<\/strong> and <strong>Cloud KMS Crypto Operator<\/strong> roles to the service account. (required)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>After creating the service account, create a new JSON key by following these steps:<\/strong><\/p>\n\n\n\n<ul start=\"1\" class=\"wp-block-list\">\n<li>Go to <strong>Menu &gt; IAM &amp; Admin &gt; Service Accounts<\/strong> in the Google Cloud console.<\/li>\n\n\n\n<li>Select <strong>your service account<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Keys &gt; Add key &gt; Create new key<\/strong>.<\/li>\n\n\n\n<li>Select <strong>JSON<\/strong>, then click <strong>Create<\/strong>.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1016\" height=\"591\" src=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/json-file-png.webp\" alt=\"Create Json File\" class=\"wp-image-4176\" srcset=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/json-file-png.webp 1016w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/json-file-300x175.webp 300w, https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/json-file-768x447.webp 768w\" sizes=\"auto, (max-width: 1016px) 100vw, 1016px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Your new public\/private key pair is generated and downloaded to your machine as a new file. <strong>Save the downloaded JSON file as credentials.json <\/strong>in your working directory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of your private key JSON file using the following command:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>export GOOGLE_APPLICATION_CREDENTIALS=\"\/absolute\/path\/to\/credentials\/file.json\"<\/em><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong> (Update the path to where you\u2019ve stored the file.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configuration Done!<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You\u2019ve configured OpenSSL to use Google KMS as a PKCS #11 provider. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>If you need to troubleshoot your connection to Google KMS, Install the pkcs11-tool with the following code:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>sudo apt install opensc<\/em><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Now you need to run <em>pkcs11-tool &#8211;module \/path\/to\/libkmsp11.so &#8211;list-objects<\/em> to see the list of keys you can access. (Update the path to where you\u2019ve stored the file.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a><\/a>Generate CSR With OpenSSL<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">You can now generate the CSR using a command like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl req -new -subj '\/CN=Your Company Name, LLC\/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:object=your_key_name <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Replace the following:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CERTIFICATE_NAME:<\/strong> a name for the certificate that you want to generate.<\/li>\n\n\n\n<li><strong>DIGEST_FLAG:<\/strong> a flag indicating the type of digest. Use -sha256, -sha384, or -sha512 depending on the algorithm of the key.<\/li>\n\n\n\n<li><strong>KEY_ID:<\/strong> the fully qualified resource ID of an asymmetric signing key version\u2014for example,<\/li>\n\n\n\n<li><strong>REQUEST_NAME:<\/strong> a name for the certificate signing request.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Make sure you use the correct <strong>-sigopt options<\/strong> for the type of key that you&#8217;re using.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">You can&#8217;t use an object ID longer than 100 characters with OpenSSL. Use short KeyRing and CryptoKey names, or use pkcs11:object=KEY_NAME instead. For more information on the OpenSSL object ID limit, see the <a href=\"https:\/\/github.com\/OpenSC\/libp11\/issues\/531\">related issue on GitHub<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Submit the CSR to Your Certificate Provider\/CA<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now that you have your CSR, you can provide it to your <a href=\"https:\/\/signmycode.com\/\">code signing certificate provider<\/a> to obtain the code signing certificate. Complete the certificate enrollment\/generation process with your certificate provider, submitting the CSR and key attestation when prompted.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Important:<\/strong> The key attestation file must be a zip file. Google Cloud offers two different places\/formats where you can download an attestation file; be sure you get the .zip version.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a><\/a>Sign the Code\/Artifact Using SignTool<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After your code signing certificate has been issued, you can use it to sign executables. <strong>Here are instructions for signing with SignTool on a Windows machine:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure that you have <strong>SignTool<\/strong> installed on your computer.<\/li>\n\n\n\n<li><strong>Install the latest Google Cloud KMS CNG provider<\/strong> release on your Windows machine using the .msi installer.<\/li>\n\n\n\n<li>Run <strong>gcloud auth application-default login<\/strong> to authenticate your machine to Google Cloud.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>You\u2019ll now be able to sign your executable using SignTool with the following command:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>signtool sign \/v \/debug \/fd sha256 \/t http:\/\/timestamp.sectigo.com \/f path\/to\/mycertificate.crt \/csp \"Google Cloud KMS Provider\" \/kc projects\/PROJECT_ID\/locations\/LOCATION\/keyRings\/KEY_RING\/cryptoKeys\/KEY_NAME\/cryptoKeyVersions\/1 path\/to\/file.exe<\/em><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong> (Update the path to where you\u2019ve stored the certificate file.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Looking to secure your code with Sectigo Code Signing Certificates? SignMyCode offers both <a href=\"https:\/\/signmycode.com\/sectigo-code-signing\">Sectigo Code Signing<\/a> and <a href=\"https:\/\/signmycode.com\/sectigo-ev-code-signing\">Sectigo EV Code Signing<\/a> at affordable prices. Buy now and enjoy hassle-free code signing with Google Cloud KMS (Key Management Service).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sectigo Code Signing Certificates now integrate seamlessly with Google Cloud HSM (KMS), which empowers developers with an efficient and secure way to sign their code. It integrates a well-founded mechanism that places your private keys directly into FIPS 140-2 Level 3-compliant HSMs, ensuring high security. This will eliminate the need to wait for the physical&hellip; <a class=\"more-link\" href=\"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service\">Read More <span class=\"screen-reader-text\">Sectigo Code Signing Instructions for Google KMS: Create HSM Key, Attestation, CSR &amp; Sign Code<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":4180,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463],"tags":[574,576,575],"class_list":["post-4173","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-code-signing","tag-code-signing-using-google-cloud-kms","tag-google-cloud-kms-code-signing","tag-sectigo-code-signing-within-google-kms","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Setting up Sectigo Code Signing Certificates on Google Cloud KMS<\/title>\n<meta name=\"description\" content=\"Follow the step-by-step tutorial to Create CSR, Sign Code and Use Sectigo Code Signing Certificate to Google KMS (Key Management Service).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Setting up Sectigo Code Signing Certificates on Google Cloud KMS\" \/>\n<meta property=\"og:description\" content=\"Follow the step-by-step tutorial to Create CSR, Sign Code and Use Sectigo Code Signing Certificate to Google KMS (Key Management Service).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service\" \/>\n<meta property=\"og:site_name\" content=\"SignMyCode - Resources\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-30T05:27:22+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-13T10:33:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/sectigo-code-signing-cert-google-kms.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"912\" \/>\n\t<meta property=\"og:image:height\" content=\"453\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Janki Mehta\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Sign_My_Code\" \/>\n<meta name=\"twitter:site\" content=\"@Sign_My_Code\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Janki Mehta\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service\"},\"author\":{\"name\":\"Janki Mehta\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#\\\/schema\\\/person\\\/2e80276fd34fd5439c04cd3cb96a389f\"},\"headline\":\"Sectigo Code Signing Instructions for Google KMS: Create HSM Key, Attestation, CSR &amp; Sign Code\",\"datePublished\":\"2025-01-30T05:27:22+00:00\",\"dateModified\":\"2026-02-13T10:33:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service\"},\"wordCount\":1480,\"publisher\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/sectigo-code-signing-cert-google-kms.webp\",\"keywords\":[\"Code Signing using Google Cloud KMS\",\"Google Cloud KMS Code Signing\",\"Sectigo Code Signing within Google KMS\"],\"articleSection\":[\"Cloud Code Signing\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service\",\"url\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service\",\"name\":\"Setting up Sectigo Code Signing Certificates on Google Cloud KMS\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/sectigo-code-signing-cert-google-kms.webp\",\"datePublished\":\"2025-01-30T05:27:22+00:00\",\"dateModified\":\"2026-02-13T10:33:36+00:00\",\"description\":\"Follow the step-by-step tutorial to Create CSR, Sign Code and Use Sectigo Code Signing Certificate to Google KMS (Key Management Service).\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage\",\"url\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/sectigo-code-signing-cert-google-kms.webp\",\"contentUrl\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/wp-content\\\/uploads\\\/2025\\\/01\\\/sectigo-code-signing-cert-google-kms.webp\",\"width\":912,\"height\":453,\"caption\":\"Setup Sectigo Code Signing Cert to Google Cloud KMS\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/sectigo-code-signing-implementations-on-google-kms-key-management-service#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Sectigo Code Signing Instructions for Google KMS: Create HSM Key, Attestation, CSR &amp; Sign Code\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#website\",\"url\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/\",\"name\":\"SignMyCode - Resources\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#organization\",\"name\":\"SignMyCode\",\"url\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/logo1.png\",\"contentUrl\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/logo1.png\",\"width\":135,\"height\":86,\"caption\":\"SignMyCode\"},\"image\":{\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Sign_My_Code\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/signmycode.com\\\/resources\\\/#\\\/schema\\\/person\\\/2e80276fd34fd5439c04cd3cb96a389f\",\"name\":\"Janki Mehta\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/74a1328bbec77f3a65123c2396050e61b60fe3831478ceb96b55e5a0fe44e370?s=96&d=blank&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/74a1328bbec77f3a65123c2396050e61b60fe3831478ceb96b55e5a0fe44e370?s=96&d=blank&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/74a1328bbec77f3a65123c2396050e61b60fe3831478ceb96b55e5a0fe44e370?s=96&d=blank&r=g\",\"caption\":\"Janki Mehta\"},\"description\":\"Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web\\\/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.\",\"sameAs\":[\"http:\\\/\\\/smcresources.ssltoolsonline.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Setting up Sectigo Code Signing Certificates on Google Cloud KMS","description":"Follow the step-by-step tutorial to Create CSR, Sign Code and Use Sectigo Code Signing Certificate to Google KMS (Key Management Service).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service","og_locale":"en_US","og_type":"article","og_title":"Setting up Sectigo Code Signing Certificates on Google Cloud KMS","og_description":"Follow the step-by-step tutorial to Create CSR, Sign Code and Use Sectigo Code Signing Certificate to Google KMS (Key Management Service).","og_url":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service","og_site_name":"SignMyCode - Resources","article_published_time":"2025-01-30T05:27:22+00:00","article_modified_time":"2026-02-13T10:33:36+00:00","og_image":[{"width":912,"height":453,"url":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/sectigo-code-signing-cert-google-kms.webp","type":"image\/jpeg"}],"author":"Janki Mehta","twitter_card":"summary_large_image","twitter_creator":"@Sign_My_Code","twitter_site":"@Sign_My_Code","twitter_misc":{"Written by":"Janki Mehta","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#article","isPartOf":{"@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service"},"author":{"name":"Janki Mehta","@id":"https:\/\/signmycode.com\/resources\/#\/schema\/person\/2e80276fd34fd5439c04cd3cb96a389f"},"headline":"Sectigo Code Signing Instructions for Google KMS: Create HSM Key, Attestation, CSR &amp; Sign Code","datePublished":"2025-01-30T05:27:22+00:00","dateModified":"2026-02-13T10:33:36+00:00","mainEntityOfPage":{"@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service"},"wordCount":1480,"publisher":{"@id":"https:\/\/signmycode.com\/resources\/#organization"},"image":{"@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage"},"thumbnailUrl":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/sectigo-code-signing-cert-google-kms.webp","keywords":["Code Signing using Google Cloud KMS","Google Cloud KMS Code Signing","Sectigo Code Signing within Google KMS"],"articleSection":["Cloud Code Signing"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service","url":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service","name":"Setting up Sectigo Code Signing Certificates on Google Cloud KMS","isPartOf":{"@id":"https:\/\/signmycode.com\/resources\/#website"},"primaryImageOfPage":{"@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage"},"image":{"@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage"},"thumbnailUrl":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/sectigo-code-signing-cert-google-kms.webp","datePublished":"2025-01-30T05:27:22+00:00","dateModified":"2026-02-13T10:33:36+00:00","description":"Follow the step-by-step tutorial to Create CSR, Sign Code and Use Sectigo Code Signing Certificate to Google KMS (Key Management Service).","breadcrumb":{"@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#primaryimage","url":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/sectigo-code-signing-cert-google-kms.webp","contentUrl":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2025\/01\/sectigo-code-signing-cert-google-kms.webp","width":912,"height":453,"caption":"Setup Sectigo Code Signing Cert to Google Cloud KMS"},{"@type":"BreadcrumbList","@id":"https:\/\/signmycode.com\/resources\/sectigo-code-signing-implementations-on-google-kms-key-management-service#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/signmycode.com\/resources\/"},{"@type":"ListItem","position":2,"name":"Sectigo Code Signing Instructions for Google KMS: Create HSM Key, Attestation, CSR &amp; Sign Code"}]},{"@type":"WebSite","@id":"https:\/\/signmycode.com\/resources\/#website","url":"https:\/\/signmycode.com\/resources\/","name":"SignMyCode - Resources","description":"","publisher":{"@id":"https:\/\/signmycode.com\/resources\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/signmycode.com\/resources\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/signmycode.com\/resources\/#organization","name":"SignMyCode","url":"https:\/\/signmycode.com\/resources\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/signmycode.com\/resources\/#\/schema\/logo\/image\/","url":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2021\/11\/logo1.png","contentUrl":"https:\/\/signmycode.com\/resources\/wp-content\/uploads\/2021\/11\/logo1.png","width":135,"height":86,"caption":"SignMyCode"},"image":{"@id":"https:\/\/signmycode.com\/resources\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Sign_My_Code"]},{"@type":"Person","@id":"https:\/\/signmycode.com\/resources\/#\/schema\/person\/2e80276fd34fd5439c04cd3cb96a389f","name":"Janki Mehta","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/74a1328bbec77f3a65123c2396050e61b60fe3831478ceb96b55e5a0fe44e370?s=96&d=blank&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/74a1328bbec77f3a65123c2396050e61b60fe3831478ceb96b55e5a0fe44e370?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/74a1328bbec77f3a65123c2396050e61b60fe3831478ceb96b55e5a0fe44e370?s=96&d=blank&r=g","caption":"Janki Mehta"},"description":"Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web\/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.","sameAs":["http:\/\/smcresources.ssltoolsonline.com"]}]}},"_links":{"self":[{"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/posts\/4173","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/comments?post=4173"}],"version-history":[{"count":6,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/posts\/4173\/revisions"}],"predecessor-version":[{"id":4682,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/posts\/4173\/revisions\/4682"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/media\/4180"}],"wp:attachment":[{"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/media?parent=4173"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/categories?post=4173"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/signmycode.com\/resources\/wp-json\/wp\/v2\/tags?post=4173"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}