
Code Signing Private Key Protection Requirements for Cloud HSM Providers


Effective June 1, 2023, the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+. This means the key pair will be generated in a device where the private key cannot be exported.

If you are using a Cloud Key Storage solution such as Azure Key Vault or Amazon Key Management Service (KMS) as your provider, you will be impacted by the new compliance requirements. Following the June 1, 2023 deadline, if you have not completed Code Signing Verification, you will be blocked from issuing or renewing Code Signing certificates.

This article outlines the requirements for submitting the information about your cloud HSM setup to satisfy the verification requirements.

Supported Vendors

Prerequisites

  • A subscription to Amazon Key Management Service (KMS), AWS CloudHSM, Azure Key Vault, or Azure Key Vault Managed HSM
  • A subscription to the CloudTrail service (if using Amazon KMS or AWS CloudHSM)
  • Sufficient privileges to view and create keys and trails

Azure Key Vault: Configure Policies

The following two Azure Policies must be assigned to demonstrate adequate protection of the private keys in your Azure environment. Both policies must be in a “Compliant” state. The instructions below will guide you through assigning them.

Note: Azure Key Vault Standard SKU is not supported, as it is not compliant with the CA/Browser Forum requirements: keys must be created in a Hardware Security Module, and HSM-backed keys are available only in the Premium tier.

  • Confirm SKU (Pricing tier)
  • Policy #1: Keys should be backed by a hardware security module (HSM)
  • Policy #2: Resource logs in Key Vault should be enabled

Confirm SKU (Pricing tier)

1. Log in to your Azure environment and open Key Vault.

2. Select the key vault that is being used to store the Code Signing keys (repeat this step if you have multiple key vaults to store the Code Signing keys).

3. Click the Overview tab and take a screenshot of the screen to confirm you have a “Premium” SKU. Provide this screenshot to Entrust.


Assign policy #1 (Keys should be backed by a hardware security module (HSM))

1. Log in to your Azure environment and go to the Policy screen. Click Assign policy.

2. Click the ... (ellipsis) menu for the policy definition.

3. Search for “Keys should be backed by a hardware security module (HSM)” and then click Add.

4. Click Review & Create, then click Create in the next step.

5. The following must be true for resource compliance:

  • Resource Compliance state should be compliant
  • At least one resource must be compliant
  • No exceptions are permitted

Note: The policy check might take up to 48 hours to complete.


Assign policy #2 (Resource logs in Key Vault should be enabled)

1. Go to the Policy screen and click Assign policy.

2. Click the ... (ellipsis) menu for the policy definition.

3. Search for “Resource logs in Key Vault should be enabled” and then click Add.

4. Click Review & Create, then click Create in the next step.

5. The following must be true on the resource Compliance screen:

  • Resource compliance state should be compliant
  • At least one resource must be compliant
  • No exceptions are permitted

Note: The policy check might take up to 48 hours to complete.


Azure Key Vault Managed HSM: Configure Policy

The following Azure Policy must be assigned to demonstrate adequate protection of the private keys in your Azure environment. The policy must be in a “Compliant” state. The instructions below will guide you through assigning it.

Confirm Azure Key Vault Managed HSM

1. Log in to your Azure environment and open Azure Key Vault Managed HSMs.

2. Take a screenshot of the screen to confirm you have at least one HSM created. Provide this screenshot to Entrust.


Assign policy: Resource logs in Azure Key Vault Managed HSM should be enabled

1. Log in to your Azure environment and go to Policy > Assign policy.

2. Click the ... (ellipsis) menu for the policy definition.

3. Search for “Resource logs in Azure Key Vault Managed HSM should be enabled” and then click Add.

4. Click Review & Create, then click Create in the next step.

5. The following must be true for resource compliance:

  • Resource Compliance state should be compliant
  • At least one resource must be compliant
  • No exceptions are permitted

Note: The policy check might take up to 48 hours to complete.


If you need help assigning these policies, please contact Microsoft Azure’s support team.

Amazon KMS: Configure Keys and CloudTrail in Amazon Key Management Service

1. Ensure all existing and enabled keys are properly configured.

2. Ensure at least one trail is properly enabled.

Ensure all existing and enabled keys are properly configured

To comply with the Code Signing Baseline Requirements, the following must be true for all enabled keys under “Customer managed keys.”

  • Key Origin: AWS KMS
  • Key Type: Asymmetric
  • Key Usage: Sign and Verify
  • Key Spec: 3072 or 4096 (recommended)

Note: If you have created multiple keys, all of the above must be true for each of them except Key Usage, which can be set to either Sign and Verify or Encrypt and Decrypt. However, at least one key must have the Key Usage setting Sign and Verify.

1. Log into your Amazon Web Services account.

2. Open Key Management Service (KMS).

3. Select Customer managed keys from the left menu.

4. Take a screenshot of this page. Make sure that all the required columns are included in the screenshot.


At least one Trail must be properly enabled.

At least one trail must be in “Logging” status to ensure that KMS is configured to log all access, operations, and configuration changes.

1. Open CloudTrail from the list of services.

2. If you have an existing Trail, open it by clicking the trail.


Note: Make sure that Exclude AWS KMS events is set to No. If you do not have an existing trail, create a new one and make sure that Exclude AWS KMS events is not selected. Take a screenshot of this page.

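As an added example (not part of this article or of Entrust's own tooling), the Amazon KMS and CloudTrail checks above expressed as a small Python audit over the JSON shapes returned by `aws kms describe-key`, `aws cloudtrail get-trail-status` and `aws cloudtrail get-event-selectors`. The sample data is constructed; the key specs 3072/4096 are taken to mean the API values `RSA_3072`/`RSA_4096`, and the console's “Exclude AWS KMS events” switch is assumed to correspond to `kms.amazonaws.com` appearing in `ExcludeManagementEventSources`.

```python
import json

# Constructed sample data (not from a real account), shaped like `aws kms describe-key`
# KeyMetadata and `aws cloudtrail get-trail-status` / `get-event-selectors` output.
SAMPLE_KEYS = json.loads("""[
 {"KeyId": "key-a", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
  "Origin": "AWS_KMS", "KeySpec": "RSA_4096", "KeyUsage": "SIGN_VERIFY"},
 {"KeyId": "key-b", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
  "Origin": "AWS_KMS", "KeySpec": "RSA_3072", "KeyUsage": "ENCRYPT_DECRYPT"},
 {"KeyId": "key-c", "KeyManager": "CUSTOMER", "KeyState": "Disabled",
  "Origin": "EXTERNAL", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY"}
]""")
SAMPLE_STATUS = {"IsLogging": True}
SAMPLE_SELECTORS = [{"IncludeManagementEvents": True, "ExcludeManagementEventSources": []}]

ALLOWED_SPECS = {"RSA_3072", "RSA_4096"}            # the 3072 / 4096 key specs above
ALLOWED_USAGES = {"SIGN_VERIFY", "ENCRYPT_DECRYPT"}  # per the note on Key Usage

def key_findings(key):
    """Requirement violations for one enabled customer-managed key."""
    problems = []
    if key.get("Origin") != "AWS_KMS":
        problems.append(f"Origin {key.get('Origin')} is not AWS_KMS")
    if key.get("KeySpec") not in ALLOWED_SPECS:
        problems.append(f"KeySpec {key.get('KeySpec')} is not RSA_3072/RSA_4096")
    if key.get("KeyUsage") not in ALLOWED_USAGES:
        problems.append(f"KeyUsage {key.get('KeyUsage')} is not allowed")
    return problems

def check_keys(keys):
    """Audit enabled customer-managed keys (disabled and AWS-managed keys are skipped).
    Returns {KeyId: [problems]} plus "_global" when no enabled key is SIGN_VERIFY."""
    enabled = [k for k in keys
               if k.get("KeyManager") == "CUSTOMER" and k.get("KeyState") == "Enabled"]
    report = {k["KeyId"]: key_findings(k) for k in enabled}
    if not any(k.get("KeyUsage") == "SIGN_VERIFY" for k in enabled):
        report["_global"] = ["no enabled key with KeyUsage SIGN_VERIFY"]
    return report

def trail_ok(status, selectors):
    """Trail is logging and no selector excludes KMS events ("Exclude AWS KMS events")."""
    if not status.get("IsLogging"):
        return False
    for sel in selectors:
        if not sel.get("IncludeManagementEvents", True):
            return False
        if "kms.amazonaws.com" in sel.get("ExcludeManagementEventSources", []):
            return False
    return True
```

Feed it the real responses (one KeyMetadata object per customer-managed key, plus the trail's status and event selectors) to pre-check an account before taking the screenshots requested above.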

AWS CloudHSM

1. Provide a screenshot showing that at least one cluster is in active status with at least one HSM assigned to it.
2. Make sure at least one trail is properly enabled.

Provide a screenshot showing that at least one Cluster is in active status with at least one HSM assigned to it.

1. To get started, log into your AWS console, then open CloudHSM from the Services menu.

2. Take a screenshot of the page that shows the clusters you use to store the Code Signing keys. Make sure that the status is active and at least one HSM is assigned to it. Provide this screenshot to Entrust.


Make sure at least one Trail is properly enabled.

Follow the CloudTrail steps in the Amazon KMS section above to show that at least one trail is in “Logging” status. This ensures that CloudTrail is configured to log all access, operations, and configuration changes of the AWS CloudHSM clusters.

If you have any questions on using Amazon KMS or AWS CloudHSM, please contact the Amazon customer support team.