Code Signing Private Key Protection Requirements for Cloud HSM Providers.
Effective 1 June 2023, the code signing certificate key pair must be generated and stored in a hardware crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+. This means the key pair will be generated in a device where the private key cannot be exported.
If you are using a Cloud Key Storage solution such as Azure Key Vault or AWS CloudHSM as your provider, you will be impacted by the new compliance requirements. Following the June 1st, 2023 deadline, if you have not completed Code Signing Verification, you will be blocked from issuing or renewing Code Signing certificates.
This article outlines the requirements for submitting the information about your cloud HSM setup to satisfy the verification requirements.
Prerequisites:
• A subscription to Microsoft Azure
• Azure Key Vault with Managed HSM activated (instructions to activate Managed HSM).
Supported Vendors:
• Microsoft Azure Key Vault
• Amazon AWS CloudHSM (Instructions coming soon)
Configure Policies in Azure Key Vault
The following three Azure Policies must be assigned to demonstrate adequate protection of the private keys in your Azure environment. All three policies must be in a “Compliant” state. The instructions below will guide you to assign the following three policies.
- Policy #1: Keys should be backed by a hardware security module (HSM)
- Policy #2: Resource logs in Key Vault should be enabled
- Policy #3: Resource logs in Azure Key Vault Managed HSM should be enabled
Assign policy #1 (Keys should be backed by a hardware security module (HSM))
3. Search for “Keys should be backed by a hardware security module (HSM)” then click Add
4. Click Review & Create, then click Create in the next step.
5. The following must be true on resource compliance:
- Resource Compliance state should be Compliant.
- At least one resource must be compliant.
- No exceptions are permitted.
Note: The policy check might take up to 48 hours to complete.
Assign policy #2 (Resource logs in Key Vault should be enabled)
2. Click on the ellipsis menu for the policy definition
- Resource Compliance state should be Compliant.
- At least one resource must be compliant.
- No exceptions are permitted.
Assign policy #3 (Resource logs in Azure Key Vault Managed HSM should be enabled)
1. Log in to your Azure environment and go to “Policy.” Click on “Assign policy.”
2. Click on the ellipsis menu for the policy definition
- Resource Compliance state should be Compliant.
- No exceptions are permitted.
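The conditions above (every evaluated resource Compliant, at least one resource evaluated, no exceptions) and the non-exportable HSM key requirement from the opening paragraph can be checked from the command line before you submit. The following is an added example, not part of this article and not Microsoft or CA tooling: it applies those conditions to JSON shaped like the output of `az policy state list -o json` and `az keyvault key show -o json`. The field names (`policyAssignmentName`, `complianceState`, `key.kty`, `attributes.exportable`), the assignment names and the sample records are assumptions constructed for the example; substitute your own captured output and assignment names.

```python
# Display names of the three built-in policies named in the article, mapped to
# the names assumed (constructed here) for their assignments. In a real tenant
# use whatever names you gave the assignments.
ASSIGNMENTS = {
    "Keys should be backed by a hardware security module (HSM)": "codesign-hsm-keys",
    "Resource logs in Key Vault should be enabled": "codesign-kv-logs",
    "Resource logs in Azure Key Vault Managed HSM should be enabled": "codesign-mhsm-logs",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed sample of policy state records, shaped like `az policy state list -o json`
# output (field names are an assumption, not captured from a real tenant).
SAMPLE_STATES = [
    {"policyAssignmentName": "codesign-hsm-keys",
     "resourceId": SUB + "/resourceGroups/rg-cs/providers/Microsoft.KeyVault/vaults/kv-cs/keys/cs-key",
     "complianceState": "Compliant"},
    {"policyAssignmentName": "codesign-hsm-keys",
     "resourceId": SUB + "/resourceGroups/rg-cs/providers/Microsoft.KeyVault/vaults/kv-cs/keys/old-soft-key",
     "complianceState": "NonCompliant"},
    {"policyAssignmentName": "codesign-kv-logs",
     "resourceId": SUB + "/resourceGroups/rg-cs/providers/Microsoft.KeyVault/vaults/kv-cs",
     "complianceState": "Compliant"},
    {"policyAssignmentName": "codesign-mhsm-logs",
     "resourceId": SUB + "/resourceGroups/rg-cs/providers/Microsoft.KeyVault/managedHSMs/mhsm-cs",
     "complianceState": "Exempt"},
]

# Constructed samples shaped like `az keyvault key show -o json` output.
HSM_KEY = {"key": {"kty": "RSA-HSM", "kid": "https://kv-cs.vault.azure.net/keys/cs-key/1"},
           "attributes": {"enabled": True, "exportable": False}}
SOFTWARE_KEY = {"key": {"kty": "RSA", "kid": "https://kv-cs.vault.azure.net/keys/old-soft-key/1"},
                "attributes": {"enabled": True, "exportable": False}}


def evaluate_assignment(states, assignment_name):
    """Apply the article's three conditions to one policy assignment.

    Returns (passed, reason). The assignment passes only if at least one
    resource was evaluated, no resource is Exempt (an exemption is an
    exception), and every evaluated resource is Compliant."""
    records = [s for s in states if s["policyAssignmentName"] == assignment_name]
    if not records:
        return False, "no evaluation results yet (the policy check may take up to 48 hours)"
    exempt = [r["resourceId"] for r in records if r["complianceState"] == "Exempt"]
    if exempt:
        return False, "exempted resources are not permitted: " + ", ".join(exempt)
    failing = [r["resourceId"] for r in records if r["complianceState"] != "Compliant"]
    if failing:
        return False, "not Compliant: " + ", ".join(failing)
    return True, f"{len(records)} resource(s) Compliant"


def key_is_hsm_protected(key_json):
    """True when the key type is an HSM-backed type (RSA-HSM or EC-HSM) and the
    key is not marked exportable. The 'exportable' attribute is assumed to be
    present in the output, as in the samples above; a missing attribute is
    treated as not exportable."""
    kty = key_json["key"]["kty"]
    exportable = key_json.get("attributes", {}).get("exportable", False)
    return kty.endswith("-HSM") and not exportable


def verification_report(states, assignments=ASSIGNMENTS):
    """Evaluate every required policy; returns {policy display name: (passed, reason)}."""
    return {policy: evaluate_assignment(states, name) for policy, name in assignments.items()}


def ready_for_submission(states, signing_key, assignments=ASSIGNMENTS):
    """Overall gate: all three policies pass and the signing key is HSM-protected."""
    report = verification_report(states, assignments)
    return all(ok for ok, _ in report.values()) and key_is_hsm_protected(signing_key)


if __name__ == "__main__":
    for policy, (ok, reason) in verification_report(SAMPLE_STATES).items():
        print(f"{'PASS' if ok else 'FAIL'}  {policy}: {reason}")
    print("signing key HSM-protected:", key_is_hsm_protected(HSM_KEY))
    print("ready for submission:", ready_for_submission(SAMPLE_STATES, HSM_KEY))
```

With the constructed sample, policy #1 fails because a leftover software-protected key is evaluated as NonCompliant and policy #3 fails because the Managed HSM resource is exempted; both conditions are exactly what the verification review would reject, so the script reports the same result a reviewer would, before the 48-hour policy evaluation cycle is spent on a resubmission.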
If you require assistance assigning these policies, please contact Microsoft Azure’s support team.