Integration Guide: Microsoft Authenticode
Imprint

Copyright 2015 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany

phone    +49 (0)241 / 1696-200
fax      +49 (0)241 / 1696-199
web      http://hsm.utimaco.com
email    [email protected]

version  1.0.0
date     October 2015
author   System Engineering HSM
document no.  Microsoft Authenticode

All rights reserved. No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.
Contents

1 Introduction
2 Requirements
3 Setting Up CryptoServer Device
4 Microsoft Authenticode Setup
  4.1 Installing the Windows SDK
  4.2 Create Certificate Request
  4.3 Install Code Signing Certificate
5 Code Signing
6 Further Information
1 Introduction

Authenticode relies on proven cryptographic techniques from Microsoft and the use of one or more private keys to sign and timestamp published software. From a security point of view it is important to maintain the confidentiality of these code signing keys. The CryptoServer Hardware Security Module (HSM) integrates with Microsoft Authenticode to provide a trusted system for protecting the organizational credentials of a software publisher. The CryptoServer HSM secures the code signing keys in hardware certified to the industry standard FIPS 140-2.
This integration guide covers all the necessary information to install, configure and integrate Microsoft Authenticode with CryptoServer Hardware Security Modules (HSM).
2 Requirements

You should have prepared an installed Windows Server 2012 R2 operating system. If you are using a PCI(e) card you also have to install the necessary driver for that card.

Software and Hardware Requirements

HSM Model       CryptoServer CS(e)-Series / Se-Series PCI(e)
HSM Firmware    SecurityServer 3.21.0
                SecurityServer 3.30.0
Software        Microsoft SDK 8.1
3 Setting Up CryptoServer Device

To set up a CryptoServer device for the Utimaco CSP, open the Control Panel and select the Utimaco CSP Configuration applet.
1. Go to the Devices tab in the CryptoServer CSP Configuration window.
2. Click the Add Device button.
This opens the Device Settings dialog box. In Device Specifier, enter the device specifier relevant for your CryptoServer device.
• If this is a CryptoServer PCI or PCIe card, this is PCI:0.
• If this is a CryptoServer LAN, enter an IP address (for example 192.168.5.17).
• If you want to use the CryptoServer Simulator, enter [email protected] as the device address.
3. In Group you now see the name of a computer. You may change this to your own or keep the default.
4. Click the OK button. This opens the User Logon dialog box. This window displays all users available in the user database of the given CryptoServer device.
5. Select the ADMIN user in the user list.
6. Click the Logon button. The Authentication with Key dialog box opens.
7. Select the source of the private user key, either smartcard token or key file.
8. Click the OK button.
9. Authenticate yourself with the intended authentication method. Once you have successfully
authenticated yourself to the CryptoServer, you see a key lock symbol in the User Logon dialog
box next to the entry for the ADMIN user.
10. Click OK to close the User Logon dialog box.
11. Click OK to close the CryptoServer CSP Configuration window and the CSP Configuration applet.
4 Microsoft Authenticode Setup

4.1 Installing the Windows SDK

The Authenticode programs (certutil, cert2spc, signtool) are installed with Microsoft Visual Studio and the Microsoft Windows SDK. Refer to the appropriate Microsoft Windows SDK installation documentation.
4.2 Create Certificate Request

It is necessary to create a specific certificate for code signing purposes. This certificate is installed in the local Windows certificate store (e.g. the personal store). To retrieve an official code signing certificate issued by a certification authority you have to create a certificate signing request (CSR) first. Normally an official certificate authority (e.g. VeriSign, Thawte, DigiCert) will create and sign a certificate based on your certificate request. If you don't need an officially signed certificate, you can also use an in-house certificate authority (e.g. Microsoft Windows Server 2012 Certification Authority).
To create a code signing certificate request you first need to create a template file with the extension .inf. You will then issue the certificate request based on this template file using Microsoft's utility certreq.exe, which is included in Microsoft Windows Server 2012 R2. Create a file called request.inf which should include, amongst others, the following information:
• The subject details must include a 2-letter country code "C" and a common name "CN", which may be your company name.
• Key algorithm and key length as required (e.g. RSA, 2048 bit key).
• KeyContainer name, as this will be used to store the private key in the CryptoServer and to distinguish several code signing keys from each other.
• Name of the Cryptographic Service Provider. For use with CryptoServer this needs to be Utimaco CryptoServer Key Storage Provider.
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=Utimaco GmbH,OU=SE HSM,O=Utimaco GmbH,S=NRW,L=Aachen,C=DE"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
KeyContainer = CodeSigning
ProviderName = "Utimaco CryptoServer CSP"
ProviderType = 1
KeyUsage = 0x04
It is important that the ProviderName is given as Utimaco CryptoServer CSP. This links the code signing certificate with the private key which is stored in the CryptoServer.
1. Save the content of the file request.inf to some directory. Make sure you don't copy and paste the quotation marks from this document.
2. Open a command shell prompt.
3. Change to the directory where you have saved your request.inf file.
4. Execute the next command. If you want to review the actions performed on the CryptoServer for debugging purposes, you can follow them in the log file cs2cng.log. The location and the log level of this file can be configured using the Utimaco CSP Configuration applet.
    C:\>certreq -new request.inf request.req
    CertReq: Request Created
certreq creates a certificate request file request.req that can either be sent to an official certificate
authority or be signed with your in-house certificate authority. The second option is introduced in the
next section.
4.3 Install Code Signing Certificate
After creating a certificate request, you obtain the certificate either from an official certificate authority or from your own certificate authority. To use your code signing certificate you need to install it in your local Windows certificate store.
1. Import the obtained certificate into the user's personal certificate store. As this setup is 32-bit, make sure to use the 32-bit Microsoft Certificate Manager Console.
    C:\>certmgr.msc
2. Right-click Personal > All Tasks > Import... and follow the instructions to import the signed certificate. Verify that the certificate has been imported successfully.
3. Double click the certificate and confirm that there is a private key mapped with this certificate.
Check the message at the bottom.
4. If the certificate is not mapped to its private key in the CryptoServer, repair the code signing certificate using the certutil -repairstore utility.
• Open the code signing certificate.
• Browse to the Details tab.
• Select the Serial number field.
• Copy the serial number or the thumbprint.
• Execute the command certutil -repairstore -user My <SerialNumber or Thumbprint> to link the private key on the CryptoServer with the code signing certificate.
    C:\>certutil -repairstore my <serial number>
5. After the repairstore command has been successfully executed, refresh the certificate manager snap-in, open the certificate and make sure you see the message "You have a private key that corresponds to this certificate".
5 Code Signing

Once the code signing certificate has been installed in the local personal Windows certificate store, it is possible to sign your executables, dynamic link libraries or cabinet files. To run signtool for signing you need to open a developer console. The developer console is part of the Windows SDK, and only in this console is signtool included in your local Windows search path.
    C:\>signtool sign /v /n "Utimaco GmbH" sample.exe
    The following certificate was selected:
    Issued to: Utimaco GmbH
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires: Wed Aug 17 14:00:00 2016
    SHA1 hash: 985E9A41B797D7F6BCA99CA46E2321AD30F0FBFB
    Done Adding Additional Store
    Successfully signed: sample.exe
    Number of files successfully Signed: 1
    Number of warnings: 0
    Number of errors: 0
You can also include a timestamp in the digital signature of your code signing. Add a timestamping authority such as VeriSign (http://timestamp.verisign.com/scripts/timstamp.dll) as an extra parameter to signtool, as shown next.
    C:\>signtool sign /v /n "Utimaco GmbH" /t http://timestamp.verisign.com/scripts/timstamp.dll sample.exe
    The following certificate was selected:
    Issued to: Utimaco GmbH
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires: Wed Aug 17 14:00:00 2016
    SHA1 hash: 985E9A41B797D7F6BCA99CA46E2321AD30F0FBFB
    Done Adding Additional Store
    Successfully signed: sample.exe
    Number of files successfully Signed: 1
    Number of warnings: 0
    Number of errors: 0
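The next script is likewise an added example rather than part of the guide. It reproduces the timestamped signtool call above from PowerShell, but selects the certificate by thumbprint (/sha1) instead of by subject name (/n), so that two certificates with the same CN cannot be confused, and then checks the result both with Get-AuthenticodeSignature and with signtool verify. It assumes signtool.exe is on the path (i.e. it is run from the Windows SDK developer console) and takes the subject CN and the timestamp URL from the guide as defaults; the file to sign is passed as a parameter.

```powershell
# Added example (not from the Utimaco guide): sign a file with the HSM-backed
# certificate via signtool, add a timestamp, then verify the signature.
# Assumes signtool.exe is on PATH (Windows SDK developer console). Defaults
# are taken from the guide; the file to sign is passed as -File.
param(
    [Parameter(Mandatory = $true)][string]$File,
    [string]$SubjectCN    = "Utimaco GmbH",
    [string]$TimestampUrl = "http://timestamp.verisign.com/scripts/timstamp.dll"
)

if (-not (Test-Path -Path $File)) { throw "File not found: $File" }
if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) {
    throw "signtool.exe is not on PATH; run this from the Windows SDK developer console"
}

# Newest unexpired certificate for the CN that has a mapped private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable code signing certificate for CN=$SubjectCN in Cert:\CurrentUser\My" }

# /sha1 pins the certificate by thumbprint; /t is the Authenticode timestamp
# option the guide uses. signtool hands the file hash to the CSP for the RSA
# operation, so the private key stays inside the CryptoServer.
& signtool.exe sign /v /sha1 $cert.Thumbprint /t $TimestampUrl $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with the Windows Authenticode policy: the status must be Valid, the
# signer must be the certificate we chose, and a timestamp countersignature
# must be present, otherwise the signature stops validating when the
# certificate expires.
$sig = Get-AuthenticodeSignature -FilePath $File
if ($sig.Status -ne "Valid") {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "File was signed with $($sig.SignerCertificate.Thumbprint), expected $($cert.Thumbprint)"
}
if (-not $sig.TimeStamperCertificate) {
    Write-Warning "No timestamp in signature; it will become invalid when the certificate expires"
}

# Second opinion from signtool itself (/pa = default Authenticode verification policy).
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

[pscustomobject]@{
    File        = $File
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    TimeStamper = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
    Status      = $sig.Status
}
```

Usage: `.\sign-and-verify.ps1 -File .\sample.exe`. The guide's command leaves signtool at its default file digest and uses the older Authenticode timestamp protocol (/t); current signtool releases also accept `/fd sha256` for the file digest and `/tr <url> /td sha256` for an RFC 3161 timestamp, which is what most publishers use today. Whichever options you choose, keep the verification step: a signature that signtool reports as successful can still fail to validate on the target machine if the chain or the timestamp is not trusted there.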
6 Further Information

This document forms a part of the information and support provided by Utimaco IS GmbH. Additional documentation can be found on the product CD in the documentation directory or at http://hsm.utimaco.com.
Contact

Utimaco IS GmbH
Germanusstraße 4
D - 52080 Aachen
Germany

phone    +49 241 1696 - 200
fax      +49 241 1696 - 199
web      https://hsm.utimaco.com
email    [email protected]