Microsoft Authenticode
Configure your Microsoft Authenticode to generate and store the encryption keys used to secure the organizational credentials of the software publisher on a Luna Cloud HSM Service. The Luna Cloud HSM Service provides full key life-cycle management with FIPS-certified hardware and reduces the cryptographic load on the host server CPU.
We recommend you use the Luna Cloud HSM for Microsoft Authenticode service for this integration.
Authenticode relies on proven cryptographic techniques and the use of one or more private keys to sign and time-stamp the published software. It is important to maintain the confidentiality of these keys. DPoD Luna Cloud HSM Service integrates with Microsoft Authenticode to provide a trusted system for protecting the organizational credentials of the software publisher.
This integration guide uses the following third party applications:
- Microsoft Authenticode (Microsoft Windows SDK 10.1)
This integration is supported on the following operating systems:
- Windows Server 2016
Previous versions of the Luna Cloud HSM Service Client have been tested and verified with the following operating systems:
- Windows Server 2012R2
Luna Cloud HSM Service Client version 10.4 and newer do not support Windows Server 2012R2. Download an older client version from the Support Portal to integrate a Luna Cloud HSM Service with Microsoft Strong Name or Microsoft HCK. The Microsoft Strong Name and Microsoft HCK integrations are only supported on Windows Server 2012R2 operating systems.
Before proceeding with the integration complete the following:
Provision Luna Cloud HSM Service
Configure the Luna Cloud HSM service for your application integration. See the section Luna Cloud HSM Service for detailed instructions on deploying and initializing a Luna Cloud HSM service partition and Luna Cloud HSM service client for your application integration.
Please take the following limitations into consideration when integrating your application with a Luna Cloud HSM service partition:
Non-FIPS algorithms: Luna Cloud HSM services operate in a FIPS and non-FIPS mode, which affects which algorithms are available on the partition. If your organization requires non-FIPS algorithms for your operations, ensure you enable the Remove FIPS restrictions check box when configuring your Luna Cloud HSM service. The FIPS mode is enabled by default.
Refer to the Supported Mechanisms in the SDK Reference Guide for more information about available FIPS and non-FIPS algorithms.
Verify Luna Cloud HSM <slot> value: LunaCM commands work on the current slot. If there is only one slot, then it is always the current slot. If you are completing an integration using Luna Cloud HSM services, you need to verify which slot on the Luna Cloud HSM service you send commands to.
If there is more than one slot, then use the slot set command to direct a command to a specified slot. You can use slot list to determine which slot numbers are in use by which Luna Cloud HSM service.
Prepare Environment for Windows Integration
Your system requires access to the SafeNet Key Storage Provider (KSP). Copy the SafeNetKSP.dll file from your downloaded Luna Cloud HSM service client to C:\Windows\System32.
Failure to copy the SafeNetKSP.dll file will result in no access to the SafeNet Key Storage Provider during the integration. For example, if configuring Microsoft Active Directory Certificate Services, the SafeNet Key Storage Providers will not be available options when setting up the Cryptography for CA.
Install Windows SDK
MS Authenticode requires additional libraries to integrate with DPoD. You must install the following in addition to MS Authenticode:
- Microsoft Visual Studio
- Microsoft Windows SDK
- Microsoft Office Smart Tags SDK
Refer to the Microsoft Windows SDK Installation documentation and the Microsoft Office Smart Tags SDK Installation documentation for more information about installing the additional libraries.
Microsoft Authenticode Integration
Microsoft Authenticode permits end users to identify who published a software component and verify that no one has tampered with the software component before downloading the software component from the Internet.
Installing the SafeNet Cryptographic Service Provider for Authenticode
To use Microsoft Authenticode with a Luna Cloud HSM Service you must configure the SafeNet Cryptographic Service Provider to generate the certificates for Microsoft Authenticode.
When possible we recommend using the SafeNet Key Storage Provider (KSP) instead of CSP. CSP is provided in the client package to generate the signing keys for applications running in older Windows cryptographic environments.
Log in to the system as the Domain Administrator.
Run the register.exe command to register the CSP.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe
The system will prompt you for the Luna Cloud HSM Service password. Provide the password.
List the Luna Cryptographic services for Microsoft Windows and verify that the Luna CSP is available.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe /l
Restart the server to apply changes.
If using high availability, register the high availability library.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe /h
You may need to transfer your LunaCSP.dll file to the CSP folder.
Open a Developer Command Prompt for Visual Studio and generate a certificate using cryptographic services.
makecert -sk <key_container_name> -sp <API_provider_name> -r -n CN=<certificate_name> -ss <name_of_certificate_store> <certificate_name>.cer
Signing and Time Stamping the Code using the command line signtool
Use the command line signtool and the /f option to sign and time stamp the code using the service generated certificate and SafeNet Cryptographic Service Provider. You do not require the /p (password) option, because you are providing the /csp (CSPName) and /k (PrivateKeyContainerName). Refer to the signtool documentation for more information about the tool and available options.
Navigate to the directory where signtool is stored.
Execute the following command:
signtool sign /v /f <publisher_certificate> /csp <cryptographic service provider> /k <key_container_name> /t <timestamp_url> <file_to_be_signed>
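The command-line signing above, as an added example that is not from the guide: a PowerShell wrapper around signtool that signs with the key held in the Luna CSP and then verifies the resulting signature and time stamp. Invoke-HsmCodeSign, the time stamp URL and the sample file names are this example's assumptions; the CSP name is the one the guide uses for the Luna provider.

```powershell
# Added example (not part of the Thales guide). Assumes signtool.exe is on PATH,
# e.g. from a Developer Command Prompt for Visual Studio as the guide describes.
function Invoke-HsmCodeSign {
    param(
        [Parameter(Mandatory)][string]$File,          # <file_to_be_signed>
        [Parameter(Mandatory)][string]$Certificate,   # <publisher_certificate> .cer from makecert
        [Parameter(Mandatory)][string]$KeyContainer,  # <key_container_name> given to makecert -sk
        [Parameter(Mandatory)][string]$TimestampUrl,  # <timestamp_url> of your time stamp authority
        [string]$Csp = 'Luna Cryptographic services for Microsoft Windows'
    )
    # /f + /csp + /k: the private key stays in the HSM, so no /p password is needed.
    # /fd sha256 picks the file digest explicitly instead of relying on the default.
    & signtool sign /v /fd sha256 /f $Certificate /csp $Csp /k $KeyContainer /t $TimestampUrl $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

    # Verify with the default Authenticode policy (/pa). A self-signed makecert
    # certificate only verifies on machines that trust it as a root.
    & signtool verify /pa /v $File
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        Status      = $sig.Status                       # 'Valid' when chain and time stamp check out
        Signer      = $sig.SignerCertificate.Subject
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}

# Placeholder paths and URL (constructed for this example).
Invoke-HsmCodeSign -File .\myapp.exe -Certificate .\publisher.cer `
    -KeyContainer 'MyHsmKey' -TimestampUrl 'http://timestamp.example/tsa'
```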
Signing and Time Stamping the Code using the Signtool GUI
You can use the signtool GUI wizard to sign and time stamp the code.
Create a Software Publishing Certificate (SPC) using the recently generated certificate.
Cert2Spc <certificate_name>.cer <certificate_name>.spc
Sign and time stamp the code using the signtool.
a. Navigate to the Microsoft Platform SDK directory C:\Program Files\Microsoft SDKs\Windows\<version>\Bin.
b. Execute signtool signwizard.
c. Click Next.
d. Select the file to sign and click Next.
e. Select Custom in the Signing Options window and click Next.
f. Click Select from File. Select the generated Software Publishing Certificate .spc. Click Next.
g. Select Private Key in a CSP. Select the CSP and Key Container. Click Next.
h. Select the Desired Hash Algorithm. Click Next.
i. Click Next.
j. Add a description to the Data Description window, if desired. Click Next.
k. Select Add a timestamp to the data. Provide the time stamping URL. Click Next.
l. Click Finish.
Click OK.
You can use the signtool wizard without accessing the GUI interface. The following is an example of the command:
C:> signtool sign /v /s <name_of_certificate_store> /csp "Cryptographic Service Provider Name" /kc <key_container_name> /t <timestamp_URL> <file_to_be_signed>
Microsoft Strong Name Integration
Strong Name is the part of Microsoft SDK that offers a powerful mechanism for giving .NET Framework assemblies unique identities. To get a valid strong name, an assembly is strong-name signed during the build process. This is done using the private key that corresponds to the public key in the strong name. The strong name signature can then be verified using the public key.
Installing the SafeNet Cryptographic Service Provider for MS Strong Name
To use MS Strong Name with a Luna Cloud HSM Service you must configure the SafeNet Cryptographic Service Provider to generate the keys and certificates for MS Strong Name.
When possible we recommend using the SafeNet Key Storage Provider (KSP) instead of CSP. CSP is provided in the client package to generate the signing keys for applications running in older Windows cryptographic environments.
Log in to the system as the Domain Administrator.
Run the register.exe command to register the CSP.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe
The system will prompt you for the Luna Cloud HSM Service password. Provide the password.
List the Luna Cryptographic services for Microsoft Windows and verify that the Luna CSP is available.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe /l
Restart the server to apply changes.
If using high availability, register the high availability library.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe /h
You may need to transfer your LunaCSP.dll file to the CSP folder.
Generate a certificate using SafeNet Cryptographic services.
C:> makecert -sk <key_container_name> -sp <API_provider_name> -r -n CN=<certificate_name> -ss <name_of_certificate_store> <certificate_name>.cer
Set the SafeNet CSP to be the default CSP for the system.
sn.exe -c <API_provider_name>
Extract the public key from the key pair generated by the makecert command above using the following command:
sn.exe -pc <key_container_name> <public_key>
Signing a .NET Assembly
You can use MS Strong Name to sign any .NET assembly.
Use the MS Visual Studio command prompt to compile the program and delay signing the generated .exe file.
csc /delaysign+ /keyfile:<path_to_public_key> C:\Users\Administrator\Desktop\myapp.cs
Sign the key.
sn.exe -Rc C:\Users\Administrator\Desktop\myapp.exe <key_container_name>
Verify the signature on the .NET assembly.
sn.exe -v C:\Users\Administrator\Desktop\myapp.exe
Microsoft HCK Integration
Microsoft's Windows Certification Program is designed to help your company deliver compatible and reliable systems, software, and hardware products. End users trust the logo as an assurance of compatibility and reliability. This program is intended to help you develop systems and devices that have been tested to ensure that they meet Microsoft standards for Windows 8.1 as well as the quality level that ensures a great Windows experience for end users.
- An HSM on Demand service is used to secure the signing keys so that your signing keys are never accessed by any unauthorized entity. Microsoft HCK uses the RSA keys for signing the packages.
- Microsoft HCK is a 32 bit application so you have to use the Luna Clients with 32 bit CSP.
Installing the SafeNet Cryptographic Service Provider for Microsoft HCK
To use Microsoft HCK with an HSM on Demand service you must configure the SafeNet Cryptographic Service Provider to generate the certificates for Microsoft HCK.
When possible we recommend using the SafeNet Key Storage Provider (KSP) instead of CSP. CSP is provided in the client package to generate the signing keys for applications running in older Windows cryptographic environments.
Log in to the system as the Domain Administrator.
Run the register.exe command to register the CSP.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe
The system will prompt you for the Luna Cloud HSM Service password. Provide the password.
List the Luna Cryptographic services for Microsoft Windows and verify that the Luna CSP is available.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe /l
Restart the server to apply changes.
If using high availability, register the high availability library.
C:\Program Files\<service_client_installation_directory>\CSP>register.exe /h
You may need to transfer your LunaCSP.dll file to the CSP folder.
Navigate to C:\Windows\SysWOW64.
Execute the command certutil -csplist.
Generating the Microsoft HCK Certificate
To integrate a Luna Cloud HSM Service with the Microsoft HCK, you must use the Luna Cryptographic services for Windows to generate the certificate. The certificate must be signed and the signer certificate must be in the Trusted Root Certificate Authority. There are two methods to generate the file.
Method 1
Create an inf file with the following attributes:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "C=US,O=SafeNet,CN=HCK,OU=HCKIntegration"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeyContainer = HCK
ProviderName = "Luna Cryptographic services for Microsoft Windows"
ProviderType = 1
KeyUsage = 0x04
Generate a certificate request using the .inf file. Ensure you use the 32 bit certreq utility inside the C:\Windows\SysWOW64 directory.
Have the certificate signed by a trusted certificate authority.
Import the signed certificate into the user's personal store. Ensure you select the 32 bit Microsoft Certificate Manager Console.
C:\Windows\SysWOW64\certmgr.msc
Right-click Personal, select All Tasks and click Import. Follow the procedure to import the signed certificate.
Double-click the certificate and confirm that there is a private key mapped to the certificate.
If the certificate is not mapped correctly you can repair it using the certutil -repairstore command.
Open the certificate. Open the Details tab and select the Serial Number field. Copy the serial number.
Execute certutil -repairstore -user My <serial_number>, where <serial_number> is the value copied in the previous step.
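Method 1 as a script, added here as an example that is not part of the guide: it writes the .inf above, requests the key pair in the Luna CSP with the 32-bit certreq, and then checks that the issued certificate in the user's Personal store has a private key mapped, running the same certutil -repairstore fix when it does not. Test-HckPrivateKey and the file names are this example's assumptions.

```powershell
# Added example (not part of the Thales guide). Run from the 32-bit PowerShell
# (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe), because the HCK
# CSP registration is 32-bit as the guide states.
$inf = @'
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "C=US,O=SafeNet,CN=HCK,OU=HCKIntegration"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
KeyContainer = HCK
ProviderName = "Luna Cryptographic services for Microsoft Windows"
ProviderType = 1
KeyUsage = 0x04
'@
Set-Content -Path .\hck.inf -Value $inf -Encoding Ascii
# 32-bit certreq so the request is built against the 32-bit Luna CSP.
& "$env:windir\SysWOW64\certreq.exe" -new .\hck.inf .\hck.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
# Submit hck.req to your CA and import the issued certificate into the Personal
# store (the guide's signing and import steps) before running the check below.

function Test-HckPrivateKey {
    param([string]$SubjectMatch = 'CN=HCK')
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate matching $SubjectMatch in Cert:\CurrentUser\My" }
    if ($cert.HasPrivateKey) { return $true }
    # Same repair the guide performs by hand: the serial number tells certutil
    # which certificate to re-associate with its CSP key container.
    & certutil -repairstore -user My $cert.SerialNumber | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }
    # Re-read the store entry; HasPrivateKey on the object we hold is stale.
    $repaired = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    return $repaired.HasPrivateKey
}

Test-HckPrivateKey   # $true once HCK can use the Luna-held key for package signing
```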
Method 2
Generate a certificate using Luna Cryptographic services.
C:> makecert -sk <key_container_name> -sp <API_provider_name> -r -n CN=<certificate_name> -ss <name_of_certificate_store> <certificate_name>.cer
Navigate to C:\Windows\SysWOW64 and open the certmgr.msc.
Import the certificate into the Trusted Root Certificate Authority folder. Double-click the certificate and confirm that there is a private key mapped to the certificate.
Open Windows Hardware Certification Kit and import the project to sign.
Verify the project imported correctly.
Go to the package tab and click on Create package to sign the package. When the Signing Options Window displays enable the Use Certificate Store radio button. Click OK.
Select the signing certificate. When the Windows Hardware Certification Package Signing Window displays select the certificate that was recently imported. Click OK.
Select a location to save the signed package. Click Save.
The Creating Package Window will display. If the certificate and the private key are correctly mapped, a success message displays and you can verify the signed package in the location you saved it.