Is there any way to get a Code Signing certificate into Azure Key Vault given the new FIPS requirement for storing the private key?
Question
We ordered a new code signing certificate and got the private key on a USB based "hardware token" - this is compatible with the new code signing certificate rules, but that limits access to one physical PC. We do want the certificate to be in Azure Key Vault usable from our build agents (using azuresigntool).
Our vendor said that they will in the future allow downloading the private key to FIPS devices, but not yet.
Are there any providers out there that issue code signing certificates that we can install into Azure Key Vault, given the new FIPS requirements for code signing certificates? (PFX files are no longer allowed for code signing certificates.)
I need a provider and hopefully a step-by-step way of getting the certificate into Azure Key Vault.
Answer 1
Score: 3
digicert.com and globalsign.com both in theory offer this. DigiCert was faster to get past validation for me, so I ended up going with them.

The instructions that DigiCert gave me over chat to get the certificate ordered are below. After the validation process is completed, it will give you the option to download the certificate, which you will have to merge back into the Azure Key Vault request to finish the process.

DigiCert + Azure Key Vault as HSM Instructions

On the Azure Side

- To set up the Azure Key Vault, please log in to your Azure Portal and click on the “Create a resource” button. Search for “Key Vault” and press Create to get your vault up and running.
- Please select the settings that fit your use case and create your Key Vault.
  Note: In order to be compliant with the FIPS 140-2 standard, you should select the “Premium” pricing tier. If you do not choose “Premium”, there is a risk that your certificate will be revoked.
- When your vault has been created, please select “Certificates” in the action bar to the left. Then click “Generate/Import” to start creating your Code Signing CSR.
- Fill out your certificate name and subject name. The subject name should be your company name.
- Set the Type of Certificate Authority to non-integrated CA and then select Advanced Policy Configuration.
- In the Extended Key Usages (EKUs) field, please add the following: 1.3.6.1.5.5.7.3.3. This EKU identifies the certificate as a Code Signing certificate. You should also set “Exportable Private Key” to No and the “Key Type” to RSA-HSM.
  Note: all Code Signing certificates from DigiCert are required to be issued with a minimum 3072-bit key size.
- When you have configured the policy, click “Okay” and then “Create”. The certificate will then appear as an “In progress” certificate under the Certificates tab.
- Click on your certificate in progress. Choose “Certificate Operation” and then click “Download CSR”.
- Save the CSR file in a safe location of your choosing.

Ordering the EV Code Signing certificate from your CertCentral dashboard

For this, we have created the following document to guide you on what is required for the successful enrollment of an EV Code Signing certificate.

The document is named “Order an EV Code Signing certificate” and can be viewed at the following link: https://docs.digicert.com/manage-certificates/code-signing-certificate/order-ev-code-signing-certificate/

Note: You have to select the provisioning option “Install on HSM” during the enrollment process to get a certificate that will work; otherwise we will ship you a preconfigured hardware token that will not work with your Azure setup.
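The same Key Vault steps driven from the Azure CLI instead of the portal, as an added example that is not part of the answer or of DigiCert's instructions. It builds the certificate policy the answer describes (non-integrated CA, RSA-HSM key, non-exportable, 3072 bits, Code Signing EKU 1.3.6.1.5.5.7.3.3), creates the pending certificate so the key pair is generated inside the HSM, pulls the CSR out as PEM for the CA order form, and merges the issued certificate back. The vault, resource group, region, certificate name, subject, 36-month validity and the openssl sanity check are assumptions; `az keyvault create --sku premium`, `az keyvault certificate create --policy`, `az keyvault certificate pending show` and `az keyvault certificate pending merge` are real Azure CLI commands.

```shell
#!/bin/sh
# Added example, not from the answer or DigiCert. All names below are assumptions;
# override them in the environment before running with RUN_AZ=1.
VAULT="${VAULT:-contoso-codesign-kv}"   # assumed vault name
RG="${RG:-codesign-rg}"                 # assumed resource group
LOCATION="${LOCATION:-westeurope}"      # assumed region
CERT_NAME="${CERT_NAME:-ev-codesign}"   # assumed Key Vault certificate object name
SUBJECT="${SUBJECT:-CN=Contoso Ltd}"    # assumed company name matching the order

# Certificate policy equivalent to the portal settings in the answer:
# issuer "Unknown" = non-integrated CA, RSA-HSM key that can never be exported,
# 3072-bit minimum, and the Code Signing EKU. Validity is an assumption.
build_policy_json() {
  cat <<EOF
{
  "issuerParameters": { "name": "Unknown" },
  "keyProperties": {
    "exportable": false,
    "keyType": "RSA-HSM",
    "keySize": 3072,
    "reuseKey": false
  },
  "secretProperties": { "contentType": "application/x-pkcs12" },
  "x509CertificateProperties": {
    "subject": "$1",
    "ekus": [ "1.3.6.1.5.5.7.3.3" ],
    "keyUsage": [ "digitalSignature" ],
    "validityInMonths": 36
  }
}
EOF
}

# `az keyvault certificate pending show` returns the CSR as base64 DER in the
# "csr" field; wrap it at 64 columns with PEM armour so openssl and the CA's
# order form accept it. Reads the base64 on stdin, writes PEM on stdout.
csr_to_pem() {
  printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
  tr -d '\n' | fold -w 64
  printf '\n%s\n' '-----END CERTIFICATE REQUEST-----'
}

# Step 1: the Premium SKU is what provides HSM-backed (RSA-HSM) keys.
create_vault() {
  az keyvault create --name "$VAULT" --resource-group "$RG" \
    --location "$LOCATION" --sku premium
}

# Step 2: create the certificate request; the private key is generated in the
# HSM and never leaves it. Then export the CSR and sanity-check it locally.
request_csr() {
  build_policy_json "$SUBJECT" > policy.json
  az keyvault certificate create --vault-name "$VAULT" --name "$CERT_NAME" \
    --policy @policy.json
  az keyvault certificate pending show --vault-name "$VAULT" --name "$CERT_NAME" \
    --query csr -o tsv | csr_to_pem > "$CERT_NAME.csr"
  # Confirm key size and EKU before submitting the CSR to the CA.
  openssl req -in "$CERT_NAME.csr" -noout -text \
    | grep -E 'Public-Key: \(3072 bit\)|Code Signing' \
    || echo "WARNING: CSR does not show a 3072-bit key and Code Signing EKU" >&2
}

# Step 3: once the CA returns the issued certificate (DER or PEM), merge it
# into the pending request; Key Vault pairs it with the HSM-resident key.
merge_issued() {
  az keyvault certificate pending merge --vault-name "$VAULT" --name "$CERT_NAME" \
    --file "$1"
}

# Only contact Azure when explicitly asked, so the helpers can be tested offline.
if [ "${RUN_AZ:-0}" = "1" ]; then
  create_vault
  request_csr
fi
```

Run with `RUN_AZ=1 sh kv-codesign.sh` to create the vault and the pending request, submit the resulting `.csr` file during the DigiCert order with the “Install on HSM” option, then call `merge_issued issued.cer` when the certificate arrives. Because the issuer is `Unknown`, Key Vault will not auto-renew; the merge step has to be repeated at renewal time.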