
Integration Guide: Microsoft Authenticode
Windows Server 2012 R2

Imprint

Copyright 2015 Utimaco IS GmbH
Germanusstrasse 4
D-52080 Aachen
Germany

phone: +49 (0)241 / 1696-200
fax: +49 (0)241 / 1696-199
web: http://hsm.utimaco.com
email: [email protected]
version: 1.0.0
date: October 2015
author: System Engineering HSM
document no.: Microsoft Authenticode

All rights reserved. No part of this documentation may be reproduced in any form (printing, photocopy or according to any other process) without the written approval of Utimaco IS GmbH or be processed, reproduced or distributed using electronic systems. Utimaco IS GmbH reserves the right to modify or amend the documentation at any time without prior notice. Utimaco IS GmbH assumes no liability for typographical errors and damages incurred due to them. All trademarks and registered trademarks are the property of their respective owners.


Contents

1 Introduction
2 Requirements
3 Setting Up CryptoServer Device
4 Microsoft Authenticode Setup
4.1 Installing the Windows SDK
4.2 Create Certificate Request
4.3 Install Code Signing Certificate
5 Code Signing
6 Further Information

1 Introduction

Authenticode relies on proven cryptographic techniques from Microsoft and on one or more private keys to sign and timestamp published software. From a security point of view it is important to maintain the confidentiality of these code signing keys. The CryptoServer Hardware Security Module (HSM) integrates with Microsoft Authenticode to provide a trusted system for protecting the organizational credentials of a software publisher. The CryptoServer HSM secures the code signing keys in a device certified to the FIPS 140-2 industry standard.

This integration guide covers all the information necessary to install, configure and integrate Microsoft Authenticode with CryptoServer Hardware Security Modules (HSM).

2 Requirements

You should have an installed Windows Server 2012 R2 operating system. If you are using a PCI(e) card you also have to install the necessary driver for that card.

Software and Hardware Requirements

HSM Model: CryptoServer CS(e)-Series/Se-Series PCI(e)
HSM Firmware: SecurityServer 3.21.0 or SecurityServer 3.30.0
Software: Microsoft SDK 8.1

3 Setting Up CryptoServer Device

To set up a CryptoServer device for the Utimaco CSP, open the Control Panel and select the Utimaco CSP Configuration applet.

1. Go to the Devices tab in the CryptoServer CSP Configuration window.

2. Click the Add Device button. This opens the Device Settings dialog box. In Device Specifier, enter the device specifier relevant for your CryptoServer device.

• If this is a CryptoServer PCI or PCIe card, this is PCI:0.

• If this is a CryptoServer LAN, enter an IP address (for example 192.168.5.17).

• If you want to use the CryptoServer Simulator, enter [email protected] as the device address.

3. In Group you now see the name of a computer. You may change this to your own group name or keep the default.

4. Click the OK button. This opens the User Logon dialog box. This window displays all users available in the user database of the given CryptoServer device.

5. Select the ADMIN user in the user list.

6. Click the Logon button. The Authentication with Key dialog box opens.

7. Select the source of the private user key: either a smartcard token or a key file.

8. Click the OK button.


9. Authenticate yourself with the intended authentication method. Once you have successfully authenticated yourself to the CryptoServer, you see a key lock symbol in the User Logon dialog box next to the entry for the ADMIN user.

10. Click OK to close the User Logon dialog box.

11. Click OK to close the CryptoServer CSP Configuration window and the CSP Configuration applet.


4 Microsoft Authenticode Setup

4.1 Installing the Windows SDK

The Authenticode programs (certutil, cert2spc, signtool) are installed with Microsoft Visual Studio and the Microsoft Windows SDK. We refer to the appropriate Microsoft Windows SDK installation documentation.

4.2 Create Certificate Request

It is necessary to create a specific certificate for code signing purposes. This certificate is installed in the local Windows certificate store (e.g. the personal store). To obtain an official code signing certificate issued by a certification authority you first have to create a certificate signing request (CSR). Normally an official certificate authority (e.g. VeriSign, Thawte, DigiCert) will create and sign a certificate based on your certificate request. If you don't need an officially signed certificate, you can also use an in-house certificate authority (e.g. Microsoft Windows Server 2012 Certification Authority).

To create a code signing certificate request you first need to create a template file (.inf). You will then issue the certificate request based on this template file using Microsoft's utility certreq.exe, which is included in Microsoft Windows Server 2012 R2. Create a file called request.inf which should include, amongst others, the following information:

• The subject details must include a 2-letter country code "C" and a common name "CN", which may be your company name.

• Key algorithm and key length as required (e.g. RSA, 2048 bit key).

• KeyContainer name, as this will be used to store the private key in the CryptoServer and to distinguish several code signing keys from each other.

• Name of the Cryptographic Service Provider. For use with CryptoServer this needs to be Utimaco CryptoServer Key Storage Provider.


request.inf:

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=Utimaco GmbH,OU=SE HSM,O=Utimaco GmbH,S=NRW,L=Aachen,C=DE"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
KeyContainer = CodeSigning
ProviderName = "Utimaco CryptoServer CSP"
ProviderType = 1
KeyUsage = 0x04

It is important that the ProviderName is given as Utimaco CryptoServer CSP. This links the code signing certificate with the private key which is stored in the CryptoServer.

1. Save the content of the file request.inf to some directory. Make sure you don't copy and paste the quotation marks from this document.

2. Open a command shell prompt.

3. Change to the directory where you have saved your request.inf file.

4. Execute the next command. If you want to review the actions on the CryptoServer for debugging purposes, you can observe them in the log file cs2cng.log. The location and the log level can be configured using the Utimaco CSP Configuration applet.

CONSOLE
C:\>certreq -new request.inf request.req
CertReq: Request Created


certreq creates a certificate request file request.req that can either be sent to an official certificate authority or be signed with your in-house certificate authority. The second option is introduced in the next section.

4.3 Install Code Signing Certificate

After creating a certificate request, you obtain the certificate either from a certificate authority or from your own certificate authority. To use your code signing certificate you need to install it in your local Windows certificate store.

1. Now we have to import the obtained certificate into the user's personal certificate store. As this setup is 32-bit, ensure you use the 32-bit Microsoft Certificate Manager Console.

CONSOLE
C:\>certmgr.msc

2. Right-click on Personal > All Tasks > Import... and follow the instructions to import the signed certificate. Verify that the certificate has been successfully imported.

3. Double-click the certificate and confirm that there is a private key mapped to this certificate. Check the message at the bottom.


4. In case the certificate is not mapped to the private key in the CryptoServer, repair the code signing certificate using the certutil -repairstore utility.

• Open the code signing certificate.

• Browse to the Details tab.

• Select the Serial number field.

• Copy the serial number or thumbprint.

• Execute the command certutil -repairstore -user My <SerialNumber or Thumbprint> to link the private key on the CryptoServer with the code signing certificate.

CONSOLE
C:\>certutil -repairstore my <serial number>

5. After the repairstore command has been executed successfully, refresh the certificate manager snap-in, open the certificate and make sure you see the message "You have a private key that corresponds to this certificate".
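The message in the certificate dialog only tells you that some private key is mapped. As an added check (not part of the Utimaco guide), the following PowerShell script confirms that the key behind the imported certificate is held by the CryptoServer provider and is not exportable, which is the property the whole integration is meant to guarantee. It assumes PowerShell 5.1 with .NET 4.6 or later, run in the same 32-bit context the guide uses for certmgr.msc; the subject name and the expected provider fragment are placeholders taken from the guide's request.inf.

```powershell
# Added example: verify that the code signing certificate in the user's
# Personal store is backed by a non-exportable key held by the Utimaco provider.
param(
    [string]$SubjectName      = "Utimaco GmbH",        # CN from request.inf (placeholder)
    [string]$ExpectedProvider = "Utimaco CryptoServer" # provider name fragment (assumption)
)

$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "CN=$SubjectName*" }
if (-not $certs) { throw "No certificate with CN=$SubjectName in CurrentUser\My" }

foreach ($cert in $certs) {
    $provider = $null; $exportable = $null
    if ($cert.HasPrivateKey) {
        # GetRSAPrivateKey returns RSACryptoServiceProvider for a CAPI key
        # (ProviderType = 1 in request.inf) and RSACng for a CNG/KSP key.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider   = $rsa.CspKeyContainerInfo.ProviderName
            $exportable = $rsa.CspKeyContainerInfo.Exportable
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider   = $rsa.Key.Provider.Provider
            # ExportPolicy is a flags enum; any bit set means export is allowed.
            $exportable = ([int]$rsa.Key.ExportPolicy -ne 0)
        }
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Provider      = $provider
        Exportable    = $exportable
    } | Format-List

    # A missing, software-held or exportable key defeats the purpose of the HSM.
    if (-not $cert.HasPrivateKey) {
        Write-Error "$($cert.Thumbprint): no private key mapped; run certutil -repairstore"
    } elseif ($provider -notlike "*$ExpectedProvider*") {
        Write-Error "$($cert.Thumbprint): key held by '$provider', not the CryptoServer provider"
    } elseif ($exportable) {
        Write-Error "$($cert.Thumbprint): private key is exportable"
    }
}
```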


5 Code Signing

Once the code signing certificate has been installed in the local personal Windows certificate store, it is possible to sign your executables, dynamic link libraries or cabinet files. To run signtool for signing you need to open a developer console. The developer console is part of the Windows SDK, and only in this console is signtool included in your local Windows search path.

CONSOLE
C:\>signtool sign /v /n "Utimaco GmbH" sample.exe
The following certificate was selected:
    Issued to: Utimaco GmbH
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires: Wed Aug 17 14:00:00 2016
    SHA1 hash: 985E9A41B797D7F6BCA99CA46E2321AD30F0FBFB

Done Adding Additional Store
Successfully signed: sample.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

You can also include a timestamp in the digital signature of your code. Add a timestamping authority like VeriSign (http://timestamp.verisign.com/scripts/timstamp.dll) as an extra parameter to signtool as shown next.

CONSOLE
C:\>signtool sign /v /n "Utimaco GmbH" /t http://timestamp.verisign.com/scripts/timstamp.dll sample.exe
The following certificate was selected:
    Issued to: Utimaco GmbH
    Issued by: DigiCert EV Code Signing CA (SHA2)
    Expires: Wed Aug 17 14:00:00 2016
    SHA1 hash: 985E9A41B797D7F6BCA99CA46E2321AD30F0FBFB

Done Adding Additional Store
Successfully signed: sample.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
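signtool reports success per invocation, but a release pipeline should also check the result: every shipped binary must carry a valid signature from the intended certificate, and, if the timestamp option was used, a countersignature so the signature outlives the certificate's expiry date. The following PowerShell script is an added example (not from the Utimaco guide) that performs that check over a build directory with the Get-AuthenticodeSignature cmdlet; the build path is a placeholder, and the expected thumbprint is the SHA1 hash from the signtool output above.

```powershell
# Added example: verify Authenticode signatures on build outputs, pinning the
# signer certificate and optionally requiring a timestamp countersignature.
param(
    [string]$BuildDir           = "C:\build\out",                              # placeholder
    [string]$ExpectedThumbprint = "985E9A41B797D7F6BCA99CA46E2321AD30F0FBFB", # from the guide's signtool output
    [switch]$RequireTimestamp
)

$files    = Get-ChildItem -Path $BuildDir -Recurse -File -Include *.exe, *.dll, *.cab
$failures = 0

foreach ($file in $files) {
    $sig      = Get-AuthenticodeSignature -FilePath $file.FullName
    $problems = @()

    # Status is 'Valid' only if the file is signed, the hash still matches the
    # contents and the signer chains to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $problems += "status $($sig.Status): $($sig.StatusMessage)"
    }

    # Pin the signer: a valid signature from some other certificate is not a
    # release produced with the HSM-held code signing key.
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        $problems += "signed by $($sig.SignerCertificate.Thumbprint), expected $ExpectedThumbprint"
    }

    # Without a timestamping authority's countersignature the signature is no
    # longer valid once the signing certificate passes its NotAfter date.
    if ($RequireTimestamp -and -not $sig.TimeStamperCertificate) {
        $problems += "no timestamp; signature expires with the certificate"
    }

    if ($problems.Count -gt 0) {
        $failures++
        Write-Warning ("{0}: {1}" -f $file.FullName, ($problems -join '; '))
    } else {
        Write-Output ("OK  {0} (timestamped: {1})" -f $file.FullName, [bool]$sig.TimeStamperCertificate)
    }
}

Write-Output "$(@($files).Count) file(s) checked, $failures with problems"
exit ([int]($failures -gt 0))
```

Run it with -RequireTimestamp when the release was signed with the /t option, so an untimestamped binary fails the build instead of silently expiring together with the certificate.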


6 Further Information

This document forms a part of the information and support which is provided by Utimaco IS GmbH. Additional documentation can be found on the product CD in the documentation directory or at http://hsm.utimaco.com.


Contact

Utimaco IS GmbH
Germanusstraße 4
D-52080 Aachen
Germany

phone: +49 241 1696-200
fax: +49 241 1696-199
web: https://hsm.utimaco.com
email: [email protected]