Time Stamp Server™ Integration Guide for Microsoft Authenticode



    Version: 1.0

    Date: Monday, December 23, 2019

    Copyright 2019 nCipher Security Limited. All rights reserved.

    Copyright in this document is the property of nCipher Security Limited. It is not to be reproduced, modified, adapted, published, translated in any material form (including storage in any medium by electronic means whether or not transiently or incidentally) in whole or in part nor disclosed to any third party without the prior written permission of nCipher Security Limited neither shall it be used otherwise than for the purpose for which it is supplied.

    Words and logos marked with ® or ™ are trademarks of nCipher Security Limited or its affiliates in the EU and other countries.

    Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.

    Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

    Information in this document is subject to change without notice.

    nCipher Security Limited makes no warranty of any kind with regard to this information, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. nCipher Security Limited shall not be liable for errors contained herein or for incidental or consequential damages concerned with the furnishing, performance or use of this material.

    Where translations have been made in this document English is the canonical language.

    Page 2 of 3 Time Stamp Server™ - Integration Guide for Microsoft Authenticode

    Contents

    1 Introduction 1

    1.1 Product configurations 1

    1.2 Requirements 2

    1.3 This guide 2

    1.4 More information 3

    2 Procedures 4

    2.1 Configure nShield Cryptographic Service Provider 4

    2.2 Create the Authenticode Certificate request and install Certificate Chain 5

    2.3 Install the Microsoft Windows SDK 7

    2.4 Configure the nShield HSM and TSS with Microsoft Authenticode 8

    3 Troubleshooting 10

    Contact Us 11

    Europe, Middle East, and Africa 11

    Americas 11

    Asia Pacific 11


    1 Introduction

    Authenticode relies on proven cryptographic techniques and the use of one or more private keys to sign and time-stamp the published software. It is important to maintain the confidentiality of these keys.

    The Authenticode programs are installed with the Microsoft SDK.

    nCipher Hardware Security Modules (HSMs) integrate with Microsoft Authenticode to enable you to identify the publisher of a software component before it is downloaded from the Internet, and to verify that no one has altered the code after it has been signed. Authenticode integrates with nCipher Time Stamp Server™ (TSS) to use time-stamping.

    The benefits of using an HSM and TSS with Microsoft Authenticode include:

    • Protection for the organizational credentials of the software publisher.
    • Secure storage of the private key.
    • FIPS 140-2 level 3 validated hardware.
    • Provision of a trusted time-stamp to Authenticode.

    The benefits of TSS include:

    • Centrally managed and secured time stamp appliance.
    • FIPS secure and audited link to a master time source.

    1.1 Product configurations

    This integration uses the nCipher Enhanced Cryptographic Provider with a selection of Authenticode tools provided as part of the Microsoft SDK:

    • MakeCert
    • Cert2Spc
    • SignTool

    We have successfully tested the integration between HSMs, TSS, and Authenticode in the following configurations:

    Windows Operating System   Security World version   TSS version   Microsoft SDK version   PCI support   PCIe support
    Windows 2016               12.60.3, 12.40.2         7.10          10                      Yes           Yes
    Windows 2012 R2            12.60.3, 12.40.2         7.10          8.1                     Yes           Yes
    Windows 2008 R2            12.60.3, 12.40.2         7.10          7.1                     Yes           Yes

    If you require the ability to recover your keys after a firmware upgrade of the nShield module, you must use Operator Card Set (OCS) protection for your TSA keys.

    Throughout this guide, the term HSM refers to nShield Solo+ 500.

    1.2 Requirements

    Before starting the integration procedure, ensure that:

    • The following aspects of HSM administration are taken into account:
      • The Administrator Card Set (ACS) K-of-N and management of the card set.
      • The type of protection for the application keys, that is, module protection or OCS protection.
      • The Operator Card Set K-of-N and management of the card set.
      • Any requirement for a FIPS 140-2 level 3 Security World.
      • Key attributes, such as the key size, persistence, and time-out.
    • You obtain a .p7b certificate chain, which should have been supplied by the TSA issuing Certification Authority.
    • The nCipher hardware and software are installed; see the relevant nCipher Installation Guides.
    • The Security World is created; see the relevant nCipher product User Guide.

    1.3 This guide

    This document explains how to set up and configure Microsoft Authenticode with an nShield HSM and TSS. The instructions in this document have been thoroughly tested and provide a step-by-step integration process. There may be other untested ways to achieve interoperability.

    This document assumes that:

    • You have read the nShield HSM documentation.
    • You are familiar with the documentation and setup process for Microsoft Authenticode.


    1.4 More information

    • For more information about OS support, contact your Microsoft sales representative or nCipher Support.
    • For more information about installing Microsoft Authenticode, see the appropriate Microsoft SDK documentation.
    • For more information about contacting nCipher, see "Contact Us" on page 11 at the end of this guide.
    • Additional documentation produced to support your nCipher product is in the document directory of the CD-ROM or DVD-ROM for that product.


    2 Procedures

    The installation procedures outlined in this document assume, for example purposes, that you are installing an offline root Certificate System.

    It is also assumed that a new root key is generated during installation, rather than a software key being imported from an existing installation.

    2.1 Configure nShield Cryptographic Service Provider

    1. In the Windows Start menu, locate the nCipher folder, then click it to expand it.

    2. Click 32bit CSP install wizard, then click Next.

    3. If you have an explicit reason to use the Pool Mode feature, select the Enable HSM Pool Mode for CAPI Providers check box.

    If the Pool Mode feature is used, OCS protection cannot be used.

    4. Click Next.

    5. Select the Use the existing security world check box, then click Next.

    6. Ensure that the module Mode is operational and State is usable, then click Next.

    7. Select the method to protect private keys generated by CSP.


    OCSs might be used, for example, for TSA recovery in the event of firmware upgrade.

    8. Click Next.

    9. Select the Select to set the nCipherCSP as the default SChannel CSP check box, then click Next.

    This completes the nCipher 32-bit CSP installation.

    10. Follow steps 2-9 to install the 64-bit nCipher CSP as well.

    Both CSPs must be installed. The 32-bit and 64-bit install wizards are identical.

    2.2 Create the Authenticode Certificate request and install Certificate Chain

    For instructions on adding certificates to the TSA Certificate Store, see the Time Stamp Server™ Administrator Guide.

    1. Log into TSS.

    2. Create the Authenticode TSA certificate request. Authenticode is specified in the Certificate request > Time-stamp Mode drop-down list.

    3. In Certificate management, present the signed TSA certificate and associated Certificate Chain to the TSS certificate Store.

    First add the Root CA, then any subordinate certificate(s), and finally the Authenticode TSA certificate.

    4. Find out the TSA ID number:

    a. Select TSA management > Operational Status.

    b. Select the TSA.

    c. Click Details.


    d. The TSA ID is displayed in the title bar.

    5. In a Windows file management tool, create a copy of the Certchain.p7b file, and rename it to include the Authenticode TSA ID number:

    tsaid_n.p7b, where n is the TSA ID number.

    6. Right-click the .p7b file, select Properties, then select Enhanced Key Usage.

    The certificate should have Code Signing and Time Stamping.

    7. Copy the renamed .p7b file to the following folder:

    C:\Program Files\nCipher\nfast\dse200\UserFiles

    8. Restart the DSE200 service:


    a. From the Windows Start menu, start Services.

    b. From the list, right-click DSE200, and click Restart.

    9. Once the service has restarted, log into TSS, navigate to Operational Status, and confirm that all lights are green.

    2.3 Install the Microsoft Windows SDK

    1. Download the SDK from https://developer.microsoft.com/en-us/windows/downloads/sdk-archive.

    2. Run WinSDKSetup.exe.

    3. Select to install it on your computer, and click Next.

    4. Select whether to send anonymous data, and click Next.


    5. Accept the License Agreement.

    6. Select the features that you want to install, and click Install.

    7. Close the welcome dialog to finish the installation.

    8. Ensure that the following are on the Windows %PATH%:

    C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64

    C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\

    2.4 Configure the nShield HSM and TSS with Microsoft Authenticode

    This section describes the configuration using Authenticode SignTool, used to sign notepad.exe.

    The SignTool wizard is no longer supported in Microsoft SDK version 7 and later. Use the SignTool CLI command.

    Use your certificate name(s), email address, etc. where placeholders are used in the examples below.

    1. Open a command prompt and navigate to:

    C:\Program Files\nCipher\nfast\dse200\UserFiles

    2. Run:

    makecert -sk myKey -r -n "CN=myCertificate, [email protected]" -ss mystore myCert.cer

    You should receive the output:

    Succeeded

    3. Convert the .cer file into a .spc file that Authenticode can use:

    Cert2Spc myCert.cer myCert.spc

    You should receive the output:

    Succeeded

    4. Using Windows Explorer, open the UserFiles folder, and confirm that it is populated with files similar to those in the example:

    Notice:

    • The .p7b file.

    • The myCert.cer and myCert.spc files.

    5. Add the candidate for signing, notepad.exe in this example, manually to the working directory.


    6. Sign notepad.exe using SignTool:

    signtool sign /v /a /s mystore /n myCert /t http:///TSS/AuthenticodeTS notepad.exe

    7. If signing is successful, you should receive output similar to this:

    The following certificate was selected:

    Issued to: myCertificate

    Issued by: myCertificate

    Expires: Sat Dec 31 23:59:59 2039

    SHA1 hash: AA95C8648A35D8807696F7BAED6F3CE414C82FAC

    Done Adding Additional Store

    Successfully signed: notepad.exe

    Number of files successfully Signed: 1

    Number of warnings: 0

    Number of errors: 0

    C:\Program Files\nCipher\nfast\dse200\UserFiles>
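As an added example (not part of the nCipher guide), the following PowerShell script automates the two checks the procedure asks you to make by eye: that the TSA certificate in the renamed .p7b carries both the Code Signing and Time Stamping enhanced key usages (section 2.2, step 6), and that the signed notepad.exe actually carries a time-stamp countersignature made with a time-stamping certificate (section 2.4, step 7), since "Successfully signed" is printed even when the /t URL was not reached. The UserFiles paths, the TSA ID 1 and the function names are assumptions; the self-signed makecert certificate from step 2 will report an untrusted chain, which the script prints but does not treat as a time-stamp failure.

```powershell
# Added example, not from the nCipher guide. Checks the two things the guide
# asks you to confirm by eye. Paths below are constructed placeholders.
$CodeSigningOid  = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$TimeStampingOid = '1.3.6.1.5.5.7.3.8'   # id-kp-timeStamping

# EKU OIDs carried by a certificate (empty array if it has no EKU extension).
function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Section 2.2 step 6: at least one certificate in tsaid_n.p7b (the TSA leaf)
# must carry both Code Signing and Time Stamping. Lists every certificate.
function Test-TsaChainEku([string]$P7bPath) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $chain.Import($P7bPath)          # PKCS#7 (.p7b) bundles import directly
    $found = $false
    foreach ($c in $chain) {
        $oids = Get-EkuOids $c
        $both = ($oids -contains $CodeSigningOid) -and ($oids -contains $TimeStampingOid)
        Write-Output ('{0} {1}' -f $(if ($both) { 'OK ' } else { '-- ' }), $c.Subject)
        if ($both) { $found = $true }
    }
    return $found
}

# Section 2.4 step 7: "Successfully signed" does not prove the TSS
# countersignature is there. Pass only if the file carries a time-stamp whose
# signer has the Time Stamping EKU; the chain status is reported separately
# (the self-signed makecert certificate from step 2 reports as untrusted).
function Test-TimestampedSignature([string]$FilePath) {
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    Write-Output ('Chain status: {0} ({1})' -f $sig.Status, $sig.StatusMessage)
    if (-not $sig.SignerCertificate) { return $false }   # file is not signed at all
    $tsa = $sig.TimeStamperCertificate
    if (-not $tsa) {
        Write-Warning 'Signed, but no time-stamp countersignature: check the /t URL.'
        return $false
    }
    Write-Output ('Time-stamped by: {0}' -f $tsa.Subject)
    return ((Get-EkuOids $tsa) -contains $TimeStampingOid)
}

$dir = 'C:\Program Files\nCipher\nfast\dse200\UserFiles'
Test-TsaChainEku          -P7bPath  (Join-Path $dir 'tsaid_1.p7b')   # 1 = placeholder TSA ID
Test-TimestampedSignature -FilePath (Join-Path $dir 'notepad.exe')
```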


    3 Troubleshooting

    Use the following table to troubleshoot the error messages shown.

    Error Message: nCipher CSP Providers are not displayed in the list of CSPs in the signtool signwizard utility.
    Resolution: Ensure that the nCipher CSP Wizard has been run with Set the nCipher CSP as the default SChannel CSP selected.

    Error Message: When Finish is clicked in the signtool signwizard utility, the message "The timestamping process did not complete" displays.
    Resolution: Ensure that the URL is correct and includes .../TSS/AuthenticodeTS.


    Contact Us

    Web site: https://www.ncipher.com
    Support: https://help.ncipher.com
    Email Support: [email protected]
    Documentation: Available from the Support site listed above.

    You can also contact our Support teams by telephone, using the following numbers:

    Europe, Middle East, and Africa

    United Kingdom: +44 1223 622444
    One Station Square, Cambridge, CB1 2GA, UK

    Americas

    Toll Free: +1 833 425 1990
    Fort Lauderdale: +1 954 953 5229
    Sawgrass Commerce Center – A, Suite 130, 13800 NW 14 Street, Sunrise, FL 33323, USA

    Asia Pacific

    Australia: +61 8 9126 9070
    World Trade Centre Northbank Wharf, Siddeley St, Melbourne VIC 3005, Australia

    Japan: +81 50 3196 4994
    Hong Kong: +852 3008 3188
    10/F, V-Point, 18 Tang Lung Street, Causeway Bay, Hong Kong


    About nCipher Security

    nCipher Security, an Entrust Datacard company, is a leader in the general-purpose hardware security module (HSM) market, empowering world-leading organizations by delivering trust, integrity and control to their business critical information and applications. Today’s fast-moving digital environment enhances customer satisfaction, gives competitive advantage and improves operational efficiency – it also multiplies the security risks. Our cryptographic solutions secure emerging technologies such as cloud, IoT, blockchain, and digital payments and help meet new compliance mandates. We do this using our same proven technology that global organizations depend on today to protect against threats to their sensitive data, network communications and enterprise infrastructure. We deliver trust for your business critical applications, ensure the integrity of your data and put you in complete control – today, tomorrow, always.

    www.ncipher.com
