Code Signing Help

Microsoft Windows Code Signing

Create your private key

You will need to generate an RSA private key with a minimum key size of 3072 bits. VikingCloud will support two options for your private key generation:

  1. You use a Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+, or
  2. You use a cloud-based key generation and protection solution with the following requirements:
    1. Key creation, storage, and usage of the Private Key must remain within the security boundaries of the cloud solution’s Hardware Crypto Module that conforms to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+;
    2. Your subscription at the level that manages the Private Key must be configured to log all access, operations, and configuration changes on the resources securing the Private Key.

Protect your new private key for a Code-Signing certificate

Your private key represents your organization’s identity! Code signed with your private key can be traced back to your organization.

  1. Always use passwords that are randomly generated with at least 16 characters containing uppercase letters, lowercase letters, numbers, and symbols to protect accounts using the private key.
  2. Limit the number of employees who are allowed to use your private key for signing code.
  3. Always time stamp your code so that it can be verified after a certificate has expired or has been revoked.
  4. Use two different signing certificates: one for test signing and the other for release signing. Use the test-signing certificate for signing code of a pre-release build of your software. The test-signing certificate must chain to a completely different root certificate and only be trusted in your test environment by adding it to your certificate store.
  5. Protect the new code that you will sign with the private key. Use code management systems that have strong authentication and audit logging capabilities. Always scan code for viruses before signing it.
  6. Limit the disruption caused when you must revoke a compromised certificate by using keys and certificates for short durations. Change them often.

Providing proof of private key creation and protection

Beginning May 27, 2023, VikingCloud will require proof that your Private Key is generated, stored, and used in a suitable Hardware Crypto Module with a unit design form factor certified as conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+. The following items will provide VikingCloud with proof of your Private Key Protection:

  1. You counter-sign your certificate request with a key attestation that can be verified using the manufacturer’s certificate, indicating that the Private Key was generated in a non-exportable way using a suitable Hardware Crypto Module;
  2. You provide an internal or external IT audit indicating that your organization only uses a suitable Hardware Crypto Module to generate Key Pairs to be associated with Code Signing Certificates;
  3. You provide a suitable report from the cloud-based key protection solution subscription and resources configuration protecting the Private Key in a suitable Hardware Crypto Module.

Certificate Information Guidelines

Location - Enter the location where your business operates. If you are an international customer in a country without a State/Province or City/Locality, leave those fields blank.

  • Country Name - Enter the two-letter International Organization for Standardization (ISO) abbreviation of the country where your organization is legally located.
  • State/Province - Spell out the entire name of your state or province. For example, if your business operates in Texas, enter "Texas" and not "TX".
  • City/Locality - Spell out the entire name of your city or locality.

Organization - Enter the full, unabbreviated legal name of your business. Include any applicable suffix, such as "Inc" or "LLC". If your company name is registered in an abbreviated form, then you may use that abbreviation if you want.

Organizational Unit - This field will not be included in your certificate, so you can leave it blank.

Common Name - Enter the same value as you entered for your Organization.

Email Address - Enter the address of the person responsible for code signing in your organization. This field is optional.

Generate your CSR

You can generate your CSR and sign it using the private key that you have created in your Hardware Crypto Module.
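As an added example (not VikingCloud's own tooling), the following PowerShell session builds a certreq.exe INF that follows the Certificate Information Guidelines above, generates a non-exportable RSA-3072 key inside a hardware-backed Key Storage Provider, and writes the PKCS#10 CSR. The KSP name, subject values, e-mail address and file paths are placeholders you must replace with your own.

```powershell
# Added example, not from the original page. Placeholders: the KSP name must be the one
# installed by your HSM vendor (list installed providers with: certutil -csplist),
# and the subject values are fictitious.
$Inf = @"
[NewRequest]
; Subject per the guidelines: full state and city names, legal organization name,
; Common Name identical to Organization. OU is omitted because it is not included.
Subject = "C=US, S=Texas, L=Austin, O=Example Corp Inc, CN=Example Corp Inc, E=codesigning@example.com"
KeyAlgorithm = RSA
; Minimum RSA key size required for the code-signing key
KeyLength = 3072
HashAlgorithm = sha256
; The private key must never leave the Hardware Crypto Module
Exportable = FALSE
; Digital signature only (0x80); the key is used for nothing but signing
KeyUsage = 0x80
; PLACEHOLDER: the Key Storage Provider of your HSM or cloud HSM client
ProviderName = "Example HSM Key Storage Provider"
MachineKeySet = FALSE
RequestType = PKCS10
FriendlyName = "Release code signing"

[EnhancedKeyUsageExtension]
; Code Signing extended key usage
OID = 1.3.6.1.5.5.7.3.3
"@

$InfPath = Join-Path $env:TEMP 'codesign.inf'
$CsrPath = Join-Path $env:TEMP 'codesign.csr'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Creates the key pair in the named KSP and writes the Base64 CSR, i.e. the text
# between the -----BEGIN/END NEW CERTIFICATE REQUEST----- lines that is submitted.
certreq.exe -new $InfPath $CsrPath

# Check before submitting: algorithm, key length and subject as actually encoded
# in the request, so a typo in the INF is caught before validation starts.
certutil.exe -dump $CsrPath |
    Select-String -Pattern 'Subject:', 'CN=', 'O=', 'Public Key Algorithm', 'Public Key Length'
```

If the provider rejects `Exportable = FALSE` or the request falls back to the default software provider, the key is not inside the crypto module and the CSR should not be submitted.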

Submit the CSR to VikingCloud

Now navigate to the location of your saved CSR and open it with a suitable text editor such as Notepad, TextEdit, or vi. Copy the entire text - including the top and bottom dashed lines. You can paste this text directly into the VikingCloud Control Center - Submit your CSR to proceed to validation.