Code Signing Help


Microsoft Windows Code Signing

To generate a CSR to submit to VikingCloud™ for your Code Signing certificate, you must first decide what Key Storage Provider to use to store your private key. If the device that hosts the code signing function uses Windows 8, Windows Server 2012, or newer operating systems, and includes a Trusted Platform Module (TPM) you can use the "Microsoft Platform Crypto Provider" for secure key storage.

Protect your new private key for a Code-Signing certificate

Your private key represents your organization’s identity! Code signed with your private key can be traced back to your organization.

  1. Create and protect your code-signing private key with cryptographic hardware products or on an isolated machine. VikingCloud™ requires that private keys for code-signing be created and stored in one of the following:
    1. A Trusted Platform Module (TPM) that generates and secures a key pair and that can document the subscriber's private key protection through a TPM key attestation.
    2. A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.
    3. Another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140 Level 2 or Common Criteria EAL 4+). In this case, the token must be kept physically separate from the device that hosts the code signing function until a signing session is begun.
    VikingCloud encourages methods 1 and 2 above and discourages method 3 because, while the SD Card or USB token is connected to the signing device, it is possible for the signing private key to be copied from the device. A TPM or hardware crypto module eliminates that possibility.
  2. Always use passwords that are randomly generated with at least 16 characters containing uppercase letters, lowercase letters, numbers, and symbols to protect your private key.
  3. Limit the number of employees who are allowed to use your private key for signing code.
  4. Always time stamp your code so that it can be verified after a certificate has expired or has been revoked.
  5. Use two different signing certificates: one for test signing and the other for release signing. Use the test-signing certificate for signing code of a pre-release build of your software. The test-signing certificate must chain to a completely different root certificate and only be trusted in your test environment by adding it to your certificate store.
  6. Protect the new code that you will sign with the private key. Use code management systems that have strong authentication and audit logging capabilities. Always scan code for viruses before signing it.
  7. Protect against conflicts that occur when you revoke a compromised certificate by using keys and certificates for short durations. Change them often.
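As an added example (not part of the VikingCloud page), this PowerShell script applies items 1 and 4 of the checklist: it release-signs a binary with a certificate whose private key lives in the TPM or hardware token (selected from the user's store by thumbprint, so the key never leaves the device), attaches an RFC 3161 timestamp, and then fails if the timestamp is missing. The thumbprint, timestamp server URL and file path are placeholders to replace with your own.

```powershell
# Added example, not VikingCloud's own script. Requires signtool.exe (Windows SDK) on PATH.
$thumbprint = "<SHA1 THUMBPRINT OF YOUR RELEASE-SIGNING CERTIFICATE>"   # placeholder
$tsaUrl     = "<https://RFC3161-TIMESTAMP-SERVER-URL>"                    # placeholder
$file       = ".\release\app.exe"                                         # placeholder

# /sha1 picks the certificate from the current user's store by thumbprint; signing is
# delegated to the key's storage provider, so a TPM- or token-resident key is used in place.
# /fd and /td select SHA-256 for the file digest and the timestamp digest.
# /tr requests an RFC 3161 timestamp so the signature stays verifiable after expiry or revocation.
signtool sign /sha1 $thumbprint /fd sha256 /tr $tsaUrl /td sha256 /v $file
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# /pa verifies against the default Authenticode policy; /v prints the chain and timestamp.
signtool verify /pa /v $file
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Release gate for checklist item 4: refuse an untimestamped signature.
$sig = Get-AuthenticodeSignature -FilePath $file
if ($sig.Status -ne 'Valid') { throw "signature status is $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) {
    throw "no timestamp countersignature: this signature will not verify after the certificate expires"
}
Write-Host "Signed by $($sig.SignerCertificate.Subject), timestamped by $($sig.TimeStamperCertificate.Subject)"
```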

Generate Private Key and CSR

You can use the Microsoft Management Console (MMC) to generate the private key and CSR as follows:

  1. Launch the Microsoft Management Console application (search for "mmc" in the Windows search feature).
  2. From the File menu, select Add/Remove Snap-in...
  3. Select Certificates in the Available snap-ins table on the left and click the Add > button.
  4. Select My User Account in the radio list and click Next.
  5. Click Finish.
  6. Click OK.
  7. Click on Certificates - Current User in the left panel.
  8. Right click on Personal in the center panel and select All Tasks -> Advanced Operations -> Create Custom Request.
  9. Click Next.
  10. Select Proceed without enrollment policy and click Next.
  11. Select (No template) CNG key in the Template field, and PKCS #10 in the Request Format field, and click Next.
  12. Expand Details under Custom Request and click the Properties button.
  13. Click on the Subject tab.
  14. Add the following Subject name values:
    Common Name: Enter the full, unabbreviated legal name of your business. Include any applicable suffix, such as "Inc" or "LLC". If your company name is registered in an abbreviated form, then you may use that abbreviation if you want.
    Organization: Enter the exact value you entered for Common Name.
    Locality: Spell out the entire name of the city or locality where your business operates. If you are an international customer in a country without a City/Locality, do not add this field.
    State: Spell out the entire name of the state or province where your business operates. For example, if your business operates in Texas, enter "Texas" and not "TX". If you are an international customer in a country without a State/Province, do not add this field.
    Country: Enter the two letter International Organization for Standardization (ISO) abbreviation of the country where your organization is legally located.
  15. Click on the Private Key tab.
  16. Under the Cryptographic Service Provider pulldown, select the CSP in which the key should be stored. This should be Microsoft Platform Crypto Provider if you are storing the private key in the system's TPM, or an appropriate Smart Card Key Storage Provider if using an external device. Ensure that no other providers are selected.
  17. Under the Key Options pulldown, select an appropriate key size (VikingCloud requires a minimum of 3072 bits).
  18. Click OK.
  19. Click Next.
  20. Enter/browse to a path and enter a file name for the CSR file. Ensure that Base 64 is selected as the file format. Click Finish.
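The same request can be produced without the MMC wizard. The PowerShell script below is an added example (not VikingCloud's own instructions) that drives certreq with an INF file matching the choices above: a CNG key in the Microsoft Platform Crypto Provider (TPM), 3072-bit RSA, PKCS #10 format, Base64 output. The subject values and file names are placeholders to replace with your own.

```powershell
# Added example, not from the VikingCloud page. Single-quoted here-string so "$Windows NT$"
# is written literally rather than expanded as a PowerShell variable.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; Placeholder subject: use your full legal name, locality, state and ISO country code
Subject = "CN=Example Company Inc, O=Example Company Inc, L=Austin, S=Texas, C=US"
; Store the private key in the TPM (CNG key storage provider), as in step 16
ProviderName = "Microsoft Platform Crypto Provider"
KeyAlgorithm = RSA
; VikingCloud minimum key size (step 17)
KeyLength = 3072
; A TPM-resident key is never exportable; keep this FALSE
Exportable = FALSE
; Current-user key store, matching "My User Account" in step 4
MachineKeySet = FALSE
; PKCS #10 request (step 11); output is Base64 by default (step 20)
RequestType = PKCS10
HashAlgorithm = SHA256
; Digital Signature key usage only
KeyUsage = 0x80

[EnhancedKeyUsageExtension]
; Code Signing
OID = 1.3.6.1.5.5.7.3.3
'@

$inf | Set-Content -Path '.\codesign.inf' -Encoding ASCII

# Generates the key pair in the TPM and writes the CSR; the pending request is kept in the
# user's "Certificate Enrollment Requests" store until the issued certificate is installed.
certreq -new '.\codesign.inf' '.\codesign.csr'
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check the request before submitting: subject and 3072-bit RSA public key.
certutil -dump '.\codesign.csr'
# Confirm the new key actually lives in the TPM provider rather than a software KSP.
certutil -user -csp 'Microsoft Platform Crypto Provider' -key

# The Base64 block, including the dashed BEGIN/END lines, is what you paste into the
# VikingCloud Control Center. After issuance, bind the certificate to the TPM key with:
#   certreq -accept '.\issued-cert.cer'
Get-Content '.\codesign.csr'
```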

You will need to submit the CSR file once you have made your purchase.

Submit the CSR to VikingCloud

Now navigate to the location of your saved CSR and open it with a suitable text editor such as Notepad, TextEdit, or vi. Copy the entire text - including the top and bottom dashed lines. You can paste this text directly into the VikingCloud Control Center - Submit your CSR to proceed to validation.