Nitrokey HSM 2 code signing

Our developers would like to sign their applications with a code signing certificate.

  • The CA (Sectigo) requires that the private key be RSA ≥ 3072 bits and be generated and stored on a hardware token. They’ll accept a standard PEM-encoded CSR.
  • As far as I understand, that means that the key/certificate can’t be stored with the PIV interface because that only supports RSA ≤ 2048 bits.
  • The developers would sign their applications with Microsoft Visual Studio, so the certificate would need to be accessible in Windows certificate store (like signtool.exe).

Is it possible to use the Nitrokey HSM 2 in this scenario?

Thanks.

Hi @drs!

Yes. For a code-signing certificate, use of RSA 4K keys with the Nitrokey HSM 2 is certainly possible and tested.

Windows

Under Windows this should not be a problem either. The certificate should be imported into the store, and then signtool should work just like that.

Linux

Under Linux you can use the osslsigncode tool (possibly available for Windows too), and even do it over a network. Just provide a proper PKCS#11 module. See this combo test snippet:

$ osslsigncode sign -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so -pkcs11module /usr/lib/libpkcs11-proxy.so -key "pkcs11:object=win-sign-test1" -certs outcert.spc -n Nitrokey -in app.exe -out app-signed.exe

Here we sign app.exe with an RSA 4K key placed under the win-sign-test1 label, over a pkcs11-proxy network proxy.

General

See the threads below for potential problems and solutions our users had:
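The osslsigncode-over-PKCS#11 flow from the answer above, wrapped in a sign-then-verify helper as an added example (not code from the thread, from Nitrokey or from the osslsigncode project): it reuses the engine path, module path and key label shown in the command above, reads the HSM PIN from a file so it does not land on the command line or in shell history, and assumes a PIN file path and an RFC 3161 timestamp-server URL that are both placeholders.

```shell
#!/bin/sh
# Added example: sign a PE binary with a key on the Nitrokey HSM 2 through
# osslsigncode's PKCS#11 engine, then verify the Authenticode signature.
set -eu

# Engine/module/label values are the ones from the thread; the PKCS#11 module
# can be the pkcs11-proxy client (as in the thread) or opensc-pkcs11.so locally.
ENGINE="${ENGINE:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
MODULE="${MODULE:-/usr/lib/libpkcs11-proxy.so}"
KEY_LABEL="${KEY_LABEL:-win-sign-test1}"
CERT="${CERT:-outcert.spc}"
PIN_FILE="${PIN_FILE:-/run/secrets/hsm-pin}"           # assumed placeholder path
TSA_URL="${TSA_URL:-http://timestamp.example/rfc3161}"  # assumed placeholder URL

# Emit the full osslsigncode argument vector, one argument per line, so the
# exact command can be reviewed (or checked in a test) before anything runs.
build_sign_cmd() {
    # $1 = unsigned input binary, $2 = signed output binary
    printf '%s\n' osslsigncode sign \
        -pkcs11engine "$ENGINE" \
        -pkcs11module "$MODULE" \
        -key "pkcs11:object=$KEY_LABEL" \
        -certs "$CERT" \
        -readpass "$PIN_FILE" \
        -h sha256 \
        -ts "$TSA_URL" \
        -n Nitrokey \
        -in "$1" -out "$2"
}

# Run the signing command and refuse to hand back a binary whose signature
# does not verify; also fails early if the PIN file cannot be read.
sign_and_verify() {
    in="$1"; out="$2"
    command -v osslsigncode >/dev/null 2>&1 || { echo "osslsigncode not installed" >&2; return 2; }
    [ -r "$PIN_FILE" ] || { echo "cannot read PIN file $PIN_FILE" >&2; return 2; }
    # Turn the one-per-line argv into a real invocation without eval/word splitting
    build_sign_cmd "$in" "$out" | tr '\n' '\0' | xargs -0 sh -c 'exec "$@"' sh
    osslsigncode verify -in "$out"
}

# Usage: sign_and_verify app.exe app-signed.exe
```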