Our developers would like to sign their applications with a code signing certificate.

- The CA (Sectigo) requires that the private key be RSA ≥ 3072 bits and be generated and stored on a hardware token. They’ll accept a standard PEM-encoded CSR.
- As far as I understand, that means that the key/certificate can’t be stored with the PIV interface because that only supports RSA ≤ 2048 bits.
- The developers would sign their applications with Microsoft Visual Studio, so the certificate would need to be accessible in the Windows certificate store (like signtool.exe).

Is it possible to use the Nitrokey HSM 2 in this scenario?