Before SSL.com can sign and issue an Adobe-trusted document signing certificate or an EV code signing certificate, we must first obtain proof that the private signing key has been generated by and is securely stored on a FIPS 140-2 Level 2 (or greater) certified device, from which it cannot be exported. The act of proving that a private key meets these requirements is known as attestation. The exact procedures for private key attestation vary significantly between devices and cloud computing platforms. SSL.com currently offers automated attestation for YubiKey FIPS tokens, but can also issue signed certificates for keys stored on a variety of hardware security modules (HSMs).
This guide provides a high-level overview of the basic private key attestation procedures for three popular cloud-based HSM services: AWS CloudHSM, Azure Dedicated HSM, and Google Cloud HSM. All three of these services provide FIPS 140-2 Level 3 validated HSM hardware for generating and storing encryption keys.
If you would like to request a certificate from SSL.com for one of these cloud HSM services, please review the information below and then submit an HSM Attestation Request Form.
Amazon Web Services (AWS) CloudHSM service does not currently provide any means by which SSL.com can automate attestation of keys generated on the HSM. For this reason, we currently require a remotely-witnessed key pair generation ceremony before we can issue document signing and EV code signing certificates for installation on AWS CloudHSM. Note that this remote-witnessing procedure will incur fees for time spent by SSL.com staff on ceremony scripting and participation.
During the ceremony, SSL.com staff will observe the generation of one or more cryptographic key pairs with non-exportable private keys on a CloudHSM instance via videoconferencing software. Following the ceremony, the customer may submit a certificate signing request (CSR) for signing and issuance by SSL.com. Any needed assistance with CSR generation by SSL.com staff will be billed at an hourly rate.
Microsoft’s Azure Dedicated HSM service uses the SafeNet Luna Network HSM 7 Model A790 HSM. The Luna cmu command-line tool can be used to generate a cryptographic key pair and certificate signing request (CSR) for document signing or EV code signing, along with the information required for attestation.
When generating your key pair with the cmu generatekeypair utility, make sure that the private key is not extractable (non-extractable is the default setting). Generate your CSR with the cmu requestcertificate command.
Before SSL.com can issue a document signing or EV code signing certificate for a CSR generated on Azure Dedicated HSM, we must verify that the key pair was generated on the device and that the private key is not exportable. In order to do this, you can request a public key confirmation (PKC) file for the key pair with the cmu getpkc command.
After generating your key pair, CSR, and PKC file, you can submit the CSR and PKC to SSL.com for validation and signing.
Google’s Cloud HSM service uses HSM hardware manufactured by Marvell. When generating a cryptographic key pair, the user may request an attestation statement, signed by the physical hardware, attesting that the private key is protected by the HSM.
This attestation statement may be parsed for evidence that a key was generated on the HSM and is non-exportable, and that a given public key matches it. Please refer to Google’s and Marvell’s documentation for full instructions on producing and parsing an attestation statement. The attestation statement must be submitted to SSL.com along with your certificate signing request (CSR) when requesting a document signing or EV code signing certificate for Google Cloud HSM.
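Whether the attestation evidence is a Luna PKC file or a Cloud HSM attestation statement, the CSR you submit alongside it is only useful if it was built on the attested key pair. The following added example (not SSL.com's, Thales's or Google's code) shows a local pre-submission check that the CSR's public key matches the attested public key and that the CSR's own signature verifies; it assumes openssl is on PATH and that the attested public key has already been extracted from the PKC or attestation statement into a PEM file per the vendor's documentation. The key pair and CSRs it generates are constructed sample input standing in for an HSM-generated pair.

```shell
#!/bin/sh
# Added example: sanity-check a CSR against an attested HSM public key before
# submitting both to the CA. The key material below is generated locally only
# as constructed sample input; a real key would stay inside the HSM.
set -eu

# Return 0 when the CSR's embedded public key is identical to the attested
# public key (compared as SHA-256 fingerprints of the DER SubjectPublicKeyInfo),
# 1 otherwise. A mismatch means the CSR was not built on the attested key.
csr_matches_attested_key() {
    csr="$1"; attested_pub="$2"
    csr_fp=$(openssl req -in "$csr" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
    att_fp=$(openssl pkey -pubin -in "$attested_pub" -outform DER \
             | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ -n "$csr_fp" ] && [ "$csr_fp" = "$att_fp" ]
}

# Return 0 when the CSR's self-signature verifies, i.e. the requester actually
# holds the private half of the public key inside the CSR.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# --- constructed sample input (stands in for the HSM key pair and PKC/attestation) ---
workdir=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/key.pem" 2>/dev/null
openssl pkey -in "$workdir/key.pem" -pubout -out "$workdir/attested_pub.pem"
openssl req -new -key "$workdir/key.pem" -subj "/CN=example-signer" -out "$workdir/good.csr"
# A second, unrelated key simulates a CSR that does not belong to the attested key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/other.pem" 2>/dev/null
openssl req -new -key "$workdir/other.pem" -subj "/CN=example-signer" -out "$workdir/bad.csr"

if csr_matches_attested_key "$workdir/good.csr" "$workdir/attested_pub.pem" && csr_signature_ok "$workdir/good.csr"; then
    echo "good.csr: public key matches attested key and signature verifies"
fi
if ! csr_matches_attested_key "$workdir/bad.csr" "$workdir/attested_pub.pem"; then
    echo "bad.csr: public key does NOT match attested key; do not submit"
fi
```

This check does not replace the vendor's own PKC or attestation verification; it only confirms that the CSR and the attested key belong together.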
If you would like to request certificates for a networked HSM or other FIPS 140-2 Level 2 (or greater) validated device that is not listed in this guide, please submit an HSM Attestation Request Form detailing the make and model of your device, contact information, and any questions or comments.