Supported Cloud HSMs for Document Signing and EV Code Signing

SSL.com currently supports AWS CloudHSM and Azure Dedicated HSM for issuance of Adobe-trusted document signing certificates and EV code signing certificates. Both of these cloud HSM services provide FIPS 140-2 Level 3 validated HSM hardware for generating and storing encryption keys. This guide provides an overview of key generation, attestation, and certificate ordering for these cloud HSM platforms, and includes pricing information for certificates installed on cloud HSMs.

What is attestation?
Before SSL.com can sign and issue EV code signing or Adobe-trusted document signing certificates, we must first obtain proof that the customer’s private signing key has been generated by and is securely stored on a FIPS 140-2 Level 2 (or greater) certified device, from which it cannot be exported. The act of proving that a private key meets these requirements is known as attestation. The exact procedures for private key attestation vary between devices and cloud computing platforms.

Amazon Web Services (AWS) CloudHSM

Amazon Web Services (AWS) CloudHSM service does not currently provide any means by which SSL.com can automate attestation of keys generated on the HSM. For this reason, we require a remotely-witnessed key pair generation ceremony before we can issue document signing and EV code signing certificates for installation on AWS CloudHSM. This remote-witnessing procedure will incur an extra charge for time spent by SSL.com staff on the ceremony.

During the ceremony, SSL.com staff will observe the generation of one or more cryptographic key pairs with non-exportable private keys on a CloudHSM instance via videoconferencing software. Following the ceremony, the customer may submit a certificate signing request (CSR) for signing and issuance by SSL.com. Please refer to Amazon’s AWS CloudHSM Documentation for CSR generation instructions.

SSL.com’s fee for key generation ceremonies on AWS CloudHSM is $1200.00 USD.

Microsoft Azure Dedicated HSM

Microsoft’s Azure Dedicated HSM service uses the SafeNet Luna Network HSM 7 Model A790 HSM. The Luna cmu command-line tool can be used to generate a cryptographic key pair and certificate signing request (CSR) for document signing or EV code signing, along with information required by SSL.com for attestation. Please refer to Thales’ Certificate Management Utility (CMU) documentation for full instructions on working with the cmu utility.

When generating your key pair with the cmu generatekeypair utility, make sure that the private key is not extractable (the default setting is non-extractable). You should generate your CSR with the cmu requestcertificate command.

After generating your key pair and CSR, request a public key confirmation (PKC) file for the new keys with the cmu getpkc command. This file can be used by SSL.com to confirm that the key pair was generated on compliant hardware and the private key is not exportable.

After generating your key pair, CSR, and PKC file, you can submit the CSR and PKC to SSL.com for validation and signing.
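A local sanity check you can run before submitting, as an added example that is not SSL.com's validation procedure or Thales' code: it confirms that the CSR's public key is one of the keys certified in the PKC file. It assumes the PKC is a DER-encoded PKCS#7 certificate chain and that openssl is installed; the function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example: check that the CSR's public key is certified in the PKC file.
# Assumption: the PKC is a DER-encoded PKCS#7 certificate chain.

csr_matches_pkc() {   # $1 = CSR (PEM), $2 = PKC; returns 0 match, 1 no match, 2 bad CSR
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] || return 2
    # The CSR self-signature shows the requester could sign with the private key.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 2
    tmp=$(mktemp -d) || return 2
    # Split the chain into one PEM file per certificate.
    openssl pkcs7 -inform DER -in "$2" -print_certs 2>/dev/null |
        awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}'
    found=1
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        cert_pub=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null)
        # Compare non-empty PEM public keys; an unparsable cert never matches.
        if [ -n "$cert_pub" ] && [ "$cert_pub" = "$csr_pub" ]; then found=0; fi
    done
    rm -rf "$tmp"
    return "$found"
}

# Constructed sample input: a throwaway software key stands in for the HSM key,
# and a self-signed certificate wrapped in PKCS#7 stands in for a real PKC.
make_constructed_sample() {   # $1 = existing output directory
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -subj "/CN=constructed-sample" \
        -out "$1/csr.pem" &&
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=constructed-sample" \
        -days 1 -out "$1/cert.pem" &&
    openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER \
        -out "$1/pkc.p7b"
}

# Usage: sh check_pkc.sh request.csr keys.pkc
if [ "$#" -eq 2 ]; then
    if csr_matches_pkc "$1" "$2"; then
        echo "CSR public key is certified in the PKC"
    else
        echo "no match, or the CSR could not be read"
    fi
fi
```

A match only shows that the two files refer to the same key; confirming that the key was generated on compliant hardware remains SSL.com's step.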

SSL.com’s fee for Azure Dedicated HSM PKC confirmation is $500.00 USD.

Cloud HSM Pricing Tiers

For certificates installed on cloud HSM platforms, SSL.com offers the following pricing tiers, based on the maximum number of signings per year.

| Tier | Price | Signings Per Year |
|---|---|---|
| Free Tier | Base Certificate Price | 1,000 |
| Tier 1 | Base Price + $180.00 | 2,000 |
| Tier 2 | Base Price + $300.00 | 5,000 |
| Tier 3 | Base Price + $500.00 | 10,000 |
| Tier 4 | Contact Sales | > 10,000 |

Cloud HSM Service Request Form

If you would like to order digital certificates for installation on a supported cloud HSM platform (AWS CloudHSM or Azure Dedicated HSM), please fill out and submit the form below. After we receive your request, a member of SSL.com’s staff will contact you with more details about the ordering and attestation process.

Other Cloud HSM Platforms

SSL.com is currently developing and testing procedures for issuance of document signing certificates on a wide range of HSM services and hardware. If you would like to express interest in ordering certificates for a platform we do not yet support and receive updates on the HSMs we support, please fill out our HSM Inquiry Form.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page. You can also find answers to many common support questions in our knowledgebase.
