How to Use AWS CloudHSM with a DigiCert Code Signing Certificate
This guide explains how to:
- Generate a private key and CSR using AWS CloudHSM
- Order an OV or EV Code Signing Certificate from GeoCerts (DigiCert partner)
- Install the issued certificate and bind it to your CloudHSM key for secure code signing
Step 1: Set Up AWS CloudHSM
A. Prerequisites
- An active AWS account
- A working CloudHSM cluster with at least one HSM
- AWS CloudHSM client SDK v5 installed on your signing server
- A Crypto User (CU) account created on the HSM
Refer to the official AWS CloudHSM setup guide:
https://docs.aws.amazon.com/cloudhsm/latest/userguide/
Step 2: Generate the Private Key and CSR
A. Connect to CloudHSM
From an EC2 instance that has the CloudHSM client installed and can reach the cluster, start the client session:
startcloudhsm
B. Generate a Private Key
key_mgmt_util
Then, inside the utility:
generateKeyPair -t RSA -s 3072 -l MyCodeSignKey
- -t: Key type (RSA)
- -s: Key size (3072 or 4096 bits recommended for EV)
- -l: Key label for reference
C. Generate a Certificate Signing Request (CSR)
Still in key_mgmt_util, run:
genCSR -k MyCodeSignKey -s "CN=Your Organization Name" -f /home/user/MyCodeSignCert.csr
This generates a CSR using the HSM-protected private key. The CSR will include the subject name and public key.
Note: AWS CloudHSM does not support including EKU (Extended Key Usage) fields in the CSR. DigiCert will automatically add the Code Signing EKU (1.3.6.1.5.5.7.3.3) when issuing the certificate.
Tip: Including the Code Signing EKU (1.3.6.1.5.5.7.3.3) when generating your CSR is optional. DigiCert will automatically add it to the issued certificate based on the product type (OV or EV Code Signing).
Step 3: Order Your DigiCert Code Signing Certificate
- Log in to your GeoCerts account.
- Click New Certificate.
- Choose one of the following:
- OV Code Signing Certificate
- EV Code Signing Certificate
- Choose "Install on HSM" as the provisioning method. This ensures DigiCert issues the certificate without provisioning it to a USB token or cloud provider; you will install it onto your CloudHSM manually.
- Paste in the CSR generated from CloudHSM.
- Submit the order and complete any required validation steps.
Note: EV certificates require additional identity verification, which may take a few business days to complete.
Step 4: Download the Issued Certificate
Once the certificate has been approved and issued:
- Go to your GeoCerts account and locate your certificate under the Order ID.
- Click Download Certificate Files.
- Choose the format:
- PEM (.crt/.pem) or
- PKCS #7 (.p7b)
Both formats include the end-entity certificate and the intermediate CA chain. PEM is generally preferred for CloudHSM usage.
Step 5: Install the Certificate and Bind It to the Private Key
If your signing tool requires the certificate to be accessible via CloudHSM:
- Open key_mgmt_util again.
- Import the certificate and bind it to the key label:
importCert -l MyCodeSignCert -f /home/user/issued_cert.pem
This binds the certificate to the original key pair (MyCodeSignKey) stored in your HSM.
Important: The public key in the certificate must match the private key previously generated in CloudHSM, or the import will fail.
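The following checks are an added example and are not part of the original guide or of any AWS or DigiCert tooling. They cover two points made above: that the CSR you submit in Step 2C carries a key of at least 3072 bits and a valid self-signature, and that the certificate you are about to import in Step 5 matches the CSR's public key and carries the Code Signing EKU (1.3.6.1.5.5.7.3.3). The script assumes only that openssl is on PATH; every key and certificate it creates is a constructed stand-in, because with CloudHSM the private key never leaves the HSM and you would run the same checks against the real CSR and the PEM you downloaded from GeoCerts.

```shell
#!/bin/sh
# Added example, not part of the original guide. Offline sanity checks for a
# code signing CSR and its issued certificate. Assumes `openssl` is on PATH.
# All files produced by make_demo are constructed stand-ins for HSM output.
set -eu

# csr_key_bits CSR -> prints the RSA modulus size recorded in the request
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_is_acceptable CSR -> 0 if the CSR self-signature verifies and the key is >= 3072 bits
csr_is_acceptable() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(csr_key_bits "$1")" -ge 3072 ]
}

# extract_pubkey FILE KIND -> PEM SubjectPublicKeyInfo from a CSR or a certificate
extract_pubkey() {
    case "$2" in
        csr)  openssl req  -in "$1" -noout -pubkey ;;
        cert) openssl x509 -in "$1" -noout -pubkey ;;
        *)    echo "unknown kind: $2" >&2; return 2 ;;
    esac
}

# pubkey_fingerprint FILE KIND -> SHA-256 over the DER-encoded public key
pubkey_fingerprint() {
    extract_pubkey "$1" "$2" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_csr CSR CERT -> 0 only if the certificate was issued for the CSR's key
cert_matches_csr() {
    [ "$(pubkey_fingerprint "$1" csr)" = "$(pubkey_fingerprint "$2" cert)" ]
}

# cert_has_code_signing_eku CERT -> 0 if extendedKeyUsage contains Code Signing (1.3.6.1.5.5.7.3.3)
cert_has_code_signing_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q 'Code Signing'
}

# make_demo -> creates constructed stand-ins in a temp dir and prints its path
make_demo() {
    dir=$(mktemp -d)
    printf 'extendedKeyUsage = codeSigning\n' > "$dir/ext.cnf"
    # stand-in for the HSM key pair (the guide's MyCodeSignKey) and its CSR
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -subj "/CN=Your Organization Name" -out "$dir/request.csr" 2>/dev/null
    # stand-in for the CA-issued certificate: self-signed here, with the Code Signing EKU
    openssl x509 -req -in "$dir/request.csr" -signkey "$dir/key.pem" -days 1 \
        -extfile "$dir/ext.cnf" -out "$dir/issued.pem" 2>/dev/null
    # an unrelated 2048-bit key, CSR and certificate to exercise the failure paths
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.pem" 2>/dev/null
    openssl req -new -key "$dir/other.pem" -subj "/CN=Other" -out "$dir/other.csr" 2>/dev/null
    openssl req -new -x509 -key "$dir/other.pem" -subj "/CN=Other" -days 1 -out "$dir/other_cert.pem" 2>/dev/null
    echo "$dir"
}

# usage: run the three checks against the constructed material
demo_dir=$(make_demo)
csr_is_acceptable "$demo_dir/request.csr" && echo "CSR ok: $(csr_key_bits "$demo_dir/request.csr")-bit key"
cert_matches_csr "$demo_dir/request.csr" "$demo_dir/issued.pem" && echo "certificate public key matches the CSR"
cert_has_code_signing_eku "$demo_dir/issued.pem" && echo "certificate carries the Code Signing EKU"
```

Against real material, point csr_is_acceptable at the CSR written by genCSR before you paste it into the order, and point cert_matches_csr and cert_has_code_signing_eku at that CSR and the downloaded PEM before running importCert: a fingerprint mismatch is exactly the failure the note above describes, and catching it here is cheaper than an HSM import error.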
Step 6: Sign Code Using the HSM-Stored Certificate
Once installed, your certificate is ready for secure signing using tools that support PKCS#11 or JCE integration with CloudHSM.
Example: Using Microsoft SignTool (Windows)
If configured with PKCS#11 on Windows, you can run:
signtool sign /fd SHA256 /v /n "Your Organization Name" /tr http://timestamp.digicert.com yourApp.exe
Example: Using Jarsigner (Java)
jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 \
  -providerArg pkcs11.cfg -signedjar SignedApp.jar UnsignedApp.jar "MyCodeSignKey"
Notes and Best Practices
- AWS CloudHSM does not support setting EKUs in CSRs, but DigiCert will include the correct EKU automatically during certificate issuance.
- Always use a key size of at least 3072 bits to comply with industry best practices and EV requirements.
- The private key must never be exported from the HSM.
- Be sure to use the exact same key when reissuing or renewing a certificate.
- If your toolchain cannot interact directly with CloudHSM, consider building an abstraction layer using PKCS#11.