OpenSC minidriver and Windows Authenticode certificates

Marco Giuliani
Hello,

I just got a smartcard-HSM and I wanted to use it to store my code signing certificate used for usermode and kernelmode Authenticode code signing. 
I have a PFX file right now, containing the public+private key and I saw that signtool.exe can use CSP to sign PE files. 

Did anybody try storing the code signing certificate into an HSM like Smartcard-HSM through OpenSC and using it for code signing?

Does anybody know how to properly do it? Like how to convert the PFX into something I can import to the HSM?

Thanks for your support!

Marco

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: OpenSC minidriver and Windows Authenticode certificates

Andreas Schwier (ML)
Dear Marco,

the SmartCard-HSM only supports encrypted key import for security
reasons. This will not work with tools provided by OpenSC.

We generally advise users to generate keys on the device and use the
backup/restore facility for important keys. This ensures proper access
control to key material and ensures secrecy even while keys are in transit.

The SmartCard-HSM SDK contains a script to import RSA keys from PKCS#12
files into a SmartCard-HSM. The SDK is a commercial product, but if you
need just the script, then that will be available for free under NDA.

Please send me a pm, so we can get that sorted out.

Andreas

On 05/07/2015 03:49 PM, Marco Giuliani wrote:

> Hello,
> I just got a smartcard-HSM and I wanted to use it to store my code signing certificate used for usermode and kernelmode Authenticode code signing. I have a PFX file right now, containing the public+private key and I saw that signtool.exe can use CSP to sign PE files.
> Did anybody try storing the code signing certificate into an HSM like Smartcard-HSM through OpenSC and using it for code signing?
> Does anybody know how to properly do it? Like how to convert the PFX into something I can import to the HSM?
> Thanks for your support!
> Marco    


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com

