Supported Cloud HSMs for Document Signing and Code Signing

SSL.com currently supports AWS CloudHSM, Azure Dedicated HSM, and Google Cloud HSM for issuance of Adobe-trusted document signing certificates, IV/OV code signing certificates, and EV code signing certificates. All of these cloud HSM services provide FIPS 140-2 Level 3 validated HSM hardware for generating and storing encryption keys. This guide provides an overview of key generation, attestation, and certificate ordering for these cloud HSM platforms, and includes pricing information for certificates installed on cloud HSMs.

What is attestation?
Before SSL.com can sign and issue code signing or Adobe-trusted document signing certificates, we must first obtain proof that the customer’s private signing key has been generated by and is securely stored on a FIPS 140-2 Level 2 (or greater) certified device, from which it cannot be exported. The act of proving that a private key meets these requirements is known as attestation. The exact procedures for private key attestation vary between devices and cloud computing platforms.

Amazon Web Services (AWS) CloudHSM

Amazon Web Services (AWS) CloudHSM service does not currently provide any means by which SSL.com can automate attestation of keys generated on the HSM. For this reason, we require a remotely-witnessed key pair generation ceremony before we can issue document signing and code signing certificates for installation on AWS CloudHSM. This remote-witnessing procedure will incur an extra charge for time spent by SSL.com staff on the ceremony.

During the ceremony, SSL.com staff will observe the generation of one or more cryptographic key pairs with non-exportable private keys on a CloudHSM instance via videoconferencing software. Following the ceremony, the customer may submit a certificate signing request (CSR) for signing and issuance by SSL.com. Please refer to Amazon’s AWS CloudHSM Documentation for CSR generation instructions.

SSL.com’s fee for key generation ceremonies on AWS CloudHSM is $1200.00 USD.

Microsoft Azure Key Management Solutions

There are three types of Azure key management solutions that SSL.com can use for signing certificates:

  • Azure Key Vault (Premium Tier) and Azure Key Vault Managed HSM which do not provide remote attestation and we can not currently attest to directly as a CA in a compliant way. While we accept the use of Azure Key Vault Managed HSM, the compliant key generation must be audited and attested to in a letter from a certified security professional which is detailed in the BYOA process.
  • Azure Dedicated HSM for which SSL.com can provide remote attestation services. Bring Your Own Auditor (BYOA) can also be used for Azure Key Vault and Azure Dedicated HSM services in lieu of SSL.com attestation provided.

If a certified security officer does not exist in the organization, there are external attestation service providers that can be engaged to do so. Here is one example: https://spearit.net/services/remote-key-attestation

Microsoft’s Azure Dedicated HSM service uses the SafeNet Luna Network HSM 7 Model A790 HSM. The Luna cmu command-line tool can be used to generate a cryptographic key pair and certificate signing request (CSR) for document signing or code signing, along with information required by SSL.com for attestation. Please refer to Thales’ Certificate Management Utility (CMU) documentation for full instructions on working with the cmu utility.

When generating your key pair with the cmu generatekeypair utility, be certain to make sure that the private key is not extractable (the default setting is non-extractable). You should generate your CSR with the cmu requestcertificate command.

After generating your key pair and CSR, request a public key confirmation (PKC) file for the new keys with the cmu getpkc command. This file can be used by SSL.com to confirm that the key pair was generated on compliant hardware and the private key is not exportable.

After generating your key pair, CSR, and PKC file, you can submit the CSR and PKC to SSL.com for validation and signing.

SSL.com’s fee for Azure Dedicated HSM PKC confirmation is $500.00 USD.

Google Cloud HSM

Google’s Cloud HSM service uses devices manufactured by Marvell (formerly Cavium), which can produce signed attestation statements for cryptographic keys that SSL.com can verify before issuing document signing or code signing certificates. Please refer to Google’s Cloud Key Management documentation when generating your key pair and attestation statement:

After generating your key pair, CSR, and attestation statement, you can submit them to SSL.com for validation and signing. GitHub user mattes has provided an open-source utility for creating a CSR and signing it with a private key from Google Cloud HSM.

SSL.com’s fee for Google Cloud HSM attestation is $500.00 USD.

Bring Your Own Auditor (BYOA)

Attestations can also be performed by other qualified individuals who have recognized cybersecurity certifications. We call this “Bring Your Own Auditor” when the owner of the HSM utilizes means for key generation attestation other than using SSL.com’s attestation services. 

The BYOA option can be used to perform any Key Generation Ceremony (KGC) of a compliant HSM even for those HSMs SSL.com does not provide attestation services for. 

BYOA requires thorough preparation, otherwise, there is a significant risk of rejection for the generated key. This could happen if the device used is not compliant,  the auditor is not qualified, or the auditor’s report does not cover the requirements of the process. In such a case, the ceremony will have to be repeated, resulting in added costs and delays for the client. 

To avoid such scenarios, SSL.com’s customer support and/or validation specialists communicate with the customer before the KGC to provide guidance and ensure the following:

  • The auditor is approved according to the criteria described below
  • The ceremony preparations requirements, as well as the ceremony script, are clear and followed thoroughly so as the KGC environment is properly prepared
  • Any restrictions and/or BYOA-specific terms and conditions are clear and accepted by the customer

Details on requirements for external auditors can be found here.

Cloud HSM Pricing Tiers

For certificates installed on cloud HSM platforms, SSL.com offers the following pricing tiers, based on the maximum number of signings per year.

Tier Price Signings Per Year
Free Tier Base Certificate Price 1,000
Tier 1 Base Price + $180.00 2,000
Tier 2 Base Price + $300.00 5,000
Tier 3 Base Price + $500.00 10,000
Tier 4 Contact Sales > 10,000

Cloud HSM Service Request Form

If you would like to order digital certificates for installation on a supported cloud HSM platform (AWS CloudHSM or Azure Dedicated HSM), please fill out and submit the form below. After we receive your request, a member of SSL.com’s staff will contact you with more details about the ordering and attestation process.

Other Cloud HSM Platforms

SSL.com is currently developing and testing procedures for issuance of document signing certificates on a wide range of HSM services and hardware. If you would like to express interest in ordering certificates for a platform we do not yet support and receive updates on the HSMs we support, please fill out our HSM Inquiry Form.

Need more resources for your SSL.com account? Check out these pages: 

Twitter
Facebook
LinkedIn
Reddit
Email

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.