How to Setup and Use YubiHSM for Code Signing?


To strengthen their overall security infrastructure, organisations are adopting tools such as Hardware Security Module (HSM) devices. An HSM is typically tamper-resistant and keeps cryptographic keys and other sensitive material inside the device, bolstering both data and software security measures.

Fundamentals of YubiHSM Device

YubiHSM is an HSM device designed by the globally reputed hardware manufacturer Yubico. It provides a tamper-resistant environment for encrypting data, storing cryptographic keys, and performing cryptographic operations such as signing without the private key ever leaving the device.

Because of these properties, organisations prefer YubiHSM for code signing: the signing key is protected by strong hardware security measures, and the workflow meets the industry-standard compliance requirements for handling code signing requests.

How to Use YubiHSM For Creating a Code Signing Certificate Request

With that background on the YubiHSM device, let us take a closer look at how a YubiHSM, such as the YubiHSM 2, is used to generate a code signing certificate request, in an easy 6-step tutorial:

1. Connect the YubiHSM and Install the YubiHSM Software

The initial step is downloading the YubiHSM software package for your operating system and installing, from the ZIP archive, the connector and the Cryptography API: Next Generation (CNG) Key Storage Provider components.
Once you are done, confirm that the installation succeeded by opening the connector's status page at "http://localhost:12345/connector/status".

2. Create an INF File using the YubiCo Template

In this step, download the sample template provided by Yubico, which describes the signing certificate you need, such as an EV Code Signing Certificate.
You may modify the template (for example, update the subject information) and save it as an INF file for later use.

3. Generating CSR using the INF File

The third step creates a Certificate Signing Request (CSR), taking the .INF file as input. To generate the CSR, execute the following command:
certreq -new sign.inf sign.req

This command generates the CSR as "sign.req" using the information provided in the INF file; the corresponding key pair is created on the YubiHSM.
You should also confirm that a new key object is present on the YubiHSM device, which verifies that the CSR was created successfully.

4. Submission of the CSR to the Certificate Authority

After completing Step 3, submit the Certificate Signing Request (CSR) created in that step to your Certificate Authority (CA), either through their online portal or through their designated process. The CA reviews the CSR and issues a new code signing certificate, which you then download to your system.

5. Installing the New Code Signing Certificate in the Signing Machine’s Certificate Store

To install the newly issued code signing certificate in the signing machine’s certificate store, follow these instructions:

i. Locate the code signing certificate on your system that you downloaded in the previous step.
ii. Open the certificate installation wizard by double-clicking on the code signing certificate file.
iii. Follow the wizard's instructions to import your issued certificate into the appropriate certificate store on your signing machine, like "Personal\My Store."
iv. Ensure that the certificate is associated with the private key held on the YubiHSM through the installed CNG provider.

6. Digitally Sign Your Code

This is the final step: you can now sign your code with the Microsoft code signing tools (usually included in the Windows 10 SDK installation package).
For code signing you can use the "SignTool" command with the appropriate parameters, as shown below:
signtool sign /v /sm /tr http://timestamp.digicert.com /td SHA1 /fd SHA1 /a /d "DropBearSec Signing Machine" /as c:\tmp\testfile.exe
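The following PowerShell script is an added example that walks through Steps 1 to 6 end to end; it is not part of the original article and is not Yubico's own code. It assumes the YubiHSM connector and Key Storage Provider are installed and the connector answers on localhost:12345, that signtool.exe is on the PATH, and that the CA-issued certificate has been saved as C:\signing\issued.cer. The working directory, subject name, file names and the provider name string are assumptions to adjust for your environment (the exact provider name can be confirmed with "certutil -csplist"). Unlike the article's signtool command, the signing step uses SHA-256 for both the file digest and the timestamp digest, because current Windows versions no longer trust SHA-1 code signatures, and it finishes with a verification pass.

```powershell
# Added example (not from the original article or from Yubico): steps 2-6 as one
# PowerShell script. All paths, names and the subject below are placeholders.
$ErrorActionPreference = 'Stop'
$work = 'C:\signing'                      # assumed working directory
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Step 1 check: the connector status page must answer before anything else.
$status = Invoke-WebRequest -Uri 'http://localhost:12345/connector/status' -UseBasicParsing
if ($status.StatusCode -ne 200) { throw 'YubiHSM connector is not reachable' }
Write-Host $status.Content

# Step 2: INF file for certreq. ProviderName selects the YubiHSM Key Storage
# Provider (confirm the exact string with 'certutil -csplist'); Exportable=False
# keeps the private key inside the HSM. A single-quoted here-string is used so
# that "$Windows NT$" is written literally.
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=Example Publisher, O=Example Org, C=US"   ; placeholder subject
KeyAlgorithm = RSA
KeyLength = 3072
HashAlgorithm = SHA256
ProviderName = "YubiHSM Key Storage Provider"
MachineKeySet = True
Exportable = False
KeyUsage = 0x80                                         ; digitalSignature
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3                                 ; id-kp-codeSigning
'@ | Set-Content -Path "$work\sign.inf" -Encoding ASCII

# Step 3: generate the CSR; the key pair is created on the YubiHSM, not on disk.
certreq -new "$work\sign.inf" "$work\sign.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check that a new key object now exists behind the provider.
certutil -key -csp "YubiHSM Key Storage Provider"

# Step 4 is manual: submit sign.req to the CA and save the issued certificate
# as $work\issued.cer.

# Step 5: accept the issued certificate in the machine context so Windows pairs
# it with the pending request's key on the HSM and places it in Personal (My).
certreq -accept -machine "$work\issued.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=Example Publisher*' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in the machine Personal store' }
if (-not $cert.HasPrivateKey) { throw 'Certificate is not paired with a YubiHSM key' }

# Step 6: sign with SHA-256 digests, selecting the certificate by thumbprint
# rather than /a so the wrong key can never be picked up by accident.
$target = "$work\testfile.exe"            # placeholder binary to sign
signtool sign /v /sm /sha1 $cert.Thumbprint /fd sha256 `
    /tr http://timestamp.digicert.com /td sha256 `
    /d "Example build" $target
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify the signature chain and the timestamp before shipping the binary.
signtool verify /v /pa $target
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

Run the script from an elevated PowerShell session, since both the machine key set and the LocalMachine certificate store require administrative rights; if the private-key check fails after "certreq -accept", the certificate was imported without being paired with the HSM key, which is the condition Step 5 (iv) warns about.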

Conclusion

To summarise, following the above 6-step tutorial lets you create a code signing certificate whose private key is held on the YubiHSM, and then digitally sign your code with that issued certificate.

Moreover, if you encounter any issues in the code signing process, it is recommended to troubleshoot with additional options such as the "/debug" and "/v" arguments of signtool, or with certutil commands, to identify and resolve them.