Tags: windows, code-signing, yubico, yubihsm

YubiHSM Code-signing exporting certificate


I followed the tutorial for generating a code-signing certificate using the YubiHSM Key Storage provider available here. After creating the Certificate Signing Request (CSR) with certreq -new sign.inf sign.req, a new asymmetric key is created in the YubiHSM together with an association between this key and the certificate in the YubiHSM Key Storage Provider (KSP). After that, I am able to sign my binaries using something like signtool sign /sha1 <certificate hash> <binary name>.

However, when I export this certificate and import it to a different machine the certificate does not have an associated private key. Typing certutil -repairstore my <certificate hash> does not help. As far as I understand, the KSP only stores a link to the YubiHSM, not the actual private key itself. So I suppose I need to somehow create this association in the KSP.


Solution

I finally managed to solve the issue as follows: After installing and configuring the YubiHSM KSP, install your exported certificate. After installing the certificate, check its validity with:

    certutil -verifystore my <certificate hash>

If you still cannot see the installed certificate, try adding it manually using:

    certutil -addstore -f "My" "MyCertificate.cer"

Once you can find the imported certificate, you need to manually bind the certificate to the private key. This is because the key is not stored with the certificate and Windows doesn't automatically create an association between the two.

    certutil -repairstore my <certificate hash>

Now you should be able to see the correct key label in the Key Container field using the certutil -verifystore command.

After that you should be able to start signing your binaries with signtool. However, I had to add the /sm flag to make it work.

    signtool sign /sm /a /n "<CertificateName>" /fd sha256 path-to-binary-to-sign.exe
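The steps in the answer above, collected into one PowerShell script that checks each step before moving on. This is an added example, not code from the question or the answer: it assumes the YubiHSM KSP is already installed and configured on the signing machine, the YubiHSM is connected, signtool.exe is on PATH, and the shell is elevated (writing to the machine store needs it). The certificate path, thumbprint and binary path are placeholders to be replaced.

```powershell
# Added example (not from the original post): automate the answer's steps on the
# signing machine and verify each one. Assumes the YubiHSM KSP is installed and
# configured, the YubiHSM is connected, and signtool.exe is on PATH.
# The three values below are placeholders and must be replaced.
param(
    [string]$CerPath    = 'C:\path\to\MyCertificate.cer',   # exported public certificate (placeholder)
    [string]$Thumbprint = '<certificate hash>',              # SHA-1 thumbprint shown by certutil (placeholder)
    [string]$Binary     = 'C:\path\to\binary-to-sign.exe'    # file to sign (placeholder)
)

$ErrorActionPreference = 'Stop'
$Thumbprint = $Thumbprint -replace '\s', ''   # certutil prints the hash with spaces; strip them

function Get-SigningCert {
    # signtool /sm reads the machine-wide personal store, so the certificate has to
    # be looked up in LocalMachine\My, not in the current user's store.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

# 1. Import the exported certificate into the machine "My" store if it is not there yet.
if (-not (Get-SigningCert)) {
    certutil -addstore -f "My" $CerPath | Out-Null
    if (-not (Get-SigningCert)) {
        throw "Certificate $Thumbprint not found in LocalMachine\My after import."
    }
}

# 2. Bind the certificate to the key held in the YubiHSM via the KSP. Only the public
#    certificate was imported, so Windows has not created this link on its own.
if (-not (Get-SigningCert).HasPrivateKey) {
    certutil -repairstore my $Thumbprint | Out-Null
}

# 3. Confirm the binding before signing. HasPrivateKey reports whether the store
#    entry now references a key container; verifystore prints the container and KSP.
$cert = Get-SigningCert
if (-not $cert.HasPrivateKey) {
    throw "No private key is associated with $Thumbprint; check the YubiHSM KSP configuration."
}
certutil -verifystore my $Thumbprint

# 4. Sign from the machine store, selecting the certificate by thumbprint rather than
#    by subject name (/n), so an ambiguous subject cannot pick the wrong certificate.
signtool sign /sm /sha1 $Thumbprint /fd sha256 $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 5. Verify the signature independently of the signing step. Status is 'Valid' only
#    when the chain is trusted on this machine; a test-CA certificate will report
#    a different status even though signing succeeded.
$sig = Get-AuthenticodeSignature -FilePath $Binary
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
"Signed $Binary with $($sig.SignerCertificate.Subject)"
```

The script only checks what the answer describes: that the imported certificate is visible in the machine store, that repairstore produced a private-key association, and that signtool accepts it. For a release build you would normally also add a timestamp to the signature (signtool's /tr and /td options), since an untimestamped signature stops validating once the certificate expires.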