
Venafi Trust Protection Platform Integration


The Venafi Trust Protection Platform integrates with the HSMoD service for the following use cases:

Use Case 1: Protecting the Database with HSM encryption

Venafi Trust Protection Platform maintains all system information in a database. System information includes: configuration settings, managed server and certificate information, credentials, archived certificates, and private keys.

To secure this information, Venafi uses hardware encryption keys on the HSM to encrypt the information used to connect to the database. The HSM connector provides the information required to access HSM encryption keys from Venafi. You create the HSM connector in the Venafi Configuration Console.

Creating the HSM Connector

The HSM connector provides information required to access encryption keys in Venafi Platform. You can create the HSM connector in the Venafi Configuration Console.

To create the HSM connector

Open the Venafi Configuration Console, and select the Connectors node from the left pane beneath Venafi Configuration.

In the Actions panel, click Create HSM Connector.

If requested, enter the Venafi Trust Protection Platform administrator credentials.

The Create new HSM (Cryptoki) Connector screen displays.

a. Specify the name of the connector in the Name field.

b. Enter the location of the cryptoki.dll file in the Venafi Cryptoki DLL Path field.

c. Specify the slot ID of the HSM partition in the Slot field.

d. Select the user required to access the keys on the HSM partition in the User Type field.

e. Enter the Crypto Officer password in the Pin field.

Click Verify.

In the Permitted Keys field, click on New Key to create a new encryption key on the HSM partition or service.

The Create New HSM Key screen displays.

a. Specify the name of the encryption key in the Name field.

b. Open the Type drop-down menu and select AES 256.

Click Create.

Select the new key in the Permitted Keys field.

Click Create.

The HSM connector generates under Encryption Connectors.

The encryption key generates on the partition. You can verify the encryption key exists by executing partition contents in lunacm.

Use Case 2: Remotely Generating HSM keys (with Advanced Key Protect)

Venafi Platform orchestrates the connection to the system that requires the certificate. The key pair is securely maintained on the HSM, delivering HSM-based key protection, and the private key never leaves the HSM.

Configuring the Target Machine

Perform the following steps on the target machine where you want to configure the certificate.

To configure the target machine

Install the HSMoD client on the target machine and initialize the service.

Configure the application on the target machine to use the HSM.

For more details, refer to the Venafi Documentation for a list of supported applications.

Enabling Venafi Advanced Key Protect

Venafi Advanced Key Protect allows you to use the HSM to generate keys and private keys remotely. This is an add-on feature to Venafi Platform.

To enable Venafi Advanced Key Protect

Open the Venafi Configuration Console, and click the Connectors node.

In the Actions panel, click Enable Advanced Key Protect.

Review the information in the dialog boxes and confirm the action.

Restart the IIS service by going to the Product node, clicking Website, and then clicking Restart.

Restart the Venafi Platform service by clicking on Venafi Platform, and then clicking Restart.

Restart the Logging service by clicking on Logging, and then clicking Restart.

Configuring the certificate object for remote HSM key generation

Configure the certificate object for Venafi platform to access the HSM and use the HSM cryptographic objects.

To configure the certificate object for remote HSM key generation

Select the policy from the Policy tree.

Select the application that you have configured on the target machine.

a. Under Remote Generation Settings, expand the Private Key Location drop-down menu and select Gemalto SafeNet HSM.

b. Specify the key label in the Key Label field.

c. Click Save to save the application object.

d. Select Policy -> Settings -> Certificate.

e. Expand the Key Generation drop-down menu and select the HSM, and expand the Encryption Key drop-down menu and select the encryption key.

f. Click Save.

Add the certificate object.

Remote HSM key generation will not work with the self-signed CA template.

a. Right click on Policy and navigate to Add -> Certificates -> Certificate.

b. Specify the details of the certificate in the General Information tab.

c. Open the Management Type drop-down menu and select Provisioning.

d. Enable the Service Generated CSR radio button in the CSR Generation field.

e. Set Generate Key/CSR on Application to YES.

f. Fill out the details in the Subject DN tab.

g. Specify the key type in the Private Key tab.

h. In the Other Information tab, choose the CA Template.

i. Click Save.

The certificate generates with the Certificate Status OK.

Go to the application object where you want to associate the certificate. Under the Certificate section, choose the renewed certificate in the Associated Certificate field. Click Save.

Return to the certificate object and click Renew Now.

The certificate moves from OK to Queued for Renewal stage.

Wait a short period and click the Refresh Icon in the upper-right corner.

The certificate renews. Scroll down to see the details of the certificate.

After installation completes on the target machine, the status returns to OK.

Verify the certificate is installed on the application on the target machine and the keys are created on the HSM.

You can verify that the certificate is installed on the application of the target machine and that the keys were generated on the HSMoD service by executing partition contents in lunacm.

This completes the integration of Venafi Trust Protection Platform with an HSM on Demand Service.

Use Case 3: Venafi Code Signing

Venafi Code Signing allows you to store private code signing keys in the HSM. To use an HSM for code signing key storage, the HSM must first be connected to Trust Protection Platform. Once connected, the HSM becomes available as a key storage option when setting up code signing projects.

To facilitate authentication and code signing functions, Trust Protection Platform uses the following two endpoints:

  • vedauth
  • vedhsm

To configure code signing in Venafi Platform, complete the following steps:

Creating the HSM Connector

The HSM connector provides the HSM credential information to Venafi, allowing Venafi to access signing keys stored on the HSM. You create the HSM connector using the Venafi Configuration Console.

Ensure that the HSM service client is configured on the host system and that the HSMoD service is accessible over lunacm.

To create the HSM connector

Open the Venafi Configuration Console, and click on the Connectors node in the left pane under Venafi Configuration.

In the Actions panel, click Create HSM Connector.

If requested, enter the Venafi Trust Protection Platform administrator credentials.

The Create new HSM (Cryptoki) Connector screen displays.

a. Specify the name of the connector in the Name field.

b. Enter the location of the cryptoki.dll file in the Cryptoki DLL Path.

c. Specify the slot ID of the HSM partition in the Slot field.

To verify the slot ID for the HSMoD service, execute slot list in lunacm.

d. Open the User Type drop-down menu and select Crypto Officer (User).

e. Enter the Crypto Officer password in the Pin field.

f. Click Verify.

g. Select the check box: Allow Key Storage.

h. Click Apply and OK.

The HSM connector generates. Restart the Venafi services.

Assigning the Code Signing Administrator

The Administrators node allows you to view, assign, and delete Code Signing Administrator users. Add the Code Signing Administrator capability to an existing Venafi user.

To assign the Code Signing Administrator

Click the Administrators node in Venafi Configuration Console.

In the Actions panel, click Add Code Signing Administrator.

Search for the user you want to assign, and click Select.

Creating the Certificate Authority (CA) template

Each environment in a code signing project requires a CA template. You can create a self-signed CA template, a DigiCert CA template, or a Microsoft CA template.

Refer to the Venafi Documentation for detailed steps.

Creating the Signing Flow

Flows in Venafi Code Signing define the approvals that must be granted before a signing can take place using a given private key. Create the Venafi approval flow to define the required approvals for code signing.

To create the Signing Flow

In the Flows node, click Add a new Code Signing Flow in the Actions panel.

Specify the name of the flow and click Create.

Record the Signing Flow name; it is required for an upcoming procedure.

Configure the flow by adding Approvers. Refer to the Venafi Documentation for detailed steps.

Creating the Environment Template

Code Signing Environment Templates allow the Code Signing Administrator to suggest or require specific values to be used in code signing projects. Each project requires at least one environment.

To create the Environment Template

In the Venafi Code Signing node of the Venafi Configuration Console, select Environment Templates.

Click Add Template from the Actions panel.

Specify the name of the template.

The Development Properties wizard displays.

Under Settings, specify the Description, the Certificate Container, and the Signing Flow created in the previous procedure.

Under the Certificate Authority tab, specify the CA template created in the earlier procedure.

Under the Keys tab, select the RSA key length values you want to allow. This becomes the algorithm and key length that appear as part of the certificate.

Under the Key Storage tab, click on the drop-down menu and select the HSM Connector created in a previous procedure. Click Add.

You can specify additional details, such as the Subject Domain Name of the certificate, in the remaining tabs, but they are not required to complete the integration.

Installing and Configuring Venafi Cryptographic Service Provider (CSP)

The Venafi Cryptographic Service Provider (CSP) is the bridge between the workstation on which code signing operations take place and the Trust Protection Platform server, which stores and manages use of private code signing keys.

Install the Venafi CSP on every workstation where code will be signed using private keys managed by Venafi Trust Protection Platform. The Venafi CSP communicates with the Trust Protection Platform server over a TLS-encrypted REST API.

The Venafi CSP supports both CSP and KSP. The Venafi CSP only supports RSA certificates.

To install and configure the Venafi CSP

Obtain VenafiCSP-x64.msi.

Run the CSP installation file as the administrator on a client machine.

The CSP installation wizard opens.

Accept the license agreement, and click Next.

Select the location where you want the CSP to be installed, and then click Next.

Click Install.

On the Welcome screen, select whether you want to use an answer file for this installation. Click Next.

On the Before You Begin screen, verify that you have all the information you need to complete the installation.

On the Host URLs screen, enter the URL addresses for the Authentication Server and the HSM Server.

Authentication Server URL: https://<IP_address_of_Venafi_TPP>/vedauth

HSM Server URL: https://<IP_address_of_Venafi_TPP>/vedhsm

Click Next.

On the Access Authorization screen, enter your Trust Protection Platform user name and password. Check whether you want to enable access for the Current User only, Local Machine only, or both.

On the Configure CSP screen, determine the location where the configuration progress and errors will be logged.

Click Finish.

Creating the Code Signing Project

Code signing projects govern the use of private code signing keys. Code signing projects rely on settings defined in the Environment Template.

To create the Code Signing Project

Log in to Aperture by going to https://[IP_address_of_Venafi_TPP]/Aperture/codesigning.

Click on Add Project on the project list screen to open the project configuration wizard.

Enter a Project Name and Description.

Click Next.

Click the Add Environment card.

a. From the Environment Type drop-down, select the type of environment.

b. Click the Certificate Provider drop-down list, and select the certificate provider you want to associate with this environment. If only one certificate provider is assigned to this environment, that provider is automatically sealed and the drop-down is not editable.

c. In the Environment Name box, enter a name for this environment.

d. Ensure that the Key Storage location points to the HSM connector.

e. Complete the remaining fields as required.

f. Click Add.

Click Next.

Assign Users and Approvers to the project.

Click Next.

Optionally, if you want to restrict what signing applications are allowed to use this project, enter them in the Permitted Applications field.

Click Submit for Approval.

Approving the Code Signing Project

After a new code signing project is submitted for approval, the Code Signing Administrators receive an email informing them that a project is ready for review.

Code Signing Administrators should follow these steps to review and approve the code signing project.

To approve the code signing project

Sign into Aperture at https://[IP_address_of_Venafi_TPP]/Aperture/codesigning.

In the Code Signing menu, click Approvals > Pending Approvals.

Click Approve for the Code Signing Project created in the previous procedure.

This completes the configuration of the Venafi Code Signing Project.

Verify that the certificate is installed in the CAPI store on the target machine and that the keys are created on the HSM.

The certificate and project details are visible in the Venafi CSP Configuration Console and on the client machine.

Signing code using Venafi Code Signing

When a Key User or a Local Machine is issued a grant, the associated certificates that are permitted to be used by that user or machine are installed in the CAPI store. These certificates can be used by the signing applications as code signing certificates.

This section provides example commands to sign material using jarsigner and signtool.

Using jarsigner

Execute jarsigner to sign .jar files on the target machine using the installed Code Signing Certificate.

jarsigner.exe -storetype Windows-My -keystore NONE sample.jar -signedjar signedsample.jar CodeSigning

jar signed

Using signtool

Execute signtool to sign .exe or .dll files on the target machine using the installed Code Signing Certificate.


signtool sign /n "codesigning" sample.dll
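Once a grant has installed the certificates into the CAPI store, the following added PowerShell example (not from the Venafi or Thales documentation) reports which provider backs each code-signing private key, whether the key is exportable, and then signs and verifies a file through the chosen certificate. The subject pattern CN=codesigning* mirrors the signtool command above, and the provider-name pattern 'Venafi*' is an assumption about how the Venafi CSP/KSP registers itself; compare it with what the report actually prints.

```powershell
# Added example: inspect Venafi-provisioned code-signing certificates in the CAPI
# store, then sign and verify a file with one of them. The 'Venafi*' provider
# pattern and the 'CN=codesigning*' subject pattern are assumptions.

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-CodeSigningKeyReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku) } |
        ForEach-Object {
            $cert = $_
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # KSP-backed key: provider name and export policy come from the CNG handle
                $provider   = $rsa.Key.Provider.Provider
                $exportable = $rsa.Key.ExportPolicy -ne 'None'
                $kind       = 'KSP'
            } else {
                # Legacy CSP-backed key: provider name comes from the key container
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
                $kind       = 'CSP'
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                KeyKind    = $kind
                Provider   = $provider
                Exportable = $exportable              # expect $false for an HSM-held key
                HsmBacked  = $provider -like 'Venafi*' # assumed provider-name pattern
            }
        }
}

function Invoke-HsmCodeSign {
    param([Parameter(Mandatory)][string]$FilePath,
          [string]$SubjectPattern = 'CN=codesigning*')
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Subject -like $SubjectPattern } | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate matching $SubjectPattern in the CAPI store" }
    # The signature is computed through the Venafi CSP/KSP; the private key stays on the HSM.
    $null = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert -HashAlgorithm SHA256
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        throw "Signature check failed for ${FilePath}: $($sig.Status)"
    }
    $sig
}

Get-CodeSigningKeyReport | Format-Table -AutoSize
```

Run Invoke-HsmCodeSign -FilePath .\sample.dll after the report confirms the certificate's key is non-exportable and reported as HSM-backed.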