Read time: 30 minutes

Introduction and overview of the Test Lab

There are five computers/machines involved in this two-tier PKI hierarchy lab.

  1. There is one domain controller (DC01) that is also running Active Directory-integrated Domain Name Service (DNS). This computer will also provide the Lightweight Directory Access Protocol (LDAP) location for the CDP and the AIA point for the PKI configuration.
  2. One Standalone Offline Root CA (CA01).
  3. One Enterprise Issuing CA (CA02).
  4. One Web Server (SRV1) (HTTP CDP/AIA) and
  5. One Windows 10 (Win10) Client computer.
AD DS forest – encryptionconsulting.com
| Virtual Machine                | Roles                      | OS Type             | IP Address   | Subnet mask   | Preferred DNS server |
|-------------------------------|----------------------------|---------------------|--------------|---------------|----------------------|
| DC01.encryptionconsulting.com | DC & DNS – LDAP CDP/AIA    | Windows Server 2019 | 192.168.1.10 | 255.255.255.0 | 192.168.1.10         |
| CA01                          | Standalone Offline Root CA | Windows Server 2019 | NA           | NA            | NA                   |
| CA02.encryptionconsulting.com | Enterprise Issuing CA      | Windows Server 2019 | 192.168.1.12 | 255.255.255.0 | 192.168.1.10         |
| SRV1.encryptionconsulting.com | Web Server – HTTP CDP/AIA  | Windows Server 2019 | 192.168.1.13 | 255.255.255.0 | 192.168.1.10         |
| WIN10.encryptionconsulting.com | Windows Client Computer   | Windows 10          | 192.168.1.14 | 255.255.255.0 | 192.168.1.10         |

Major Steps

There are eight major steps in this step-by-step guide as listed below (each includes several sub-tasks).

  1. Install the Active Directory Forest
  2. Prepare the webserver for CDP and AIA publication
  3. Install the standalone offline root CA
  4. Perform post-installation configuration steps on the standalone offline root CA
  5. Install Subordinate Issuing CA
  6. Perform the post-installation configuration on the subordinate issuing CA
  7. Install and configure the online responder
  8. Verify the PKI hierarchy health

1. Active Directory Forest

Task 1: Install a new forest by using Server Manager

To install the EncryptionConsulting.com forest:

  1. Go to Portal.azure.com and log onto DC01 as DC01\Administrator.
  2. Open Server Manager. Select Start, click Administrative Tools and then click Server Manager.
  3. In the console tree, right-click Manage and then click Add Roles & Features.
  4. On the Before You Begin page, click Next.
  5. On the Select Installation Type page, click Role-based or feature-based installation.
  6. On the Server Selection page, select DC01 from the server pool and then click Next.
  7. On the Select Server Roles page, select Active Directory Domain Services. Click Next.
    1. If prompted by the Add Roles Wizard, click Add Required Features and then click Next.
  8. On the Features page, click Next.
  9. On the Active Directory Domain Services page, click Next.
  10. On the Confirm Installation Selections page, click Install.
  11. When completed, click the hyperlink Promote this server to a domain controller.
  12. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
  13. On the Deployment Configuration page, select Add a new forest. On the Specify Forest Root Domain page, in FQDN of the forest root domain, type EncryptionConsulting.com, and then click Next.
  14. On the Set Forest Functional Level page, in the Forest functional level drop-down menu, select Windows Server 2016 and then click Next.

On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode for tasks that must be performed offline.

DNS server is selected by default so that your forest DNS infrastructure can be created during AD DS installation. In our scenario we are going to use Active Directory-integrated DNS, so we have selected to install DNS.

  15. On the Additional Options page, click Next.

If no static IP address is assigned for the network adapter, a warning message appears advising you to set static addresses.

The wizard displays a message indicating that it cannot create a delegation for the DNS server. Click Yes to continue.

  16. On the Location for Database, Log Files, and SYSVOL page, click Next.
  17. On the Prerequisites Check page, review your selections and then click Install to install Active Directory Domain Services.
  18. Wait until the installation completes and the system restarts.

NOTE: If you are using Active Directory-integrated DNS, the IP address for the Preferred DNS server for the first domain controller in the forest is automatically set to the loopback address of 127.0.0.1. This helps assure that the IP address of the first domain controller will be resolved in DNS even if the static IP address of the server is changed. If you prefer to configure the actual IP address of the DNS server rather than the loopback address, then replace it with 192.168.1.10 after the restart.

Task 2 : HTTP Web Server: CDP and AIA Publication

  1. Log on to SRV1 as the local administrator.
  2. Click Start, type sysdm.cpl, and press ENTER. Click Change.
  3. In Member of, select Domain, and then type EncryptionConsulting.com. Click OK.
  4. In Windows Security, enter the user name and password for the domain administrator account. Click OK.
  5. You should be welcomed to the EncryptionConsulting domain. Click OK.
  6. When prompted that a restart is required, click OK. Click Close. Click Restart Now.

Task 3 : Install Web Server (IIS) Role

  1. Log on to SRV1.EncryptionConsulting.com as EncryptionConsu\Administrator. (Ensure that you switch user to log on as EncryptionConsu\Administrator.)
  2. Open Server Manager.
  3. Right-click on Roles and then select Add Roles.
  4. On the Before You Begin page, select Next.
  5. On the Select Installation Type page, select Role-based or feature-based installation.
  6. On the Select Destination Server page, select SRV1.EncryptionConsulting.com from the server pool, then click Next.
  7. On the Select Server Roles page, select Web Server (IIS) and then click Next.
  8. On the Select features page, click Next.
  9. On the Web Server (IIS) page, click Next.
  10. Leave the defaults on the Select Role Services page and then click Next.
  11. On the Confirm Installation Selections page, click Install.
  12. On the Installation Results page, click Close.

Task 5 : Create CertEnroll Folder and grant Share & NTFS Permissions to Cert Publishers group

  1. Log onto SRV1.EncryptionConsulting.com as EncryptionConsu\Administrator.
  2. Click Start and select Computer to open Windows Explorer, and then go to C:\.
  3. Create a folder called CertEnroll at the root of C:\.
  4. Right-click on the CertEnroll folder and select Properties.
  5. On the CertEnroll Properties page, select the Sharing tab to configure share permissions.
  6. Click on the Advanced Sharing option and then select Share this folder.
  7. Click on Permissions and then click Add.
  8. On the Select Users or Groups page, in Enter the object names to select, type EncryptionConsu\Cert Publishers, and then click OK.
  9. On the Permissions for CertEnroll dialog box, select the Cert Publishers group and then, in the Allow column, select Change. Click OK twice to go back to the CertEnroll Properties page.
  10. Select the Security tab and click Edit to configure NTFS permissions.
  11. On the Permissions for CertEnroll page, click Add.
  12. On the Select Users or Groups page, in Enter the object names to select, type EncryptionConsulting\Cert Publishers, and then click OK.
  13. On the Permissions for CertEnroll page, highlight the Cert Publishers group, and then under the Allow column select Modify. Click OK.
  14. On the CertEnroll Properties page, click OK.

Task 6 : Create CertEnroll Virtual Directory in IIS

  1. Ensure you are logged on to SRV1.EncryptionConsulting.com as EncryptionConsu\Administrator.
  2. Click Start, click Administrative Tools, and then select Internet Information Services (IIS) Manager.
  3. In the Connections pane, expand SRV1 and then expand Sites.
  4. Right-click on Default Web Site and select Add Virtual Directory.
  5. On the Add Virtual Directory page, in Alias, type CertEnroll. In Physical path, type C:\CertEnroll, and then click OK.
  6. In the Connections pane, under Default Web Site, ensure the CertEnroll virtual directory is selected.
  7. In the CertEnroll Home pane, double-click on Directory Browsing.
  8. In the Actions pane, click Enable.

Task 7: Enable Double Escaping on IIS Server

Allowing double escaping makes it possible for the webserver to host Delta CRLs.

  1. Ensure you are logged on to SRV1.EncryptionConsulting.com as EncryptionConsu\Administrator.
  2. Open a Command Prompt. To do so, click Start, click Run, and then type cmd. Click OK.
  3. Then type cd %windir%\system32\inetsrv and press ENTER.
  4. Type the following command and press ENTER:
     appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering -allowDoubleEscaping:True
  5. Restart the IIS service. To do so, type iisreset and press ENTER.

Task 8: Create CNAME (pki.EncryptionConsulting.com) in DNS

  1. Ensure that you are logged on to SRV1.EncryptionConsulting.com as EncryptionConsu\Administrator.
  2. Open the DNS console. You can do so by clicking Start, clicking Run, and then typing dnsmgmt.msc. Click OK.
  3. Expand Forward Lookup Zones, select and then right-click the EncryptionConsulting.com zone. Click New Alias (CNAME).
  4. In Alias name (uses parent domain if left blank), type PKI. In the Fully qualified domain name (FQDN) for the target host field, type SRV1.EncryptionConsulting.com. and then click OK.

Note – Include the terminating “.” in the FQDN in the previous step. In a production environment, this alias can resolve to a load balancer that distributes requests to any number of web servers that contain the CA certificates and CRLs.

Activity 2: Install the Standalone Offline Root CA

The standalone offline root CA should not be installed in the domain. As a matter of fact, it should not even be connected to a network at all.

Task 1: Create a CAPolicy.inf for the standalone offline root CA

To create a CAPolicy.inf for the standalone offline root CA:

  1. Log onto CA01 as CA01\Administrator.
  2. Click Start, click Run, and then type notepad C:\Windows\CAPolicy.inf and press ENTER.
  3. When prompted to create a new file, click Yes.
  4. Type in the following as the contents of the file.
    [Version]
    Signature="$Windows NT$"
    [Certsrv_Server]
    RenewalKeyLength=2048 ; recommended 4096
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=20
    AlternateSignatureAlgorithm=0
  5. Click File and Save to save the CAPolicy.inf file under the C:\Windows directory.

Warning: Save CAPolicy.inf with the .inf extension. If the file name does not end in .inf (for example, because Notepad appends .txt when Save as type is left at Text Documents), the file is saved as a text file and is not used during CA installation.

  6. Close Notepad.

NOTE: Make sure you change the computer name as “CA01”. Windows > Run > sysdm.cpl > Change the computer name and restart the machine.

Task 2: Installing the Standalone Offline Root CA

To install the standalone offline root CA:

  1. Log onto CA01 as CA01\Administrator.
  2. Click Start, click Administrative Tools, and then click Server Manager.
  3. Right-click on Roles and then click Add Roles.
  4. On the Before You Begin page, click Next.
  5. On the Installation Type page, choose Role-based or feature-based installation, and then click Next.
  6. On the Server Selection page, click Next.
  7. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.
  8. On the Select features page, click Next.
  9. On the Introduction to Active Directory Certificate Services page, click Next.
  10. On the Select Role Services page, ensure that Certification Authority is selected, and then click Next.
  11. On the Confirmation page, click Install.
  12. Click Configure Active Directory Certificate Services on the destination server.
  13. On the Specify Credentials to configure roles and services page, the credential should be CA01\Administrator; then click Next.
  14. On the Select Role Services to configure page, choose Certification Authority, and then click Next.
  15. On the Specify Setup Type page, ensure that Standalone is selected, and then click Next.
    • Note: The Enterprise option is greyed out because CA01 is not joined to an Active Directory domain.
  16. On the Specify CA Type page, ensure that Root CA is selected, and then click Next.
  17. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
  18. Leave the defaults on the Configure Cryptography for CA page, and then click Next.
    • Important: In a production environment, you would set the CSP, Hash Algorithm, and Key length to meet application compatibility requirements.
  19. On the Configure CA Name page, under Common name for this CA, clear the existing entry and type EncryptionConsulting Root CA. Click Next.
    • Note: A Distinguished Name Suffix is optional for a root CA. This will be configured in a later step.
  20. On the Set Validity Period page, under Select validity period for the certificate generated for this CA, clear the existing entry and then type 20. Leave the selection box set to Years. Click Next.
  21. Keep the default settings on the Configure Certificate Database page, and then click Next.
  22. On the Confirm Installation Selections page, review the settings, and then click Configure.
  23. Review the information on the Installation Results page to verify that the installation is successful and then click Close.

Activity 3: Perform Post Installation Configuration for Root CA

  1. Ensure that you are logged on to CA01 as CA01\Administrator.
  2. Open a command prompt. To do so, click Start, click Run, type cmd and then click OK.
  3. To define the Active Directory Configuration Partition Distinguished Name, run the following command from an administrative command prompt:
    • Certutil -setreg CA\DSConfigDN "CN=Configuration,DC=EncryptionConsulting,DC=com"
  4. To define the CRL Period Units and CRL Period, run the following commands from an administrative command prompt:
    • Certutil -setreg CA\CRLPeriodUnits 52
    • Certutil -setreg CA\CRLPeriod "Weeks"
    • Certutil -setreg CA\CRLDeltaPeriodUnits 0
  5. To define the CRL Overlap Period Units and CRL Overlap Period, run the following commands from an administrative command prompt:
    • Certutil -setreg CA\CRLOverlapPeriodUnits 12
    • Certutil -setreg CA\CRLOverlapPeriod "Hours"
  6. To define the Validity Period Units for all certificates issued by this CA, run the following commands from an administrative command prompt. In this lab, the Enterprise Issuing CA should receive a 10-year lifetime for its CA certificate:
    • Certutil -setreg CA\ValidityPeriodUnits 10
    • Certutil -setreg CA\ValidityPeriod "Years"

Task 1: Enable Auditing on the Root CA

CA auditing depends on system Audit Object Access to be enabled. The following instructions describe how to use the Local Security Policy to enable object access auditing.

  1. Click Start, click Administrative Tools, and then select Local Security Policy.
  2. Expand Local Policies and then select Audit Policy.
  3. Double-click Audit Object Access, select Success and Failure, and then click OK.
  4. Close the Local Security Policy editor.
  5. Enable auditing for the CA by selecting which group of events to audit in the Certification Authority MMC snap-in or by configuring the AuditFilter registry key. To configure auditing for all CA-related events, run the following command from an administrative command prompt:

Certutil -setreg CA\AuditFilter 127

Task 2: Configure the AIA and CDP

There are multiple different methods for configuring the Authority Information Access (AIA) and certificate revocation list distribution point (CDP) locations. You can use the user interface (in the Properties of the CA object), certutil, or directly edit the registry. The AIA is used to point to the public key for the certification authority (CA). The CDP is where the certificate revocation list is maintained, which allows client computers to determine if a certificate has been revoked. In this lab there will be three locations for the AIA and four locations for the CDP.

Task 3: Configure the AIA

Using a certutil command is a quick and common method for configuring the AIA. When you run the following certutil command, you will be configuring a static file system location, a lightweight directory access path (LDAP) location, and HTTP location for the AIA. The certutil command to set the AIA modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.EncryptionConsulting.com/CertEnroll/%1_%3%4.crt"

After you have run that command, run the following command to confirm your settings:

certutil -getreg CA\CACertPublicationURLs

If you look in the registry, under the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EncryptionConsulting Root CA, you can confirm the CACertPublicationURLs by opening that REG_MULTI_SZ value. You should see the following:

  1. C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
  2. ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
  3. http://pki.EncryptionConsulting.com/CertEnroll/%1_%3%4.crt

You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand the Certificate Authority (Local). Right-click EncryptionConsulting Root CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.

Task 4: Configure the CDP

The certutil command to set the CDP modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl"

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs

In the registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EncryptionConsulting Root CA, you can open the CRLPublicationURLs REG_MULTI_SZ value and see the configuration of these values:

  1. C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
  2. ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
  3. http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl

You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, ensure that Certificate Authority (Local) is expanded. Right-click EncryptionConsulting Root CA and then click Properties. On the Extensions tab, under Select extension, click CRL Distribution Point (CDP) and you will see the graphical representation of the CDP settings.

At an administrative command prompt, run the following commands to restart Active Directory Certificate Services and to publish the CRL:

net stop certsvc

net start certsvc

certutil -crl

Activity 4: Install Enterprise Issuing CA

Task 1: Join CA02 to the domain

To join CA02 to the domain:

  1. Log on to CA02 as the local administrator.
  2. Click Start, type sysdm.cpl, and press ENTER. Click Change.
  3. In the Computer name, type CA02 and then click OK.
  4. When prompted that you need to restart the computer, click OK. Click Close. Click Restart Now.
  5. After CA02 restarts, log on as a local administrator.
  6. Click Start, type sysdm.cpl, and press ENTER. Click Change.
  7. In Member of, select Domain, and then type EncryptionConsulting.com. Click OK.
  8. In Windows Security, enter the User name and password for the domain administrator account. Click OK.
  9. You should be welcomed to the EncryptionConsulting domain. Click OK.
  10. When prompted that a restart is required, click OK. Click Close. Click Restart Now.

Task 2: Create CAPolicy.inf for Enterprise Root CA

  1. Log onto CA02.EncryptionConsulting.com as EncryptionConsu\Administrator. (Ensure that you switch user to log on as EncryptionConsu\Administrator.)
  2. Click Start, select Run, and then type notepad C:\Windows\CAPolicy.inf and press ENTER.
  3. When prompted to create a new file, click Yes.
  4. Type in the following as the content of the file.
    [Version]
    Signature="$Windows NT$"
    [PolicyStatementExtension]
    Policies=InternalPolicy
    [InternalPolicy]
    OID=1.2.3.4.1455.67.89.5
    URL=http://pki.EncryptionConsulting.com/cps.txt
    [Certsrv_Server]
    RenewalKeyLength=2048
    RenewalValidityPeriod=Years
    RenewalValidityPeriodUnits=10
    LoadDefaultTemplates=0
    AlternateSignatureAlgorithm=0
  5. Click File and Save to save the CAPolicy.inf file under the C:\Windows directory. Important: Ensure that the CAPolicy.inf is saved as a .inf file. The file will not be used if it is saved with any other file extension.
  6. Close Notepad.

Task 3: Publish the Root CA Certificate and CRL

  1. Ensure you are logged on to CA02.EncryptionConsulting.com as EncryptionConsu\Administrator.
  2. Copy the Root CA certificate (CA01_EncryptionConsulting Root CA.crt) and Root CA CRL (EncryptionConsulting Root CA.crl) files from the C:\Windows\System32\CertSrv\CertEnroll directory on the CA01 server to removable media (A:).
  3. On CA02, to publish the EncryptionConsulting Root CA certificate and CRL in Active Directory, run the following commands at an administrative command prompt. Ensure that you substitute the correct drive letter of your removable media (for A:) in the commands that follow:
    • certutil -f -dspublish "A:\CA01_EncryptionConsulting Root CA.crt" RootCA
    • certutil -f -dspublish "A:\EncryptionConsulting Root CA.crl" CA01
  4. To publish the EncryptionConsulting Root CA certificate and CRL to http://pki.EncryptionConsulting.com/CertEnroll, copy them to the \\SRV1.EncryptionConsulting.com\C$\CertEnroll directory. Run the following commands from an administrative command prompt. Ensure that you substitute the correct drive letter of your removable media (for A:):
    • copy "C:\CA01_EncryptionConsulting Root CA.crt" \\SRV1.EncryptionConsulting.com\C$\CertEnroll
    • copy "C:\EncryptionConsulting Root CA.crl" \\SRV1.EncryptionConsulting.com\C$\CertEnroll
  5. To add the EncryptionConsulting Root CA certificate and CRL to the CA02.EncryptionConsulting.com local store, run the following commands from an administrative command prompt. Ensure that you substitute the correct drive letter of your removable media (for A:) in the commands that follow:
    • certutil -addstore -f root "CA01_EncryptionConsulting Root CA.crt"
    • certutil -addstore -f root "EncryptionConsulting Root CA.crl"

Activity 5: Install Subordinate Issuing CA

Subordinate issuing CA on CA02.EncryptionConsulting.com

  1. Ensure that you are logged on to CA02.EncryptionConsulting.com as EncryptionConsu\Administrator.
  2. Open Server Manager.
  3. Right-click Roles and then select Add Roles.
  4. On the Before You Begin page, select Next.
  5. On the Installation Type page, choose Role-based or feature-based installation, and then click Next.
  6. On the Server Selection page, click Next.
  7. On the Select Server Roles page, select Active Directory Certificate Services, and then click Next.
  8. On the Select features page, click Next.
  9. On the Introduction to Active Directory Certificate Services page, click Next.
  10. On the Select Role Services page, select Certification Authority and Certification Authority Web Enrollment. If you see the Add Roles Wizard, click Add Required Role Services. Click Next.
  11. On the Web Server Role (IIS) page, click Next.
  12. Leave the Role Services as default and click Next.
  13. On the Confirmation page, review the details and click Install.
  14. Click Configure Active Directory Certificate Services on the destination server.
  15. On the Specify Credentials to configure roles and services page, the credential should be EncryptionConsu\Administrator; then click Next.
  16. On the Select Role Services to configure page, select Certification Authority and Certification Authority Web Enrollment, then click Next.
  17. On the Specify Setup Type page, ensure that Enterprise is selected, and then click Next.
  18. On the Specify CA Type page, select Subordinate CA and then click Next.
  19. On the Set Up Private Key page, ensure that Create a new private key is selected, and then click Next.
  20. Leave the defaults on the Configure Cryptography for CA page, then click Next.
    • Important: When installing in a production environment, the CSP, Hash Algorithm and Key length selected must support application compatibility requirements.
  21. On the Configure CA Name page, clear the existing entry in the Common name for this CA box, enter EncryptionConsulting Issuing CA, and then select Next.
    • Note: The Distinguished Name Suffix is automatically populated and should not be modified.
  22. On the Request certificate from a parent CA page, select the Save a certificate request to file on the target machine option, then click Next.
  23. Leave the defaults on the Configure Certificate Database page, and then click Next.
  24. On the Confirm Installation Selections page, click Configure.
  25. Review the information on the Installation Results page to verify that the installation is successful and then click Close.
    • The following warning message is expected: "The Active Directory Certificate Services installation is incomplete. To complete the installation, use the requested file "C:\CA02.EncryptionConsulting.com_EncryptionConsulting-CA02-CA.req" to obtain a certificate from the parent CA. Then, use the Certification Authority snap-in to install the certificate. To complete this procedure, right-click the node with the name of the CA, and then click Install CA Certificate. The operation was completed successfully. 0x0 (WIN32: 0)."
  26. Copy C:\CA02.EncryptionConsulting.com_EncryptionConsulting-CA02-CA.req to your removable media. For example, to copy to a floppy disk drive using the drive letter A:, run the following command from a command prompt:
    copy "C:\CA02.EncryptionConsulting.com_EncryptionConsulting-CA02-CA.req" A:\

Task 1: Submit the Request and Issue Encryption Consulting Issuing CA Certificate

To submit the certificate request and issue the requested certificate:

    1. Ensure that you are logged on to CA01 as CA01\Administrator. Place the removable media with the certificate request into CA01.
    2. On CA01, open an administrative command prompt. Then submit the request using the following command (assuming that A: is your removable media drive letter):
      • certreq -submit "A:\CA02.EncryptionConsulting.com_EncryptionConsulting-CA02-CA.req"
      • Note: Pay attention to the RequestID number that is displayed after you submit the request. You will use this number when retrieving the certificate.
    3. In the Certification Authority List dialog box, ensure that EncryptionConsulting Root CA is selected and then click OK.
    4. Open the Certification Authority console. To do so, click Start, click Administrative Tools, and click Certification Authority.
    5. In the certsrv [Certification Authority (Local)] dialog box, in the console tree, expand EncryptionConsulting Root CA.
    6. Click Pending Requests. In the details pane, right-click the request you just submitted, click All Tasks, and then click Issue.
    7. Return to the administrative command prompt and retrieve the issued certificate by running the following command. Ensure that you substitute the appropriate drive letter of your removable media for A: as well as the correct RequestID for 2:
      • certreq -retrieve 2 "A:\CA02.EncryptionConsulting.com_EncryptionConsulting-CA02-CA.crt"
    8. In the Certification Authority List dialog box, ensure that EncryptionConsulting Root CA is selected and then click OK.

Task 2: Install the Encryption Consulting Issuing CA Certificate on CA02

To install the certificate and start the Certification Authority service on CA02:

    1. Ensure that you are logged on to CA02.EncryptionConsulting.com as EncryptionConsu\Administrator. Place the removable media with the issued certificate for CA02.EncryptionConsulting.com into CA02.
    2. Open the Certification Authority console.
    3. In the Certification Authority console tree, right-click EncryptionConsulting Issuing CA, and then click Install CA Certificate.
    4. In the Select file to complete CA installation dialog box, navigate to your removable media. Ensure that you are displaying All Files (*.*) and click the CA02.EncryptionConsulting.com_EncryptionConsulting-CA02-CA certificate. Click Open.
    5. In the console tree, right-click EncryptionConsulting Issuing CA, click All Tasks, and then click Start Service.
    6. In the console tree, expand EncryptionConsulting Issuing CA and then click Certificate Templates. Notice that there are no certificate templates shown in the details pane. This is because the CAPolicy.inf specified not to install the default templates with the line LoadDefaultTemplates=0.

Activity 6: Perform Post Installation Configuration Tasks on the Subordinate Issuing CA

There are multiple settings to configure to complete the installation of the issuing CA. These are similar to the tasks that were needed to complete the configuration of the root CA.

Task 1: Configure Certificate Revocation and CA Certificate Validity Periods

To configure certificate revocation and CA certificate validity periods:

    1. Ensure that you are logged on to CA02.EncryptionConsulting.com as EncryptionConsu\Administrator.
    2. Configure the CRL and Delta CRL settings by running the following commands from an administrative command prompt:
      • Certutil -setreg CA\CRLPeriodUnits 1
      • Certutil -setreg CA\CRLPeriod "Weeks"
      • Certutil -setreg CA\CRLDeltaPeriodUnits 1
      • Certutil -setreg CA\CRLDeltaPeriod "Days"
    3. Define the CRL overlap settings by running the following commands from an administrative command prompt:
      • Certutil -setreg CA\CRLOverlapPeriodUnits 12
      • Certutil -setreg CA\CRLOverlapPeriod "Hours"
    4. The default setting for the Validity Period in the registry is 2 years. Adjust this setting to match the lifetime you need for end-entity certificates issued from EncryptionConsulting Issuing CA. It is recommended that you do not configure validity periods longer than half of the total lifetime of the EncryptionConsulting Issuing CA certificate, which was issued to be valid for 10 years. To limit issued certificates to 5 years, run the following commands from an administrative command prompt:
      • Certutil -setreg CA\ValidityPeriodUnits 5
      • Certutil -setreg CA\ValidityPeriod "Years"

Task 2: Enable Auditing on the Issuing CA

CA auditing depends on system Audit Object Access to be enabled. The following instructions describe how to use the Local Security Policy to enable object access auditing.

    1. Click Start, click Administrative Tools, and then select Local Security Policy.
    2. Expand Local Policies and then select Audit Policy.
    3. Double-click Audit Object Access, select Success and Failure, and then click OK.
    4. Close the Local Security Policy editor.
    5. Enable auditing for the CA by selecting which group of events to audit in the Certification Authority MMC snap-in or by configuring the AuditFilter registry key. To configure auditing for all CA-related events, run the following command from an administrative command prompt:
      • Certutil -setreg CA\AuditFilter 127

Task 3: Configure the AIA

Using a certutil command is a quick and common method for configuring the AIA. The following certutil command configures a static file system location, a Lightweight Directory Access Protocol (LDAP) location and an HTTP location for the AIA. The number in front of each location is a bit mask of the options shown on the Extensions tab: 1 publishes the CA certificate to that location and 2 includes the location in the AIA extension of issued certificates. The certutil command to set the AIA modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.EncryptionConsulting.com/CertEnroll/%1_%3%4.crt"

After you have run that command, run the following command to confirm your settings:

certutil -getreg CA\CACertPublicationURLs

If you look in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EncryptionConsulting Issuing CA, you can confirm the setting by opening the CACertPublicationURLs REG_MULTI_SZ value. You should see the following entries:

    1. 1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt
    2. 2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11
    3. 2:http://pki.EncryptionConsulting.com/CertEnroll/%1_%3%4.crt

You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, expand Certification Authority (Local). Right-click EncryptionConsulting Issuing CA and then click Properties. On the Extensions tab, under Select extension, click Authority Information Access (AIA) and you will see the graphical representation of the AIA settings.

From an administrative command prompt, run the following command to copy the EncryptionConsulting Issuing CA certificate to the HTTP AIA location on SRV1:

copy "c:\Windows\System32\certsrv\certenroll\CA02.EncryptionConsulting.com_EncryptionConsulting Issuing CA.crt" \\srv1.EncryptionConsulting.com\c$\certenroll

Task 4: Configure the CDP

The certutil command to set the CDP modifies the registry, so ensure that you run the command from a command prompt run as Administrator. Run the following command:

certutil -setreg CA\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n6:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl\n65:\\srv1.EncryptionConsulting.com\CertEnroll\%3%8%9.crl"

The number in front of each location is a bit mask of the options shown on the Extensions tab: 1 publishes base CRLs to the location, 2 includes the location in the CDP extension of issued certificates, 4 includes it in CRLs so that clients can find delta CRLs, 8 includes it in all CRLs (the Active Directory publication location) and 64 publishes delta CRLs to the location. So 65 means publish base and delta CRLs to the location without advertising it, 6 means advertise the location to clients in certificates and CRLs without publishing to it, and 79 combines all of these for the Active Directory location.

After you run that command, run the following certutil command to verify your settings:

certutil -getreg CA\CRLPublicationURLs

In the registry, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\EncryptionConsulting Issuing CA, you can open the CRLPublicationURLs REG_MULTI_SZ value and see these entries:

    1. 65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl
    2. 79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
    3. 6:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl
    4. 65:\\srv1.EncryptionConsulting.com\CertEnroll\%3%8%9.crl

You can also see this in the CA (certsrv) console. To open the console, click Start, click Administrative Tools, and then click Certification Authority. In the navigation pane, ensure that Certification Authority (Local) is expanded. Right-click EncryptionConsulting Issuing CA and then click Properties. On the Extensions tab, under Select extension, click CRL Distribution Point (CDP) and you will see the graphical representation of the CDP settings.

At an administrative command prompt, run the following commands to restart Active Directory Certificate Services and to publish the CRL.

net stop certsvc && net start certsvc

certutil -crl
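The following PowerShell script is an added example, not part of the original guide, covering Tasks 3 and 4 together. It reads the CACertPublicationURLs and CRLPublicationURLs values from the CA's registry key, decodes the flag bits in front of each URL into the Extensions-tab meaning, expands the %-tokens the way the CA does for the file and HTTP locations, and then sends an HTTP HEAD request to the CA certificate, base CRL and delta CRL URLs that clients will actually fetch. It assumes an elevated PowerShell session on CA02 with network access to pki.EncryptionConsulting.com; the server and CA names default to the lab values and can be overridden as parameters.

```powershell
# Added example (not part of the original guide): decode and probe the Issuing CA's
# AIA/CDP publication URLs. Run elevated on CA02; names default to the lab values.
param(
    [string]$ServerDns = 'CA02.EncryptionConsulting.com',     # %1 in the URL templates
    [string]$CaName    = 'EncryptionConsulting Issuing CA'    # %3 (and %7) in the URL templates
)

# Bit meanings of the number in front of each URL, as shown on the Extensions tab.
$AiaFlags = [ordered]@{
    1  = 'Publish the CA certificate to this location'
    2  = 'Include in the AIA extension of issued certificates'
    32 = 'Include in the OCSP extension of issued certificates'
}
$CdpFlags = [ordered]@{
    1   = 'Publish base CRLs to this location'
    2   = 'Include in the CDP extension of issued certificates'
    4   = 'Include in CRLs so clients can find delta CRLs'
    8   = 'Include in all CRLs (Active Directory publication location)'
    64  = 'Publish delta CRLs to this location'
    128 = 'Include in the IDP extension of issued CRLs'
}

function Get-CaPublicationUrl {
    # Returns one object per entry of the CA\<ValueName> REG_MULTI_SZ value.
    param([string]$ValueName, [System.Collections.IDictionary]$FlagTable)
    $cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active  = (Get-ItemProperty $cfgRoot).Active              # CA running on this server
    $entries = (Get-ItemProperty "$cfgRoot\$active").$ValueName
    foreach ($entry in $entries) {
        $flagText, $url = $entry -split ':', 2                 # "65:C:\Windows\..." -> 65, "C:\Windows\..."
        $flags   = [int]$flagText
        $meaning = foreach ($bit in $FlagTable.Keys) { if ($flags -band $bit) { $FlagTable[$bit] } }
        [pscustomobject]@{ Flags = $flags; Url = $url; Meaning = ($meaning -join '; ') }
    }
}

function Expand-CaUrlToken {
    # Expands the %n tokens used in the file and HTTP URLs of this guide. %4 (CertificateName)
    # and %8 (CRLNameSuffix) are empty until the CA certificate is renewed; %9 is '+' for delta CRLs.
    # LDAP-only tokens (%6, %10, %11) are left untouched.
    param([string]$Url, [string]$DeltaMarker = '')
    $tokens = @{ '1' = $ServerDns; '2' = $ServerDns.Split('.')[0]; '3' = $CaName; '7' = $CaName
                 '4' = ''; '8' = ''; '9' = $DeltaMarker }
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        if ($tokens.ContainsKey($m.Groups[1].Value)) { $tokens[$m.Groups[1].Value] } else { $m.Value }
    }.GetNewClosure()
    [regex]::Replace($Url, '%(\d+)', $evaluator)
}

function Test-CaHttpUrl {
    # HEAD request against an expanded URL; IIS must answer 200 for clients to build the chain.
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Reachable = $true;  Status = $resp.StatusCode;        Url = $Url }
    } catch {
        [pscustomobject]@{ Reachable = $false; Status = $_.Exception.Message; Url = $Url }
    }
}

$aia = Get-CaPublicationUrl -ValueName 'CACertPublicationURLs' -FlagTable $AiaFlags
$cdp = Get-CaPublicationUrl -ValueName 'CRLPublicationURLs'    -FlagTable $CdpFlags
$aia | Format-Table Flags, Url, Meaning -Wrap
$cdp | Format-Table Flags, Url, Meaning -Wrap

# Probe what a client sees: the CA certificate, the base CRL and the delta CRL.
$checks  = @(foreach ($u in ($aia | Where-Object { $_.Url -like 'http://*' })) { Test-CaHttpUrl (Expand-CaUrlToken $u.Url) })
$checks += @(foreach ($u in ($cdp | Where-Object { $_.Url -like 'http://*' })) {
    Test-CaHttpUrl (Expand-CaUrlToken $u.Url)                    # base CRL:  ...Issuing CA.crl
    Test-CaHttpUrl (Expand-CaUrlToken $u.Url -DeltaMarker '+')   # delta CRL: ...Issuing CA+.crl
})
$checks | Format-Table Reachable, Status, Url -AutoSize
if ($checks | Where-Object { -not $_.Reachable }) { Write-Warning 'At least one HTTP AIA/CDP location is not reachable.' }
```

A result where the base CRL answers 200 but the delta CRL (the name ending in +.crl) returns 404 is almost always IIS request filtering on SRV1: the plus sign in the delta CRL file name is rejected unless double escaping is allowed for the CertEnroll site, so check that setting on the web server before looking at the CA.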

Activity 7: Install and Configure the Online Responder Role Service

Task 1: Install the Online Responder Role Service on SRV1

      1. Ensure that you are logged on to SRV1.EncryptionConsulting.com as EncryptionConsu\Administrator.
      2. Open Server Manager.
      3. Click Manage, and then click Add Roles and Features.
      4. On the Before You Begin page, click Next.
      5. On the Select Installation Type page, select Role-based or feature-based installation and then click Next.
      6. On the Server Selection page, click Next.
      7. On the Select Server Roles page, select Active Directory Certificate Services and then click Next.
      8. On the Features page, click Next.
      9. On the Introduction to Active Directory Certificate Services page, click Next.
      10. On the Select Role Services page, clear Certification Authority, and then select Online Responder. Click Next.
        • Note: You do not want to install a Certification Authority on SRV1.EncryptionConsulting.com, so you are clearing that checkbox.
        • If the Add role services and features required for Online Responder page appears, click Add Required Role Services and then click Next. Then, on the Web Server (IIS) page, click Next.
      11. On the Confirm Installation Selections page, click Install. Click Close when the installation is complete.
      12. Click Configure Active Directory Certificate Services on the destination server. On the Credentials page, make sure EncryptionConsu\Administrator is shown, and then click Next.
      13. On the Select Role Services to Configure page, select Online Responder and click Next.
      14. On the Confirmation page, verify the details and click Configure. Click Close when configuration is complete.

Task 2: Add the OCSP URL to the Encryption Consulting Issuing CA

To add the OCSP URL to the EncryptionConsulting Issuing CA:

      1. Ensure that you are logged on to CA02.EncryptionConsulting.com as EncryptionConsu\Administrator.
      2. In the Certification Authority console, in the console tree, right-click EncryptionConsulting Issuing CA, and then click Properties.
      3. On the Extensions tab, under Select extension, select Authority Information Access (AIA), and then click Add.
      4. In Location, type http://srv1.EncryptionConsulting.com/ocsp, and then click OK.
      5. Select Include in the online certificate status protocol (OCSP) extension.
        • Note: A common misconfiguration is to select both checkboxes for this location, which is incorrect. The Include in the AIA extension of issued certificates checkbox advertises a location for downloading the issuing CA certificate, which the OCSP URL is not. Ensure that Include in the online certificate status protocol (OCSP) extension is the only checkbox selected for the OCSP URL.
      6. Click OK. When prompted by the Certification Authority dialog box to restart Active Directory Certificate Services, click Yes.

Important: The EncryptionConsulting Issuing CA will now include the http://srv1.EncryptionConsulting.com/ocsp URL in the Authority Information Access (AIA) extension of all newly issued, renewed or re-enrolled certificates. Certificates enrolled from the EncryptionConsulting Issuing CA before this change will not contain this URL.

Task 3: Configure and Publish the OCSP Response Signing Certificate on the Encryption Consulting Issuing CA

To configure the OCSP response signing certificate:

      1. On CA02.EncryptionConsulting.com, ensure that you are logged on as EncryptionConsu\Administrator.
      2. In the Certification Authority console, ensure that EncryptionConsulting Issuing CA is expanded in the console tree.
      3. Right-click Certificate Templates and then click Manage. The Certificate Templates console opens and displays the certificate templates stored in Active Directory.
      4. In the details pane (middle pane) right-click OCSP Response Signing and then click Properties.
      5. On the Security tab click Add. Click Object Types.
      6. In the Object Types dialog box, select Computers and then click OK.
      7. In Enter the object names to select, type SRV1 and then click Check Names. Click OK.
      8. Ensure that SRV1 is selected and in the Allow column, ensure that the Read and Enroll permissions are selected. Click OK.
      9. Close Certificate Templates MMC console.
      10. In certsrv console, right-click Certificate Templates, then select New and then select Certificate Template to Issue.
      11. In the Enable Certificate Templates dialog box, click OCSP Response Signing and the click OK.

Task 4: Configure Revocation Configuration on the Online Responder

To configure the revocation configuration:

      1. On SRV1.EncryptionConsulting.com, ensure that you are logged on as EncryptionConsu\Administrator.
      2. Open Server Manager, click Tools, and then click Online Responder Management.
      3. Right-click Revocation Configuration and then click Add Revocation Configuration.
      4. On the Getting Started with Adding a Revocation Configuration page, click Next.
      5. In Name, type EncryptionConsulting Issuing CA, and then click Next.
      6. On the Select CA Certificate Location page, ensure that Select a certificate for an existing enterprise CA is selected, and then click Next.
      7. On the Choose CA Certificate page, ensure that Browse CA certificates published in Active Directory is selected, and then click Browse.
      8. In the Select Certification Authority dialog box, ensure that EncryptionConsulting Issuing CA is selected, and then click OK. Click Next.
      9. Leave the defaults on the Select Signing Certificate page, and then click Next.
      10. On the Revocation Provider page, click Provider.
      11. Review the LDAP and HTTP locations listed for the Online Responder to download CRLs from.
        • Note: Depending on your needs, you could select either the LDAP or the HTTP location as the primary location from which the Online Responder downloads CRLs. You can change the order of the LDAP and HTTP URLs using Move Up or Move Down. Leave the defaults as they appear.
      12. Clear Refresh CRLs based on their validity periods. In the Update CRLs at this refresh interval (min) box, type 15 and then click OK. Click Finish.
        • Note: Downloading CRLs at a faster rate than their normal expiration lets the Online Responder pick up a newly published CRL (for example after an emergency revocation) instead of answering from the last downloaded CRL until it expires. Production needs may differ from the value chosen here.
      13. In the Online Responder console, expand Array Configuration and then click SRV1.
      14. Review Revocation Configuration Status in the middle pane to ensure that a signing certificate is present and the status reports OK. The provider is successfully using the current configuration.

Task 5: Configure Group Policy to Provide the OCSP URL for the EncryptionConsulting Issuing CA

This configuration is only needed so that existing certificate holders can take advantage of the new OCSP responder without re-enrolling for certificates that carry the OCSP URL. Group Policy attaches the URL to the Issuing CA certificate in the Intermediate Certification Authorities store of every domain computer, and clients then use it for all certificates issued by that CA.

      1. Ensure that you are logged on to DC01.EncryptionConsulting.com as EncryptionConsu\Administrator.
      2. Open an administrative command prompt and run the following commands to save the EncryptionConsulting Issuing CA certificate to C:\EncryptionConsultingissuingca.cer:
        • cd \
        • certutil -config "ca02.EncryptionConsulting.com\EncryptionConsulting Issuing CA" -ca.cert EncryptionConsultingissuingca.cer
      3. Click Start, click Run, type gpmc.msc, and then press ENTER.
      4. Expand Forest, expand Domains, expand EncryptionConsulting.com, and then expand Group Policy Objects.
      5. Right-click Default Domain Policy, and then click Edit.
      6. Under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
      7. Right-click Intermediate Certification Authorities, and then click Import.
      8. On the Welcome to the Certificate Import Wizard page, click Next.
      9. In File name, type C:\EncryptionConsultingissuingca.cer, and then click Next.
      10. On the Certificate Store page, click Next.
      11. On the Completing the Certificate Import Wizard page, click Finish, and then click OK.
      12. In the console tree, select Intermediate Certification Authorities.
      13. In the details pane, right-click the EncryptionConsulting Issuing CA certificate, and then click Properties.
      14. On the OCSP tab, in Add URL, type http://srv1.EncryptionConsulting.com/ocsp, and then click Add URL. Click OK.
      15. Close the Group Policy Management Editor and then close the Group Policy Management console.

Activity 8: Verify the PKI Hierarchy Health

Task 1: Win10

      1. Log on to WIN10 as the local administrator.
      2. Click Start, type sysdm.cpl, and press ENTER. Click Change. (Ensure that the computer name is already set to WIN10; otherwise, change it.)
      3. Under Member of, select Domain, type EncryptionConsulting.com, and then click OK.
      4. In Windows Security, enter the user name and password of the domain administrator account. Click OK.
      5. You should be welcomed to the EncryptionConsulting domain. Click OK.
      6. When prompted that a restart is required, click OK. Click Close. Click Restart Now.

Task 2: Check PKI Health with Enterprise PKI

To use the Enterprise PKI console to check PKI health:

      1. On CA02.EncryptionConsulting.com, ensure that you are logged on as EncryptionConsu\Administrator.
      2. Open the Enterprise PKI console by running pkiview.msc from an administrative command prompt.
      3. Right-click Enterprise PKI and then click Manage AD Containers.
      4. On the NTAuthCertificates tab, verify that the EncryptionConsulting Issuing CA certificate appears with a status of OK.
      5. On the AIA Container tab, verify that both the EncryptionConsulting Root CA and the EncryptionConsulting Issuing CA certificates are present with a status of OK.
      6. On the CDP Container tab, verify that the EncryptionConsulting Root CA base CRL, the EncryptionConsulting Issuing CA base CRL and the EncryptionConsulting Issuing CA delta CRL are present with a status of OK.
      7. On the Certification Authorities Container tab, verify that the EncryptionConsulting Root CA certificate is present with a status of OK.
      8. On the Enrollment Services Container tab, verify that the EncryptionConsulting Issuing CA certificate is present with a status of OK.

Task 3: Configure Certificate Distribution on the Encryption Consulting Issuing CA

To publish a certificate for computers in the enterprise:

      1. On CA02.EncryptionConsulting.com, ensure that you are logged on as EncryptionConsu\Administrator.
      2. In the Certification Authority console, ensure that EncryptionConsulting Issuing CA is expanded.
      3. Right-click Certificate Templates, select New, and then select Certificate Template to Issue.
      4. In the Enable Certificate Templates dialog box, click Workstation Authentication, and then click OK.

Task 4: Obtain a Certificate Using WIN10 and Verify PKI Health

To obtain a certificate for WIN10 and verify PKI health:

      1. Log on to WIN10.EncryptionConsulting.com as EncryptionConsu\Administrator. (Ensure that you switch user to log on as EncryptionConsu\Administrator.)
      2. Click Start, type mmc, and then press ENTER.
      3. Click File, and then click Add/Remove Snap-in.
      4. Click Certificates, then click Add. Select Computer account, and then click Finish. Click OK.
      5. Expand Certificates, right-click Personal, click All Tasks, and then click Request New Certificate.
      6. On the Before You Begin page, click Next.
      7. On the Select Certificate Enrollment Policy page, click Next.
      8. Select Workstation Authentication, and click Enroll. When the certificate is enrolled, click Finish.
      9. In the console tree, expand Personal, and click Certificates. In the details pane, right-click the certificate issued to WIN10.EncryptionConsulting.com, click All Tasks, and then click Export.
      10. On the Welcome to the Certificate Export Wizard page, click Next.
      11. On the Export Private Key page, click Next. (No, do not export the private key is selected by default.)
      12. On the Export File Format page, click Next. (DER encoded binary X.509 (.CER) is the default selection.)
      13. On the File to Export page, type C:\win10, and then click Next.
      14. On the Completing the Certificate Export Wizard page, click Finish, and then click OK.
      15. Open a command prompt and run the following commands. (To open a command prompt, click Start, type cmd, and then press ENTER.)
        • cd \
        • certutil -URL C:\win10.cer
      16. In the URL Retrieval Tool, in the Retrieve section, perform the following steps:
        • Select OCSP (from AIA) and then click Retrieve. Confirm that the status shows Verified.
        • Select CRLs (from CDP) and then click Retrieve. Confirm that the status shows Verified.
        • Select Certs (from AIA) and then click Retrieve. Confirm that the status shows Verified.
      17. Click Exit to close the URL Retrieval Tool.
      18. From a command prompt, run the following command to thoroughly verify certificate chain retrieval and revocation status:
        • certutil -verify -urlfetch C:\win10.cer
      19. Review the output and make sure that chain retrieval and revocation status are successfully verified for every certificate in the chain.
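The following PowerShell script is an added example, not part of the original guide. It performs Task 4 without the MMC: it enrolls WIN10 for the Workstation Authentication certificate with Get-Certificate, exports it to C:\win10.cer, runs certutil -verify -urlfetch and turns the tool's Verified/Failed lines and exit code into an object, so that a failed AIA, CDP or OCSP fetch is reported rather than buried in the output. It assumes an elevated PowerShell session on WIN10.EncryptionConsulting.com after Task 3 has made the template available. The template is requested by its internal name, Workstation (its display name is Workstation Authentication).

```powershell
# Added example (not part of the original guide): enroll, export and verify the WIN10
# certificate from the command line. Run elevated on WIN10 after Task 3.
$exportPath = 'C:\win10.cer'

$enrol = Get-Certificate -Template 'Workstation' -CertStoreLocation Cert:\LocalMachine\My
if ($enrol.Status -ne 'Issued') { throw "Enrollment did not complete: status is $($enrol.Status)" }
Export-Certificate -Cert $enrol.Certificate -FilePath $exportPath -Type CERT | Out-Null

function Test-CertChain {
    # Runs certutil -verify -urlfetch, which fetches every AIA, CDP and OCSP URL in the chain,
    # and turns its "Verified"/"Failed" lines and exit code into an object you can act on.
    param([string]$Path)
    $lines = certutil -verify -urlfetch $Path 2>&1 | ForEach-Object { "$_" }
    $exit  = $LASTEXITCODE
    $fetches = foreach ($line in $lines) {
        if ($line -match '^\s*(Verified|Failed)\s+"([^"]+)"') {
            [pscustomobject]@{ Result = $Matches[1]; Object = $Matches[2] }
        }
    }
    [pscustomobject]@{
        Path            = $Path
        ChainVerified   = ($exit -eq 0)
        FailedFetches   = @($fetches | Where-Object Result -eq 'Failed' | ForEach-Object Object)
        RevocationLines = @($lines | Where-Object { $_ -match 'revocation' })
        Output          = $lines
    }
}

$check = Test-CertChain -Path $exportPath
$check | Select-Object Path, ChainVerified, FailedFetches, RevocationLines | Format-List
if (-not $check.ChainVerified -or $check.FailedFetches.Count -gt 0) {
    Write-Warning 'Chain building or revocation retrieval failed; inspect $check.Output for the URL that did not respond.'
}
```

The same Test-CertChain function can be pointed at any exported certificate, so it is a convenient smoke test to keep after the lab: run it against a freshly issued certificate whenever the CDP, AIA or OCSP configuration changes, and treat any entry in FailedFetches as a broken revocation path that clients will also hit.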

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.


Read time: 10 minutes

In this discussion whiteboard, we discuss what the code signing process is, what the benefits of using code signing certificates for your software/code security are, and what makes code signing certificates the best security solution for developers. Let's get into the topic:

With the increasing penetration of mobile devices across the globe, there is a steep increase in demand for cybersecurity. Improvements in mobile and internet infrastructure and advances in technology are propelling the adoption of smart devices among enterprises and consumers. At the same time, enterprises are rapidly embracing cloud platforms and other networking technologies. Because of these advances, companies are exposed to a wider range of cyber-attacks.

In 2017, cyber-attacks on mobile devices increased by over 40%, with an average of over 1.2 million attacks per month. Hence, cybersecurity controls such as cryptography and Data Loss Prevention became more and more critical for end users and organizations dealing with sensitive data. The global cybersecurity market is set to grow from more than $120 billion in 2019 to over $300 billion by 2024, propelled by the increasing need among enterprises to minimize security risks.

Studies have shown that at least 93% of mobile transactions in 2019 were blocked because they were fraudulent. It is necessary to instill a sense of trust in your customers that the software they are downloading is safe. That is also the reason why you must buy a code signing certificate.

All these factors combined have contributed to the growth in demand for cybersecurity, and especially for code signing certificates. Code signing certificates give end users confidence and trust in the code/software programs developed by tech firms.

What is a Code Signing process?

Code signing is a process to confirm the authenticity and integrity of digital information such as a piece of software code. It assures users that the software is genuine and establishes the identity of the author. Code signing also ensures that the signed information has not been altered since it was validly signed, and, because the signing certificate can be revoked, lets a publisher withdraw trust from signatures made with a compromised key.

Code signing plays an important role because it enables the identification of legitimate software versus malware or rogue code. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

Software powers your organization and reflects the true value of your business. Protecting it with a robust code signing process is vital: it assures users that the software is not malicious code and establishes the legitimacy of the author, without limiting access to the code.


Encryption consulting’s (EC) CodeSign Secure platform

Encryption Consulting's (EC) CodeSign Secure platform lets you digitally sign your software code and programs. Hardware security modules (HSMs) store all the private keys used for code signing and other digital signatures in your organization. Organizations using the CodeSign Secure platform get the following benefits:

  • Easy integration with leading Hardware Security Module (HSM) vendors.
  • Access to the platform for authorized users only.
  • A key management service that avoids unsafe storage of keys.
  • Enhanced performance by eliminating bottlenecks.

Why to use EC’s CodeSign Secure platform?

There are several benefits to using Encryption Consulting's CodeSign Secure for your code signing operations. CodeSign Secure helps customers stay ahead of the curve by providing a secure code signing solution with tamper-proof storage for the keys and complete visibility and control of code signing activities. The private keys of the code signing certificates are stored in an HSM to eliminate the risks associated with stolen, corrupted or misused keys. Client-side hashing preserves build performance and avoids unnecessary movement of files, which in turn raises the level of security: only the hash travels over the network to the HSM, where the cryptographic signing operation takes place. Seamless authentication is provided to code signing clients through the platform, together with multi-factor authentication, device authentication, multi-tier approver workflows and more. Support for InfoSec policies improves adoption of the solution and lets different business teams have their own workflow for code signing.

Code Signing process for developers

The code signing process is built on public key cryptography (specifically PKI). When a developer signs code, they attach a digital signature, backed by a code signing certificate, to the piece of code or software program. There are two critical steps involved in the code signing process:

  1. Hashing
  2. Signing (applying the private key to the hash)

As a first step, the developer generates a key pair: a private key, kept secret and used to create signatures, and a public key that others use to verify them. Once the key pair has been generated, the public key is sent to a trusted issuing body called a Certificate Authority (CA), which verifies the developer's identity and then binds the public key to that identity in a digitally signed certificate; this certificate is the developer's proof that they are the rightful owner of the key. This certificate is the code signing certificate in question. The CA sends the certificate back to the developer who requested it.

With both the code signing certificate and the key pair in hand, the developer hashes the software before signing it. Hashing uses a hash function to reduce the code, whatever its size, to a fixed-length value called a digest. The digest is then signed with the private key (for RSA this is often loosely described as "encrypting" the digest, but the operation is a signature: anyone holding the public key can check it, and nobody can produce it without the private key). Next, the developer combines the signature with the code signing certificate and the identifier of the hash function into a signature block, which is inserted into or attached to the software. A verifier recomputes the digest from the delivered bytes, checks the signature against the public key in the certificate, and checks that the certificate chains to a trusted CA; any change to the code, or a signature made with a different key, fails this check.

Once the developer inserts the signature block into the software, it is code-signed and can be distributed.
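The following PowerShell script is an added example, not from the original article, that reduces the hash-then-sign process described above to its cryptographic core using the .NET RSA class that ships with PowerShell. Real toolchains (signtool, Set-AuthenticodeSignature) wrap exactly this operation in a certificate and a signature block; here the developer's key pair is generated on the fly and the "software" is a constructed string, so no certificate or CA is involved. The three checks at the end show the untouched release, a modified download, and a forgery signed with an attacker's key.

```powershell
# Added example (not from the original article): hash, sign and verify a piece of "code"
# with RSA/SHA-256, and show how tampering and forgery are detected. Works in Windows
# PowerShell 5.1 and PowerShell 7.
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function New-CodeSignature {
    # Developer side: hash the bytes and sign the digest with the private key.
    param([byte[]]$Code, [System.Security.Cryptography.RSA]$PrivateKey)
    $PrivateKey.SignData($Code, $hashAlg, $padding)
}

function Test-CodeSignature {
    # User side: recompute the digest from the delivered bytes and check the signature with
    # the public key, which in practice travels inside the code signing certificate.
    param([byte[]]$Code, [byte[]]$Signature, [System.Security.Cryptography.RSAParameters]$PublicKey)
    $verifier = [System.Security.Cryptography.RSA]::Create()
    $verifier.ImportParameters($PublicKey)
    $verifier.VerifyData($Code, $Signature, $hashAlg, $padding)
}

$code = [System.Text.Encoding]::UTF8.GetBytes('print("hello from release 1.0")')  # constructed sample program
$developerKey = [System.Security.Cryptography.RSA]::Create()                       # 2048-bit key by default
$publicKey    = $developerKey.ExportParameters($false)                            # public half only
$signature    = New-CodeSignature -Code $code -PrivateKey $developerKey

# Untouched download: the digest matches and the signature came from the matching private key.
Test-CodeSignature -Code $code -Signature $signature -PublicKey $publicKey

# Modified download: flipping one bit changes the digest, so the same signature no longer verifies.
$tampered = [byte[]]$code.Clone()
$tampered[0] = $tampered[0] -bxor 1
Test-CodeSignature -Code $tampered -Signature $signature -PublicKey $publicKey

# Forgery: an attacker re-signs the modified code with their own key; the user still holds
# the developer's public key, so the forged signature is rejected.
$attackerKey = [System.Security.Cryptography.RSA]::Create()
$forged      = New-CodeSignature -Code $tampered -PrivateKey $attackerKey
Test-CodeSignature -Code $tampered -Signature $forged -PublicKey $publicKey
```

Run as is, the first check succeeds and the other two fail. The part a certificate adds on top of this is the binding between the public key and the publisher's identity: without it, an attacker could ship their own public key alongside the forged signature, which is why a verifier must also check that the certificate chains to a trusted CA.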

What are the benefits of Code Signing for developers?

Code signing is one of the safest processes available for protecting software and code, which is what makes it a highly sought-after practice for developers as well as tech firms. Let us look at some of the important benefits of code signing for securing your code/software. Encryption Consulting provides the CodeSign Secure platform to perform code signing; with it you can protect your firm's unique code and software programs.

Protects code integrity

Code signing authenticates the integrity of code and/or software programs using a hash function. If the hash computed over a downloaded application matches the hash that was signed, the code's integrity is intact. If the hashes do not match, the user sees a security warning or the code fails to install. Code signing certificates support an optional timestamp that extends the life of your digital signatures: your signed code remains valid even after the code signing certificate expires, because the validity of the certificate at the time of signing can be verified.

Streamlined security of the code

When your code/software programs are integrated with a code signing portal through its API, Encryption Consulting's CodeSign Secure makes the code signing process easy to manage and integrate with your build. Streamlined security helps you get to market faster while protecting the integrity of your code and reducing security warnings.

Minimize security warnings through trusted Certificate Authority

Code signing creates and establishes trust because certificates from a trusted Certificate Authority (CA) are used. The root certificates of trusted, reputable certificate authorities are already installed on client machines, so it is always advised to use an established code signing provider such as CodeSign Secure. When your code is signed with such a certificate, operating systems and browsers accept it without the unknown-publisher warnings shown for unsigned code, paving the way for a seamless download of the software. With fewer security warnings, the end user has an easier experience.

Encryption Consulting’s CodeSign Secure platform use cases for developers

There are multiple use cases that can be implemented with Encryption Consulting's CodeSign Secure platform. Most of them build on the digital signature concept discussed above. The platform caters to the all-round requirements of your organization. Let us look at some of the major use cases covered by CodeSign Secure:

  • Code Signing:

    Sign code from any platform, including Apple, Microsoft, Linux, and much more.

  • Document Signing:

    Digitally sign documents using keys that are secured in your HSMs.

  • Docker Image Signing:

    Digitally sign Docker images while storing the keys in HSMs.

  • Firmware Code Signing:

    Sign any type of firmware binary to authenticate the manufacturer and prevent firmware tampering.

Organizations with sensitive data or patented code/programs can benefit from the CodeSign Secure platform. Online distribution of software is becoming the de facto standard, given its speed to market, reduced costs, scale and efficiency advantages over traditional channels such as retail stores or CDs shipped to customers, and code signing is a must for online distribution. For example, third-party software publishing platforms increasingly require applications (desktop as well as mobile) to be signed before agreeing to publish them. Even if you are able to reach a large number of users, without code signing the warnings shown during download and installation of unsigned software are often enough to discourage users from proceeding. Encryption Consulting keeps the signing keys in FIPS-certified hardware security modules (HSMs) during the code signing operation. Faster code signing is achieved through CodeSign Secure because hashing occurs locally on the build machine, and reporting and auditing features give InfoSec and compliance teams full visibility of all private key access and usage.

Encryption Consulting’s PKI complete package

Encryption Consulting LLC (EC) offers a complete, all-round training package on Public Key Infrastructure (PKI). The PKI course can be taken by candidates at any level, whether beginner, intermediate or advanced, and is recommended for anyone using or managing certificates, designing or deploying an enterprise PKI solution, or evaluating and selecting a commercial PKI technology solution.

Planning a Public Key Infrastructure (PKI) has a significant skill ceiling, as an organization's authentication, encryption and digital signing can all depend on how the PKI is built. An organization needs a robust and secure PKI to ensure security and privacy and to meet regulations and compliance requirements. Creating and managing a PKI requires ample knowledge, which Encryption Consulting brings along with the experience needed to give organizations a solution customized to their needs.

In our three-day PKI training, delivered online or in person and focusing on Microsoft Active Directory Certificate Services (ADCS), customers learn how to design and deploy PKI solutions in the enterprise.

You will learn how to build a PKI on Windows Server 2019, focusing on areas such as integration with HSMs, two-tier PKI, cloud PKI and more.

There is a strong emphasis on PKI governance, PKI design best practices, the certificate lifecycle management process, PKI operations and hands-on skills labs.



Read time: 10 minutes

In this discussion whiteboard: what is a trusted time stamp and what is a Time Stamping Authority (TSA)? Which protocols does a Time Stamping Authority follow? What are the steps involved in the time stamping process performed by a TSA? Why is this concept critical in the code signing process? What is CodeSign Secure by Encryption Consulting? Let's get into the topic to answer these questions:

Code signing is a type of digital signature used to provide security and authentication for intellectual property in the form of code or a software program. The code signing process relies on several components, each of which contributes to the technical security and integrity of your code/software program. Time stamping is one of the key aspects of the code signing architecture. Let us first understand what the code signing process is and which components make up the code signing architecture; this will lead us to the trusted time stamping concept and the Time Stamping Authority (TSA). One important point to note: time stamping can be applied to documents signed with either digital signatures or electronic signatures.

What is a Code Signing process?

In the recent past, many technology firms have been targeted by attackers seeking to tamper with and corrupt source code. These attacks damage brand reputation and lead to huge losses for the firms victimized. To counter this, code signing can be used to safeguard code integrity and to prove the author's identity to the end user through digital signatures. Code signing provides secure and trusted distribution of software, preventing tampering, corruption and forgery, and improves end-user confidence in software/code integrity and sender authenticity.

Code signing is the process of applying a digital signature to any software program intended for release and distribution to another party or user, with two key objectives. One is to prove the authenticity and ownership of the software. The second is to prove the integrity of the software, i.e. that it has not been tampered with, for example by the insertion of malicious code. Code signing applies to any type of software: executables, archives, drivers, firmware, libraries, packages, patches and updates. An introduction to code signing has been provided in earlier articles on this blog. In this article, we look at some of the business benefits of signing code.

Code signing is one type of digital signature based on PKI. It confirms the authenticity and originality of digital information such as a piece of software code, assures users that the information is valid, establishes the legitimacy of the author, and ensures that the information has not been altered since it was validly signed. Code signing therefore plays an important role in distinguishing legitimate software from malware or rogue code: digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

Software powers your organization and reflects the true value of your business. Protecting it with a robust code signing process is vital: it assures users that the software is not malicious code and establishes the legitimacy of the author, without limiting access to the code.

Code Signing Architecture

The code signing architecture provides a detailed explanation of how the code signing process works along with its components. The four important differentiating components of the code signing architecture are shown below.

These four components together complete the full cycle of the code signing process. Public Key Infrastructure (PKI) plays a crucial role in achieving code signing for your important documents.

To understand more about Code signing process, read our blog posts here:

In the above architecture, our point of focus is the “Time Stamping Authority”, which is an optional part of the code signing process right now but is slowly gaining importance in achieving authenticity for your code or software program. So, what is the time stamping process and why is the time stamping authority important to it? Let’s take a look now.

What is time stamping process?

Time stamping is an optional part of the code signing process in which the validity of the code signing signature is preserved even after the certificate used for code signing has expired. It acts as an additional control: the signature applied during code signing remains verifiable after the certificate’s expiry, ensuring smooth operations without interruption.

Whenever the signed software’s executable is run on any client machine, its digital signature is verified by the user’s operating system. Now, suppose the publisher has time stamped the software. The user’s computer will verify the signature based on the time it was digitally signed, rather than the current time of the system when the software is executed.

What is Time Stamping Authority (TSA)?

An optional but important component in Code Signing Architecture is Time Stamp Authority (TSA). Time stamping preserves the source time when the code was signed and allows software to be accepted by the OS and other client device platforms even after the certificate expires. Signed software is validated with the source time when the certificate was signed rather than the current time. Hence, it is always advisable to use Time stamping technique while performing code signing.

Digitally signed code is sent to the TSA for time stamping. The TSA applies its own signature along with the trusted source time stamp. The TSA is independent from the Code Signing System and synchronizes its clock with an authoritative time source.

Time stamping protocols

Time Stamping Authorities follow defined protocols when performing time stamping so that the resulting tokens are protected and verifiable. There are two major protocols usually followed by TSAs for time stamping:

  • RFC 3161 – RFC 5035
  • Microsoft Authenticode

RFC 3161 – The time-stamping protocol defined in RFC 3161 requires that the Cryptographic Message Syntax (CMS) SignedData [RFC5652], used to apply a digital signature on the time-stamp token, include a signed attribute that identifies the signer’s certificate.

Microsoft Authenticode – Authenticode applies digital signature technology to guarantee the authorship and integrity of binary data such as installable software. A client web browser, or other system components, can use Authenticode signatures to verify the integrity of the data when the software is downloaded or installed. Authenticode signatures can be used with many software formats, including .cab, .exe, .ocx, and .dll.

To know more about the Microsoft Authenticode, please read through the page mentioned below:
https://docs.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures

How does Time stamping authority perform time stamping process?

Public Key Infrastructures (PKIs) play a crucial role in how a Time Stamping Authority (TSA) performs the time stamping process. Let us understand the high-level steps involved in the time stamping process.

Step 1: The client application connects to the Time Stamping Authority (TSA) service and computes a hash of the code or software program that is to be signed.

Step 2: The hash of the code (not the code itself) is sent to the TSA for time stamping. Any change made to the code after this point changes its hash, so the new hash has to be submitted to the TSA server again.

Step 3: The TSA combines the hash received from the client with the trusted time stamp and digitally signs the result with its secure private key. This signing operation produces a “time stamp token”, which is sent back to the client.

Step 4: The client receives the time stamp token created by the TSA and records it within the document or code signature.
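The four steps above, worked through as an added Go example that is not part of the original post and not Encryption Consulting’s code. It models the token as a plain struct (hash, time, signature) instead of the RFC 3161 ASN.1 structure, generates a throwaway RSA key to stand in for the TSA’s key, and gives the TSA an injectable clock so the run is deterministic; all of those are assumptions of the example. `SignerCertValidAt` shows the point made earlier in the post: a time-stamped signature is judged against the time in the token, not the verifier’s current clock.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// TimeStampToken is a simplified model of the token a TSA returns (assumption:
// a real RFC 3161 token is an ASN.1 CMS structure carrying the same ideas).
type TimeStampToken struct {
	CodeHash [32]byte  // SHA-256 of the code, as submitted by the client
	GenTime  time.Time // trusted time supplied by the TSA
	Sig      []byte    // TSA signature over CodeHash || GenTime
}

// tsaMessage is the byte string the TSA signs: hash || big-endian unix seconds.
func tsaMessage(hash [32]byte, t time.Time) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.Unix()))
	return append(hash[:], ts[:]...)
}

// TSA holds the authority's private key and its clock (synchronized with an
// authoritative time source in practice; injectable here for determinism).
type TSA struct {
	Key *rsa.PrivateKey
	Now func() time.Time
}

// NewTSA generates a throwaway RSA key for the authority (example assumption).
func NewTSA(now func() time.Time) (*TSA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TSA{Key: key, Now: now}, nil
}

// Issue is step 3: bind the client's hash to the trusted time and sign the pair.
func (t *TSA) Issue(codeHash [32]byte) (TimeStampToken, error) {
	genTime := t.Now().UTC().Truncate(time.Second)
	digest := sha256.Sum256(tsaMessage(codeHash, genTime))
	sig, err := rsa.SignPSS(rand.Reader, t.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return TimeStampToken{}, err
	}
	return TimeStampToken{CodeHash: codeHash, GenTime: genTime, Sig: sig}, nil
}

// RequestTimestamp is steps 1, 2 and 4 on the client side: hash the code locally,
// send only the hash, and keep the returned token alongside the code signature.
func RequestTimestamp(code []byte, tsa *TSA) (TimeStampToken, error) {
	return tsa.Issue(sha256.Sum256(code))
}

// VerifyToken checks that the token still matches the distributed code and that
// the TSA signature over hash||time verifies under the TSA public key.
func VerifyToken(code []byte, tok TimeStampToken, tsaPub *rsa.PublicKey) error {
	if sha256.Sum256(code) != tok.CodeHash {
		return errors.New("code hash does not match the time-stamped hash")
	}
	digest := sha256.Sum256(tsaMessage(tok.CodeHash, tok.GenTime))
	if err := rsa.VerifyPSS(tsaPub, crypto.SHA256, digest[:], tok.Sig, nil); err != nil {
		return fmt.Errorf("time stamp signature invalid: %w", err)
	}
	return nil
}

// CertValidity models the validity window of the code-signing certificate.
type CertValidity struct{ NotBefore, NotAfter time.Time }

// SignerCertValidAt decides whether the code-signing certificate counts as valid:
// with a token the check uses the time in the token; without one, the current time.
func SignerCertValidAt(v CertValidity, tok *TimeStampToken, now time.Time) bool {
	at := now
	if tok != nil {
		at = tok.GenTime
	}
	return !at.Before(v.NotBefore) && !at.After(v.NotAfter)
}

func main() {
	code := []byte("constructed sample program bytes") // constructed input
	signedAt := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)
	tsa, err := NewTSA(func() time.Time { return signedAt })
	if err != nil {
		panic(err)
	}
	tok, err := RequestTimestamp(code, tsa)
	if err != nil {
		panic(err)
	}
	fmt.Println("token verifies:", VerifyToken(code, tok, &tsa.Key.PublicKey) == nil)
	cert := CertValidity{NotBefore: signedAt.AddDate(-1, 0, 0), NotAfter: signedAt.AddDate(0, 6, 0)}
	later := signedAt.AddDate(3, 0, 0) // the binary is run three years after signing
	fmt.Println("valid later without token:", SignerCertValidAt(cert, nil, later))
	fmt.Println("valid later with token:", SignerCertValidAt(cert, &tok, later))
}
```

The last two lines of `main` are the whole reason for the token: with the certificate long expired, the untimestamped signature is rejected while the timestamped one is still accepted, because the verifier only needs the certificate to have been valid at the TSA’s `GenTime`.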

Who can use Time stamping?

The trusted time stamping process can add an additional security control to documents which are either digitally signed or electronically signed. Documents signed with an electronic signature can be time stamped, and recipients can verify the integrity of the document after the time stamp. For digitally signed documents, there are two main reasons for including a trusted timestamp when you digitally sign a document: ensuring Long-Term Validation (LTV) of the signature, and adding non-repudiation or confidence around when the signature was actually applied.

Encryption Consulting provides the CodeSign Secure platform for digitally signing your most important and highly sensitive code and software programs to ensure their security and integrity. After the code signing process is performed through CodeSign Secure, we guide you in performing the trusted time stamping process through a Time Stamping Authority (TSA).

Below is a brief description of Encryption Consulting’s (EC) CodeSign Secure platform and its benefits.

Encryption Consulting’s (EC) CodeSign Secure platform:

Encryption Consulting’s (EC) CodeSign Secure platform provides you with the facility to sign your software code and programs digitally. Hardware security modules (HSMs) store all the private keys used for code signing and other digital signatures of your organization. Organizations leveraging the CodeSign Secure platform by EC can enjoy the following benefits:

  • Easy integration with leading Hardware Security Module (HSM) vendors.
  • Access to the platform for authorized users only.
  • A key management service that avoids any unsafe storage of keys.
  • Enhanced performance by eliminating bottlenecks.

Why to use EC’s CodeSign Secure platform?

There are several benefits of using Encryption Consulting’s CodeSign Secure for your code signing operations. CodeSign Secure helps customers stay ahead of the curve by providing a secure code signing solution with tamper-proof storage for the keys and complete visibility and control of code signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys. Client-side hashing ensures build performance and avoids unnecessary movement of files, providing a greater level of security. Seamless authentication is provided to code signing clients via the CodeSign Secure platform, which makes use of state-of-the-art security features including client-side hashing, multi-factor authentication, device authentication, multi-tier approver workflows, and more. Support for InfoSec policies improves adoption of the solution and enables different business teams to have their own workflow for code signing. CodeSign Secure is built around a state-of-the-art client-side hash signing mechanism, so less data travels over the network, making it a highly efficient code signing system while the complex cryptographic operations take place in the HSM.

Explore more about our CodeSign Secure platform features and benefits in the below link:

Encryption Consulting’s Managed PKI / CodeSign Secure

Encryption Consulting LLC (EC) will completely offload your Public Key Infrastructure environment, which means EC takes care of building the PKI infrastructure and then leads and manages the PKI environment (on-premises PKI, PKI in the cloud, or a cloud-based hybrid PKI infrastructure) of your organization. Along with PKI, Encryption Consulting also assists you in performing the code signing process for your important and highly sensitive documents, code and software programs.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required, and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.

Conclusion

Encryption Consulting’s PKI-as-a-Service, or managed PKI, allows you to get all the benefits of a well-run PKI without the operational complexity and cost of operating the software and hardware required to run the show. Your teams still maintain the control they need over day-to-day operations while offloading back-end tasks to a trusted team of PKI experts.

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.


What is Code signing?

In the recent past, many technology firms have been targeted by hackers seeking to tamper with and corrupt their source code. These attacks heavily impact brand reputation and also lead to huge losses for the firms victimized. To tackle this scenario, the code signing technique can be used to safeguard code integrity and to prove the authenticity of the author to the end user by means of digital signatures. Code signing provides secure and trusted distribution of software, preventing tampering, corruption and forgery. Code signing improves end-user confidence in software/code integrity and sender authenticity.

To explore the “Top 5 benefits of Code Signing“, please go through the blog article: www.encryptionconsulting.com/code-signing-top-5-benefits

Code Signing Architecture:

The code signing architecture provides a detailed explanation of how the code signing process works along with its components. The four important differentiating components of the code signing architecture are shown below.

These four components together complete the full cycle of the code signing process. Each component has a defined working process, which is discussed in detail below.

Code Signing System (CSS):

The Code Signing System (CSS) is the first and most important component of the code signing architecture. The code signing system signs the submitted code with a digital signature and thereby authenticates the author. The digital signature is generated by the CSS using the private signing key and certificate. It is highly important to secure the private signing key and certificate from misuse and unauthorized access.

Certificate Authority (CA):

Developers, or whichever source issues the code, should use certificates from authentic certificate authorities (CAs), as the certificate is what enables the source to be authenticated. Certificates issued by authentic certificate authorities must comply with standard certificate policies such as NIST Interagency Report 7924, which specifies the requirements CAs must follow when issuing certificates. The developer requesting a certificate from an authentic CA also has to provide supporting validation documents, which are verified before the certificate is issued. CAs follow guidelines mandated by standards bodies such as the CA Security Council and the CA/Browser Forum.

Time Stamp Authority (TSA)

An optional but important component in Code Signing Architecture is Time Stamp Authority (TSA). Time stamping preserves the source time when the code was signed and allows software to be accepted by the OS and other client device platforms even after the certificate expires. Signed software is validated with the source time when the certificate was signed rather than the current time. Hence, it is always advisable to use Time stamping technique while performing code signing. Digital signature signed code is sent to TSA for time stamping. TSA applies its own signature along with the valid source time stamp. TSA is independent from Code Signing System and synchronizes its clock with an authoritative time source.

Verifiers

The end user of code digitally signed by the publisher initiates the process of verifying the signature. In general, verifiers are the components that perform this step of validating the signature and the time stamp (if any). Verifiers leverage trust anchors to validate the signature on the signed code. Trust anchors are usually the public keys of root certificate authorities (CAs), installed securely on the verifying platform. In general, root CAs use a standard certificate format such as X.509. If your organization is looking to implement code signing, please contact info@encryptionconsulting.com for further information.
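The four components described above, as an added Go example that is not from the original post and not Encryption Consulting’s code. A self-signed root plays the Certificate Authority, `IssueCodeSigningCert` issues the publisher a leaf certificate restricted to the code-signing extended key usage, `SignCode` plays the Code Signing System, and `VerifyCode` plays the Verifier: it first chains the publisher’s certificate to a trust anchor (an `x509.CertPool` holding the root, standing in for the root public keys installed on the platform) and only then checks the signature over the code. The certificate names, key sizes and the sample bytes are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair with its certificate: used for the root CA, for the
// publisher's code-signing certificate, and for a foreign root in the negative case.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// createIdentity generates a fresh key and has parent sign the template for it;
// a nil parent means the certificate is self-signed.
func createIdentity(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// NewRootCA plays the Certificate Authority: a self-signed root whose public
// key becomes the verifier's trust anchor.
func NewRootCA(name string) (*Identity, error) {
	now := time.Now()
	return createIdentity(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueCodeSigningCert: the CA issues the publisher a leaf certificate whose
// extended key usage is limited to code signing.
func IssueCodeSigningCert(ca *Identity, publisher string) (*Identity, error) {
	now := time.Now()
	return createIdentity(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: publisher},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca.Cert, ca.Key)
}

// SignCode is the Code Signing System: hash the code and sign the digest with
// the publisher's private signing key.
func SignCode(publisher *Identity, code []byte) ([]byte, error) {
	digest := sha256.Sum256(code)
	return rsa.SignPKCS1v15(rand.Reader, publisher.Key, crypto.SHA256, digest[:])
}

// VerifyCode is the Verifier: chain the leaf to a trust anchor, requiring the
// code-signing EKU, and only then check the signature over the code.
func VerifyCode(code, sig []byte, leaf *x509.Certificate, trustAnchors *x509.CertPool) error {
	opts := x509.VerifyOptions{
		Roots:     trustAnchors,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to a trust anchor: %w", err)
	}
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	digest := sha256.Sum256(code)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("code signature invalid: %w", err)
	}
	return nil
}

func main() {
	root, _ := NewRootCA("Example Root CA")                 // hypothetical CA name
	publisher, _ := IssueCodeSigningCert(root, "Example Publisher")
	code := []byte("constructed sample binary") // constructed input
	sig, _ := SignCode(publisher, code)
	anchors := x509.NewCertPool()
	anchors.AddCert(root.Cert)
	fmt.Println("trusted root:", VerifyCode(code, sig, publisher.Cert, anchors))
	other, _ := NewRootCA("Some Other Root") // a root the platform does not trust
	foreign := x509.NewCertPool()
	foreign.AddCert(other.Cert)
	fmt.Println("foreign root:", VerifyCode(code, sig, publisher.Cert, foreign))
}
```

The order inside `VerifyCode` matters: a valid signature from a key whose certificate does not chain to an installed trust anchor proves nothing about the publisher, so the chain check comes first and the signature check second. The negative case in `main` is also what keeping test and release roots separate relies on: a verifier that trusts only the production root rejects code signed under any other root.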


Code signing, as a technology, provides authenticity for software code, applications and files. This is done by signing the code using digital certificates and a public key infrastructure. Code signing therefore gives end users assurance and trust that the code has not been tampered with or corrupted. This is just one of the benefits of using code signing. To explore the “Top 5 benefits of Code Signing“, please go through the blog article: www.encryptionconsulting.com/code-signing-top-5-benefits

Every organization stands to benefit a great deal from code signing, and this is exactly what makes the technology critical. One has to keep in mind the best practices to be followed while implementing code signing, because when your company’s private keys are breached due to a poorly implemented infrastructure, it impacts not only your customers but also the trust they have in your brand and its products.


Let’s take a look into the most critical best practices your company has to follow while implementing code signing technology:

Code Signing: Best Practices

  1. Separation of environments: test signing and release signing

    One of the most important code signing best practices is to set up a parallel code signing environment that signs test code with an internal test root Certificate Authority (CA). The internal test root CA provides test certificates for signing the code. This benefits the firm in two ways: the first is limiting the exposure of the actual private keys and code signing mechanisms to a closed group of users/developers, and the other is the opportunity to test the signed code for functionality bugs and vulnerabilities.

    Test signing can be done in two ways:

    • Test Certificate Signing Authority
    • Self-signed certificates

    Small to mid-sized organizations can use self-signed certificates for the test code signing process. This might involve some effort to make the certificates trusted, as by default they will not be. In general, such certificates can be obtained through free tools without using any public key infrastructure (PKI). Organizations with large, complex test environments can use an internal test CA to generate test certificates for the code signing process.

    Whether your firm uses self-signed certificates or an internal test CA, always ensure that the code signing process and the root certificates are separated between the test and production environments.

  2. Restricted access to private keys through physical security

    Systems holding private keys must have minimal access. As the saying goes, the most secure computer is the one with the fewest external connections. Hence, minimize the number of personnel with access to systems holding the private keys used for the code signing process.

    Physical security is equally important for securing sensitive data. In spite of all the virtual measures taken, an employee or contractor who gains unwanted physical access can be a high threat. Physical measures such as cameras, fingerprint access and security guards can be utilized to provide physical security.

  3. Cryptographic hardware protection modules (HSMs)

    Cryptographic hardware protection modules restrict the export of private keys from the device. Cryptographic modules are tamper-proof and secure for storing the keys used to sign digital certificates. There are three important types of cryptographic devices used for securing keys:

    In general, HSMs are preferred over the other devices as their security standards are relatively higher. Ensure that all the devices used are FIPS 140 Level 2 certified.

  4. Timestamp process: public or private

    The time stamping process helps in verifying the authenticity of the publisher after the expiry of the certificate. A public time stamping authority can be used for cost reasons, but it is always suggested to use an internal timestamp authority to avoid public network access.

    Timestamp certificates can be issued for a maximum period of 135 months. Strict measures have to be taken when the code signing process is exposed to an external/public time stamping authority.

  5. Scan the code for viruses

    The code signing process only authenticates the code; it cannot secure it. Hence, it is always suggested to perform virus and malware scans before publishing the code and signing it with digital certificates. Virus/malware scanning improves the quality of the code as well.

If your organization is looking for implementation of Code signing, please consult info@encryptionconsulting.com for further information


What is Code Signing?

If you are a CISO, or hold an equivalent position in any organization, one of your biggest nightmares would be the failure of a line of defense for data security. One such important module relevant to data protection is “Code Signing”. Organizations have to be aware of the threats posed to the code signing process and implement reasonable recommendations for tackling them.

According to a study conducted by Venafi, out of 320 participants from the USA, Europe and Canada, more than 28% implement a defined code signing policy for protecting the certificates used for signing code. There are high chances of certificates being forged or stolen by cyber criminals when proper policies are not enforced for code signing.

Let’s discuss few scenarios of threat landscape for “Code Signing” when appropriate code signing policy is not in place.

Potential Threats to Code Signing

  1. Theft/loss of private signing keys

    Private signing keys have to be protected with the utmost care. Many incidents are reported regularly due to theft of private signing keys. Cyber criminals with access to these signing keys can masquerade malware or malicious code as authentic code or software. These incidents cause huge financial loss as well as loss of brand reputation. A single compromised private key can devastate an entire firm’s business.

    Real-world incidents involving theft of private signing keys have caused a lot of damage to the affected firms. Governments are also affected by the loss of private keys; one of the classic examples is the attack on the Malaysian Government during November 2011, where stolen legitimate certificates were used to sign malware.

  2. Compromised certificate authority

    A direct attack on a certificate authority (CA) issuing code signing certificates can cause severe damage to the firms using those certificates. Hence, it is always advisable to ensure that the CAs issuing certificates follow best practices. Cyber attack incidents on CAs can even lead to the bankruptcy of the firm issuing the certificates.

    One such incident happened to a Dutch certificate authority, DigiNotar, in 2011. The certificate authority was compromised by hackers, who issued fake certificates for many reputed websites; this eventually resulted in the bankruptcy of DigiNotar.

    The best practice is to assess the vetting processes used by the certificate authority and the data security measures it has in place before choosing the CA.

  3. Use of insecure cryptography and governance controls

    Usage of weak and insecure cryptographic algorithms in the code signing process creates vulnerabilities that can lead to cyber attacks such as brute-force attacks on the keys used for code signing. Poor governance controls can allow intrusions into development and production systems. These security lapses can result in malicious code being signed and authenticated.

    CISOs should consider implementing proper governance controls to create a secure environment. Also, performing an appropriate assessment of the code signing processes would avoid any unprecedented breach.

    Venafi’s research survey on code signing best practices and processes followed across the US, Canada and Europe painted an astonishing picture of the code signing landscape. More than 50% of the respondents across the US, Canada and Europe either do not have code signing processes defined or implement an informal process inconsistently. This is a huge, alarming concern for CISOs.

    35% of the respondents do not have a clear owner for managing code signing private keys. In many cases, either the development team or information security, or both, manage the private keys used for code signing.

    It is the responsibility of CISOs to consider hiring an in-house team or a consulting firm with expertise in cryptography and code signing processes for a better and more secure implementation of “Code Signing”.

If your organization is looking for assessment and/or implementation of Code signing, please consult info@encryptionconsulting.com for further information


What is Code Signing?

Code signing is the process of authenticating software code/application/program/scripts to confirm the source of origin of the publisher and assure that the code has not been tampered or altered since it was signed.

Certificate Authorities (CAs) confirm the identity of the code signing source and bind its public key to a code signing certificate. This certificate enables validation of the code signature against an authentic root certificate. Code signing serves the three functions below:

  • Provides authentication of code
  • Provides cryptographic protection
  • Software/code author validation

Top 5 benefits of “Code Signing”:

Let us take a look into the top 5 benefits users can enjoy by using “Code signing”:

  1. Validates code integrity: Code signing provides an integrity check of the code using a hash function. The hash function is used at the source to sign the code, and the same hash has to match at the destination. This provides proof of code integrity. If the hash does not match, users either receive a security warning or the code fails to download.

    Verification can be performed using a timestamp as well. Code signing certificates might include an optional timestamp. The timestamp data is included along with the signature at the time of signing. This process ensures the validity of the certificate at the time of signature.

  2. Issuing company reputation and authenticity: Using the code signing process for authentication and validation of software, code and programs eliminates the risk of program corruption and tampering. This safeguards the company’s reputation as well as its intellectual property.

    By enhancing trust on both sides of the transaction, companies benefit from customers trusting their software programs and files for download. With increased reputation one can expect a considerable increase in customer loyalty.

  3. Increase in revenue: Nowadays, software publishers and network platform providers increasingly mandate code signing from a trusted source/certificate authority (CA) for distribution of software to users.

    This is even more beneficial for small companies or individual developers, who gain trust among customers through authenticity and increase their brand presence as well as revenue.

  4. Safe and secure user experience: As already discussed in one of the points above, the code signing process builds mutual trust between both parties, i.e. vendor and consumer. On top of that, customers who use code-signed software or files can be sure of its security, as the code is properly authenticated and validated, which prevents code tampering.

    Using code signing also provides a smooth user experience, as there are fewer security warnings and installation failures when code is signed by a trusted certificate authority.

  5. Seamless integration with multiple platforms: The code signing process is now available on multiple platforms such as Apple iOS, Windows, Linux, Android, Java and Adobe AIR. Many of these platforms highly recommend code signing for code distribution.

    Many browsers require code signed with a certificate from a trusted certificate authority and reject any action commands provided through untrusted sources. One interesting fact is that Microsoft Office macros and Firefox browser extensions also require code signing.

If your organization is looking for implementation of Code signing, please consult info@encryptionconsulting.com for further information

Services, with the advantages and disadvantages of each:

Bring Your Own Encryption (BYOE)

  Advantages:
  • The Bring Your Own Encryption (BYOE) concept is the desired trust model for organizations that require full control over access to their data regardless of where it is stored or processed.
  • Regulated industries, such as financial services and healthcare, require keys to be segregated from the cloud Data Warehouse compute and storage infrastructure. BYOE enables organizations to comply with this requirement with encryption applied to the most sensitive columns, and dynamic masking or filtering access to other sensitive columns – achieving the optimal balance between data protection, compliance, analytics and usability of the data.
  • Without exposing encryption keys or sensitive data to the cloud, BYOE enhances the security of data within all cloud services such as Database as a Service (DBaaS) environments, as data is always encrypted before being sent to the cloud.

  Disadvantages:
  • There is an increased latency problem, as every data element has to go through repeated cycles of encryption and decryption for utilization in cloud environments, thereby inducing latency-related issues.
  • As there are limited interfaces available, custom APIs have to be built for integration with multiple cloud service providers, which might not be feasible for small/medium-sized organizations.
  • As organizations adopt a move-to-cloud approach, this approach puts increasing pressure on the on-premises infrastructure with respect to scaling, performance, etc.

Bring Your Own Key – Cloud HSM

  Advantages:
  • No key exposure outside the HSM.
  • FIPS advanced level (FIPS 140-2 Level 3 and above) compliant hardware-based devices meeting all regulatory requirements.
  • Can perform all core functions of an on-premises HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.
  • Designed for security.
  • Dedicated hardware and software for security functions.

  Disadvantages:
  • Need specialized, in-house resources to manage key and crypto lifecycle activities.
  • HSM-based approaches are more cost intensive due to the use of a dedicated hardware appliance.
  • Performance overheads.

Bring Your Own Key – Cloud KMS

  Advantages:
  • No specialized skilled resources are required.
  • Enables existing products that need keys to use cryptography.
  • Provides a centralized point to manage keys across heterogeneous products.
  • Native integration with other services such as system administration, databases, storage and application development tools offered by the cloud provider.

  Disadvantages:
  • Key exposure outside the HSM.
  • FIPS 140-2 Level 3 and above devices not available.

Software Key Management

  Advantages:
  • With this approach, service accounts and generic administrative accounts (which may be assumed by one or more users) can access these secrets, but no one else.

  Disadvantages:
  • Not compliant with regulatory requirements which specify FIPS-certified hardware.

Secret Management

  Advantages:
  • Run the organization’s own key management application in the cloud.
  • Lower cost than HSMs and full control of key services, rather than delegating them to your cloud provider.
  • Can perform all core functions of an HSM: key generation, key storage, key rotation, and APIs to orchestrate encryption in the cloud.

  Disadvantages:
  • N/A

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.


Below are the top features of the leading commercial key management solutions:

  • Leading commercial key management solutions have dedicated hardware/software appliances for key storage that can run in the cloud or on-premises. This key storage is accessible only by the customer, and allows the customer to inject the key into any CSP.
  • Commercial key management solutions are up to FIPS 140-2 Level 4 compliant and support symmetric and asymmetric keys: AES keys of 128, 192 or 256 bits; RSA keys between 1024 and 8192 bits, signed with SHA-1, SHA-256, SHA-384, SHA-512, SSL3, Blake2b (256, 384, 512) or Blake2s-256; DES keys of 56 bits; 3DES keys of 168 bits; and HMAC keys between 128 and 512 bits.
  • Commercial key management solutions are capable of key management, storage, auditing, encryption, and tokenization.


Secret Management refers to tools or methods that are used to manage authentication credentials (or secrets). These may include passwords, access keys, API keys, and tokens that can be used in applications, services, privileged accounts or other sensitive areas of the IT ecosystem.

Advantages

  • With this approach, service accounts — generic administrative accounts which may be assumed by one or more users — can access these secrets, but no one else.

Disadvantages

  • Not compliant with regulatory requirements which specify FIPS-certified hardware.

Why is Secret Management important?

Passwords and access keys are among the most widely used means of authenticating users or automated applications to the network, or of granting access to specific services, systems, or information that would otherwise be restricted. Since these secrets must be transferred securely, secret management needs to account for and mitigate the risks to secrets both in transit and at rest.

Some of the secrets include:

  • Passwords
  • API keys or other application keys/credentials
  • SSH Keys
  • Database and other system passwords
  • Certificates for secure communication (TLS/SSL and more).
  • Private encryption keys such as PGP
  • RSA and other one-time password devices

Challenges in Secret Management

As IT infrastructure grows and develops, the complexity and diversity of the secrets that need to be protected increase with it. Those secrets should be securely stored, securely transmitted, and audited.

Some of the common risks and considerations are:

  • Incomplete visibility and awareness
    Few organizations have a complete inventory of all privileged accounts, applications, tools, containers, or microservices deployed across the environment, together with the associated passwords, keys, and other secrets. SSH keys alone may number in the millions at some organizations, which gives an inkling of the scale of the secrets management challenge. This is a particular shortcoming of decentralized approaches, where admins, developers, and other team members all manage their secrets separately, if they are managed at all. Without oversight that stretches across all IT layers, there are sure to be security gaps, as well as auditing challenges.
  • Hardcoded/embedded credentials
    Privileged passwords and other secrets are needed to facilitate authentication for app-to-app (A2A) and application-to-database (A2D) communications and access. Often, applications and IoT devices are shipped and deployed with hardcoded, default credentials, which are easy to crack by hackers using scanning tools and applying simple guessing or dictionary-style attacks. DevOps tools frequently have secrets hardcoded in scripts or files, which jeopardizes security for the entire automation process.
  • Privileged credentials and the cloud
    Cloud and virtualization administrator consoles (as with AWS, Office 365, etc.) provide broad superuser privileges that enable users to rapidly spin up and spin down virtual machines and applications at massive scale. Each of these VM instances comes with its own set of privileges and secrets that need to be managed.
  • DevOps tools
    While secrets need to be managed across the entire IT ecosystem, DevOps environments are where the challenges of managing secrets seem to be particularly amplified at the moment. DevOps teams typically leverage dozens of orchestration, configuration management, and other tools and technologies (Chef, Puppet, Ansible, Salt, Docker containers, etc.) relying on automation and other scripts that require secrets to work. Again, these secrets should all be managed according to best security practices, including credential rotation, time/activity-limited access, auditing, and more.
  • Third-party vendor accounts/remote access solutions
    How do you ensure that the authorization provided via remote access or to a third-party is appropriately used? How do you ensure that the third-party organization is adequately managing secrets?
  • Manual secrets management processes
    Leaving password security in the hands of humans is a recipe for mismanagement. Poor secrets hygiene, such as lack of password rotation, default passwords, embedded secrets, password sharing, and using easy-to-remember passwords, mean secrets are not likely to remain secret, opening up the opportunity for breaches. Generally, more manual secrets management processes equate to a higher likelihood of security gaps and malpractices.
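The hardcoded and default credentials described above are the easiest of these gaps to detect mechanically. The following Python scanner is an added example, not part of the original article: it walks a set of constructed sample DevOps files, flags secret-like assignments whose value is a literal, distinguishes shipped default values from other hardcoded ones, and leaves alone values that are references to a secret store or to the process environment (the `${VAULT:...}` syntax and file names are assumptions made for the sample).

```python
import re

# Constructed sample files mimicking DevOps scripts and configs (no real secrets).
SAMPLE_FILES = {
    "deploy.sh": [
        "#!/bin/sh",
        'export DB_PASSWORD="Summer2021!"',          # literal credential in a script
        "aws s3 sync ./build s3://example-bucket",
    ],
    "Dockerfile": [
        "FROM alpine:3.18",
        "ENV ADMIN_PASSWORD=admin",                   # shipped default credential
    ],
    "app.env": [
        "API_KEY=AKIAEXAMPLEKEY0000000",              # literal API key
        "DB_PASSWORD=${VAULT:db/prod#password}",      # reference to a secret store: allowed
    ],
    "settings.py": [
        'password = os.environ["DB_PASSWORD"]',       # injected at runtime: allowed
        "token = 'ghp_exampletoken0123456789'",       # literal token
    ],
}

# A secret-like name assigned a value with '=' or ':'; group 2 captures the value.
SECRET_ASSIGN = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^'\"\s]+)")
# Values that point at a secret store or the environment rather than being literals.
REFERENCE = re.compile(r"^(\$\{|os\.environ|\$[A-Z_]+$)")
# Well-known default values, the case the article calls out for shipped devices/apps.
DEFAULT_VALUES = {"admin", "password", "changeme", "root", "123456"}


def find_hardcoded_secrets(files):
    """Return (file, line number, key name, kind) for every literal secret found."""
    findings = []
    for fname, lines in files.items():
        for lineno, line in enumerate(lines, 1):
            m = SECRET_ASSIGN.search(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            if REFERENCE.match(value):
                continue                        # managed reference, not a literal
            kind = "default" if value.lower() in DEFAULT_VALUES else "hardcoded"
            findings.append((fname, lineno, key, kind))
    return findings


if __name__ == "__main__":
    for fname, lineno, key, kind in find_hardcoded_secrets(SAMPLE_FILES):
        print("%s:%d %s credential assigned to %s" % (fname, lineno, kind, key))
```

Running it over the sample reports four findings and correctly ignores the two managed references; the same function can be pointed at real repository contents line by line.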
