Can AWS CloudHSM-backed systems support EV certs?
Recently, my team and I have been exploring the possibility of replacing our Windows build machine with an Amazon instance. We came across this article from Amazon (https://aws.amazon.com/blogs/security/signing-executables-with-microsoft-signtool-exe-using-aws-cloudhsm-backed-certificates/) and were hoping it would allow us to build our Windows binaries and sign them with the appropriate certs too.

The biggest issue we have right now, though, is that one of our products uses an Extended Validation (EV) certificate for building Windows drivers, and that EV certificate is tied to a USB dongle.

Unfortunately, I have not found any definitive documentation yet to this end. I have found this though, https://forums.aws.amazon.com/thread.jspa?messageID=947339&#947339, but still not definitive.

Has anybody successfully signed Windows binaries with EV certificates using the AWS CloudHSM setup? If so, can you share your experiences? Thank you very much.

Negatron, 7/10, 2020 at 12:15

Comments (3):
To anyone looking into this, I would just like to state that for Windows 10 and onwards, drivers need both a company signature (an EV cert) and a Microsoft signature. That being said, I guess building drivers through an automated system running on top of AWS will still require some manual intervention for the Microsoft signature. -- Negatron
Did you manage to get your EV cert on AWS CloudHSM? Or what solution did your team come up with, in the end? -- Torrid
@Torrid We dropped the initiative. For now, we will continue using physical machines for building. If you are building drivers, I would suggest using physical machines too. Drivers require counter-signatures from Microsoft, so building in a physical machine is more convenient. -- Negatron
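For readers who want to see what the signtool side of the linked AWS approach looks like, here is an added example written for this page; it is not code from the question, the comments or the AWS blog. It signs a binary with signtool using a private key that lives in a CNG Key Storage Provider (which is how an HSM-backed key is exposed on Windows), timestamps the signature, and then verifies that the embedded signature chains to the certificate that was intended. The KSP name, key label, certificate file, timestamp server and all paths are assumptions or placeholders, not values taken from the page. Whether a CA will issue an EV certificate onto a key held in CloudHSM, and the separate Microsoft signature that the comments say drivers need, are not addressed by this snippet and are left as open as the thread leaves them.

```powershell
# Added example (not from the original post or the AWS blog): sign a Windows
# binary with signtool using a key held in a CNG Key Storage Provider, then
# verify the result. Assumptions (not stated on the page): the CloudHSM client
# exposes its KSP under the name in $KspName, the signing key label is $KeyLabel,
# the certificate file is $CertFile, and the paths below are placeholders.
param(
    [string]$Binary   = 'C:\build\out\product.exe',     # placeholder path
    [string]$CertFile = 'C:\build\certs\codesign.cer',  # placeholder: public cert matching the HSM key
    [string]$KeyLabel = 'codesign-rsa-2020',             # placeholder: key container / label in the HSM
    [string]$KspName  = 'Cavium Key Storage Provider',   # assumption: KSP name installed by the CloudHSM Windows client
    [string]$TsaUrl   = 'http://timestamp.digicert.com'  # any RFC 3161 timestamp server
)

# Locate the newest signtool.exe from an installed Windows SDK.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" |
    Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw 'signtool.exe not found; install the Windows SDK' }

# /csp + /kc: take the private key from the named KSP instead of a PFX; /f supplies the public certificate.
# /fd sha256: file digest; /tr + /td: RFC 3161 timestamp so the signature stays valid after the cert expires.
& $signtool sign /f $CertFile /csp $KspName /kc $KeyLabel /fd sha256 /tr $TsaUrl /td sha256 $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa) and print the certificate chain (/v).
& $signtool verify /pa /v $Binary
if ($LASTEXITCODE -ne 0) { throw 'signature verification failed' }

# Independent check from PowerShell: the embedded signer must be exactly the certificate we intended to use.
$sig      = Get-AuthenticodeSignature -FilePath $Binary
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $expected.Thumbprint) {
    throw "binary is not signed by the expected certificate (status: $($sig.Status))"
}
"Signed $Binary with $($sig.SignerCertificate.Subject); timestamped by $($sig.TimeStamperCertificate.Subject)"
```

The thumbprint comparison at the end is the check worth keeping in a build pipeline: a `/csp` and `/kc` pair that points at the wrong key container can still produce a signature that `signtool verify` accepts if some other valid code-signing certificate is reachable, so pin the expected certificate rather than trusting "Valid" alone.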
