Load required key pairs and certificates for Code Signing

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read

    • Establish the relationship in a designated non-production instance using Code Signing. This first step loads two cryptographic keys into the non-production environment to establish a trusted source for updates to the production instance.

    Before you begin

    Roles required: security_admin and sn_kmf.cryptographic_manager

    About this task

    The first step in establishing the relationship is to establish the trust foundation in a designated non-production instance using Code Signing. To perform this task, you need the following.
    • You must have two 4096-bit RSA public/private key pairs to load into Code Signing cryptographic modules:
      • One pair for the cm_code_signing cryptographic module
      • One pair for the cm_code_attest cryptographic module

      For more information on these keys, see Create Code Signing key pairs and certificates.

      Important:
      These key pairs must be signed by a public certificate authority or signed by your organizations internal certificate authority. The certificate can't be self-signed.
    • A Public Key Cryptography Standard #12 (.p12) file containing your leaf and intermediate certificates.

    Procedure

    1. Import your keys from the keystore.
      1. Navigate to All > Key Management > Cryptographic Modules > All.
      2. Find and open the cryptographic module named cm_code_signing.
      3. In the Crypto Specifications list, select the name of the crypto specification to open it.
      4. In the Import key from keystore screen, select Import key.
    2. Repeat the first step to import the cryptographic module named cm_code_attest.
    3. In the Enter Keystore Password field, enter the challenge password you created when generating your RSA certificate.
      Note:
      The challenge password that you created is referred to here as the keystore password. In other parts of the process, this may be referred to as either a import password or export password. In all cases, this password is the same challenge password that you created in the previous steps.
    4. Select the Browse button next to Import Keystore/Certificate.
    5. Select a Public Key Cryptography Standard #12 (.p12) file containing your distribution certificate (mentioned in the before you begin section at the top of this doc).
    6. Select OK.
      Important:
      If you’re using your own internal certificate authority, you must upload the internal certificate authority’s intermediate certificates using the process in steps 5–6.
      With a successful import of your key and certificate(s), a confirmation message is displayed.

      You can validate that the key and certificates are present on your instance on the X.509 Certificates [sys_certificate] table. These records have a type of Trust Store Cert.

      You can validate your key on the Cryptographic Modules [sys_kmf_crypto_module] table.

    What to do next

    Export the certificate to production. See Prepare Circle of Trust certificatesfor details.