How to Sign Windows Binaries using AWS KMS?
2025-11-25 11:16:21 | Source: securityboulevard.com

What is AWS KMS?

AWS Key Management Service (KMS) is a cloud service that allows organizations to generate, control, and maintain keys that secure their data. AWS KMS allows organizations to have a common way of dealing with keys by making encryption easier for many AWS services, programs, and operations.

AWS KMS allows users to securely generate and maintain encryption keys, set policies for access, and track use, securing data when it rests and in transit. KMS natively supports AWS services, such as S3, EBS, and Lambda, making encryption simpler without requiring programmers to implement complicated crypto code.

Beyond encryption, AWS KMS also supports digital signing and verification, which lets businesses validate data, software, or messages. Its hardware security modules (HSMs) are FIPS 140-2 and FIPS 140-3 validated, so they meet strict standards for cryptographic security.

Businesses can use KMS to stay in compliance, roll out role-based access controls, and rotate keys automatically, which reduces manual work and strengthens security.

Using AWS KMS for Cloud Signing

Cloud signing with AWS Key Management Service (KMS) lets organizations digitally sign software, documents, or other artifacts without ever exposing the private key.

Instead of keeping keys on local machines or hardware tokens, KMS holds them in dedicated, FIPS 140-2/3 compliant hardware security modules, so the private key never leaves the HSM.

This is especially useful for automated builds where signing must run unattended, such as CI/CD pipelines for Windows desktop applications that target many platforms.

Development teams generate a key pair in KMS, create a Certificate Signing Request (CSR) for it, and obtain a certificate for the associated public key, while the private key stays under their control inside KMS.

Steps to Create a CSR and Begin Signing Binaries

Step 1: Obtain an EV Code Signing Certificate

  • Get an EV code signing certificate from a reputable certificate authority such as DigiCert. Choose the option for client-supplied HSM storage and select “Amazon Web Services Key Management Service” as the storage location.
  • This ensures that the certificate's private key is stored in a FIPS 140 Level 3 certified environment (AWS KMS), where it cannot be extracted, stolen or misused.

Step 2: Generate a KMS Key Pair

Sign in to your AWS account and generate a key pair in KMS, from either the AWS console or the CLI. Use at least 4096-bit RSA for code signing to meet Microsoft's requirements:

aws kms create-key --key-spec RSA_4096 --key-usage SIGN_VERIFY

Give the key an alias so it can be referenced easily:

aws kms create-alias --alias-name alias/code-signing --target-key-id <your-key-id>

The alias is used throughout the signing process instead of the raw key ID.

Step 3: Crafting the CSR

Because the private key cannot be accessed directly within KMS, you need to create a temporary CSR and replace its public key with the KMS public key, using a community utility such as aws-kms-sign-csr:

openssl req -new -nodes -keyout /dev/null -newkey rsa:2048 -out code-signing-request.temp.csr

Set up the aws-kms-sign-csr tool:

git clone git@github.com:g-a-d/aws-kms-sign-csr.git
cd aws-kms-sign-csr
python3 -m venv aws-kms-sign-csr
. aws-kms-sign-csr/bin/activate
pip3 install -r requirements.txt

Sign the temporary CSR with your KMS key:

./aws-kms-sign-csr.py --region <your-region> --keyid alias/code-signing --hashalgo sha256 ../code-signing-request.temp.csr > ../code-signing-request.csr

This generates a CSR for the KMS key, ready to be sent to your certificate authority.

Submit the CSR to the certificate authority. After it has been validated, you’ll be given the certificate corresponding to your KMS public key. Your private key is stored securely inside AWS KMS.

You now have:

  • A KMS key pair (private key never leaves KMS)
  • A certificate from the CA bound to the KMS public key

Prepare your binaries for signing with a tool such as Microsoft's SignTool. Signing proceeds in four steps:

  • Compute a digest of the binary.
  • Have KMS sign the digest.
  • Apply the signed digest to the binary.
  • Add a timestamp.

Create the binary digest:

signtool.exe sign -dg . -fd sha256 -f ./certificate.cer Application.exe

Sign the digest using AWS KMS. Only the digest is sent (--message-type DIGEST), never the binary itself; before wiring this into a pipeline, confirm that the digest bytes reach the CLI in the encoding it expects (AWS CLI v2 treats --message as base64, and fileb:// passes a raw file as-is):

aws kms sign --message $(cat Application.exe.dig) --message-type DIGEST --signing-algorithm "RSASSA_PKCS1_V1_5_SHA_256" --key-id alias/code-signing --output text --query "Signature" > Application.exe.dig.signed

Apply the signed digest to the binary:

signtool.exe sign -di . Application.exe

Add a timestamp to ensure long-term validity:

signtool.exe timestamp /tr "http://timestamp.digicert.com" -td sha256 Application.exe

Your binary is now signed and trusted. The whole process runs in the cloud and suits automated build pipelines well, because the private key never leaves AWS KMS.
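To make the digest step concrete, here is an added example (not code from the article or from AWS) that shows what RSASSA_PKCS1_V1_5_SHA_256 actually signs when KMS receives a 32-byte digest, and the client-side check a pipeline should run on the returned signature before handing it to signtool -di. The KMS side is stood in for by a local signing function over a constructed toy key; a plain SHA-256 of the sample bytes stands in for the Authenticode digest signtool writes.

```python
import hashlib

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(digest: bytes, k: int) -> bytes:
    """Build the EMSA-PKCS1-v1_5 block that RSASSA_PKCS1_V1_5_SHA_256 signs."""
    if len(digest) != 32:
        # KMS rejects a DIGEST message whose length does not match the algorithm
        raise ValueError("RSASSA_PKCS1_V1_5_SHA_256 needs exactly 32 digest bytes")
    t = SHA256_DIGESTINFO + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this encoding")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def kms_sign_digest(digest: bytes, n: int, d: int) -> bytes:
    """Stand-in for 'aws kms sign --message-type DIGEST': signs only the digest."""
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15_encode(digest, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify_digest_signature(digest: bytes, sig: bytes, n: int, e: int) -> bool:
    """Check the returned signature against the key's public part before signtool -di."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_encode(digest, k)


# Constructed toy key from two Mersenne primes (2^521-1 and 2^607-1); never use for real signing
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def demo() -> bool:
    """Sign a constructed sample 'binary' and confirm a tampered digest is rejected."""
    binary = b"MZ\x90\x00 constructed sample binary"        # constructed stand-in for Application.exe
    digest = hashlib.sha256(binary).digest()                # stand-in for the signtool -dg digest
    sig = kms_sign_digest(digest, N, D)
    tampered = hashlib.sha256(binary + b"!").digest()
    return verify_digest_signature(digest, sig, N, E) and not verify_digest_signature(tampered, sig, N, E)


if __name__ == "__main__":
    print("signature verified against public key:", demo())
```

With a real key, the public part for this check comes from aws kms get-public-key for the same alias, and a failed verification should stop the pipeline before signtool -di runs.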


Conclusion

By pairing a DigiCert EV Code Signing Certificate with AWS KMS, you get strong security and trust for your Windows application(s).

Storing the private key in AWS KMS keeps it in a FIPS 140 Level 3 environment and keeps sensitive signing material under your control, while still allowing automated, cloud-based pipelines to sign builds.

This configuration also eliminates the risk of key leakage, keeps signing simple, and ensures your software is trusted by enterprise users and Windows systems.


Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.


Source article: https://securityboulevard.com/2025/11/how-to-sign-windows-binaries-using-aws-kms/