Creating a Code Signing Certificate using the Key Storage Provider

2 votes, average: 3.00 out of 52 votes, average: 3.00 out of 52 votes, average: 3.00 out of 52 votes, average: 3.00 out of 52 votes, average: 3.00 out of 5 (2 votes, average: 3.00 out of 5, rated)
Creating a Code Signing Certificate using the Key Storage Provider

Steps to Create a Code Signing Certificate Using KSP

Are you looking to create a Code Signing Certificate using Key Store Provider (KSP) but lack the know-how? Fret not, as we are here to lend a helping hand. You can easily follow a simple seven-step procedure outlined below:

  1. Configuring the Key Storage Provider
  2. Generating the Authentication Key
  3. Preparing the Certificate Request Configuration File
  4. Generating the Certificate Request
  5. Submitting the Certificate Request
  6. Installing the Certificate and Signing Windows Binaries
  7. Binding the Certificate (Optional)

However, before delving into the installation process, let’s familiarize ourselves with the terms YubiHSM 2 and KSP, as they will help you understand the steps outlined in the article. 

What is a Key Storage Provider?

A Key Storage Provider (KSP) is a component that facilitates cryptographic key management and storage for software applications. KSPs abstract cryptographic actions related to key generation, encryption, signing, and hash operations away from the application and the operating system.

Its main objective is to simplify the developer’s development process by providing ready-made functionality for cryptographic operations. KSP complies with industry standards such as FIPS 140-2 & supports algorithms like RSA, Diffie-Hellman, Elliptic Curve Cryptography (ECC), and more.

What is YubiHSM 2?

The YubiHSM 2, developed by Yubico, is a hardware security device that offers advanced cryptographic capabilities for securing vital applications, identities, and sensitive data within enterprise environments. It provides a secure environment for key storage and cryptographic operations, protecting cryptographic keys from unauthorized access and replication.

Key features of YubiHSM 2:

  • Compact size and low power consumption for portability and adaptability.
  • Establishes a tamper-resistant shield for guarding sensitive details.

Advantages of YubiHSM 2:

  • Enhances protection of cryptographic keys.
  • Facilitates secure generation, storage, and management of keys.
  • Safeguards private keys of certificate authorities.
  • Guarantees the integrity of cryptographic operations.

The YubiHSM 2 is appealing to organizations seeking robust security measures and reliable key management solutions in their cryptographic operations.

Read More to Understand HSM (Hardware Security Module)

Creating a Code-Signing Certificate using Key Storage Provider: Step by Step

Step 1: Configuring the Key Storage Provider

The Key Storage Provider typically uses the factory authentication key in slot one as its default setting. However, in cases where the factory authentication key is unavailable or if you prefer to use a different one, it is essential to configure the KSP with the desired key ID and password. This configuration step allows you to personalize the authentication key used by the KSP according to your specific requirements and security preferences.

Step 2: Generating the Authentication Key

To generate a new Authentication Key capable of producing exportable asymmetric keys through the KSP, define the desired capabilities for the key, such as generate-asymmetric-key, sign-pkcs, and exportable-under-wrap.

Step 3: Preparing the Certificate Request Configuration File

To create a certificate request configuration file for the code signing certificate request, it is customary to use the .inf format. This file should include crucial details such as the subject name (CN=My Publisher), the hash algorithm (sha256), the key algorithm (RSA), the key length (2048), and the key usage (Digital Signature). Specifying these details accurately in the configuration file is essential for successfully generating the code signing certificate.

Step 4: Generating the Certificate Request

To generate the certificate request, employ the certreq utility either through the command line or the Certificate Manager MMC snap-in (certmgr.msc). Provide the certificate request configuration file (e.g., sign.inf) as input to certreq. The utility will generate and save the request as a file (e.g., sign.req) for further processing.

Step 5: Submitting the Certificate Request

After generating the certificate request file, submit it to the selected Certificate Authority for signature. The CA will thoroughly verify the provided details, ensuring their accuracy and validity. Once all the necessary details have been validated, the CA will issue the signed certificate file.

Step 6: Installing the Certificate and Signing Windows Binaries

Open the signed certificate file (e.g., sign.crt) and install it into your store using the appropriate tool like the Certificate Manager MMC snap-in (certmgr.msc). After installing the certificate, utilize the signtool utility to sign your Windows binaries. Ensure that signtool is accessible from the command line, then execute the sign command, providing the binary’s name to be signed. In case you possess multiple certificates for code signing, you may need to specify the certificate by its hash.

Step 7: Binding the Certificate (Optional)

In some instances, when importing the certificate to a new computer, you may need to bind the certificate with the private key manually. To accomplish this, utilize the certutil utility provided by Windows and indicate the certificate hash. By running the command “certutil -repairstore my <certificate hash>,” you will bind the YubiHSM private key with the certificate.

Facing Issues while Creating Code Signing Certificate Using Key Storage Provider?

If you encounter any issues during the code-signing process, here are some troubleshooting steps to consider:

  • Use the /v and /debug flags with signtool for more detailed output and error messages. These flags provide extra information to help analyze the problem.
  • Utilize the certutil utility to confirm the validity of the imported certificate and check for any errors. Running “certutil -verifystore my <certificate hash>” will provide information about the certificate’s validity.
  • Check if the Key Storage Provider has been installed accurately by using the command “certutil -csplist.” Ensure that the YubiHSM Key Storage Provider is listed without any errors.


In conclusion, the article offers a comprehensive and detailed guide for developers using the Key Storage Provider to generate a Code Signing Certificate. The article covers all seven steps required to do so – configuration of the KSP, generation of the authentication key, preparation of the certificate request configuration file, submission of the certificate request, installation of the certificate, and signing of Windows binaries. It also provides optional steps for binding the certificate and troubleshooting potential issues. With this guide, developers can effectively utilize KSP and enhance the security of their code signing process.

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.