How to Setup and Integrate Sectigo Code Signing Certificates in Google KMS?

Google Cloud KMS Sectigo Integration

Still signing code on a local machine? Your software is only as secure as the key that signs it. If you are still storing that key on your laptop, or in a random server folder, you are carrying a serious security risk: one data breach, and your entire reputation could be lost.

Instead, you could store your private keys in a tamper-proof Hardware Security Module (HSM) or a cloud HSM such as Google Cloud Key Management Service (KMS). This secures your releases and adds an extra layer of security.

In this post, we will go through the step-by-step process of installing Sectigo Code Signing Certificates on Google Cloud HSM (KMS). Even if you have zero knowledge about this, just stay with me till the end.

Sectigo Code Signing Certificate Setup with Google Cloud KMS

Step 1: Purchase a Code Signing Certificate

First things first: you have to buy a code signing certificate from a trusted Certificate Authority (CA). Not just any certificate, but one that meets today’s strictest security standards, because as of 2023 all code signing certificates must be issued and stored on FIPS 140-2 Level 2-compliant hardware.

That’s the law of the land (thanks to the new CA/Browser Forum Baseline Requirements). Sectigo is one of the most recognised Certificate Authorities in the world, and Sectigo code signing certificates are accepted by all major platforms.

You’re no longer allowed to generate your private key locally on your laptop. Instead, the private key must be created and stored on hardware that attackers can’t reach even if your computer gets hacked. Sectigo plays well with multiple secure key storage options.

Step 2: Create a Digital Safe for Your Code Signing Keys (aka Key Ring in Google Cloud KMS)

Think of a Key Ring as a logical grouping of one or more keys. A Key Ring doesn’t hold key material itself; the keys it groups are kept securely in HSMs tied to that Key Ring’s region. The best part is that you get to decide where that vault lives geographically, which gives you flexibility for compliance, performance, and failover. You can use it to:

  • Organize keys by purpose (e.g., code-signing, database-encryption, API-tokens)
  • Apply security policies across multiple keys at once
  • Control where keys live (regionally)

How to Create a Key Ring in Google Cloud KMS (Step-by-Step)?

If you’ve already created a Key Ring in a previous project or step, you can skip ahead to the next step. Here’s how you create a Key Ring in Google Cloud in under 2 minutes:

1. Log into your Google Cloud Console

Make sure you’re signed into the correct project. (Don’t have one? You’ll need to create a GCP project first.)

2. In the left-hand menu, navigate to:

Security -> Key Management

This will bring up Google Cloud KMS.

3. Click the big “Create Key Ring” button.

4. Now fill out the form:

  • Key Ring Name: Pick something easy to remember, like code-signing-ring. No spaces allowed.
  • Location Type: Choose Regional. (This ensures your key is stored in a single region, perfect for low-latency and compliance.)
  • Region: Select a nearby region or one that matches your compliance needs.

5. Click “Create.”

Step 3: Create a Public-Private Key Pair Inside Google Cloud’s HSM

The strength of your code signing security comes down to how you generate and store your keys. Most developers make a huge mistake: they generate their private key on a local device (a laptop, server, or CI/CD agent) and then try to move it somewhere else. That’s not just risky, it’s playing with fire. Anyone who gets hold of that key can sign their malware as your software.

You don’t want that. That’s why this step is absolutely critical.

Here’s what we’re doing:

We’re going to generate your Sectigo code signing key directly inside Google Cloud’s Hardware Security Module (HSM), a hardened, FIPS-validated device inside Google Cloud’s infrastructure. Your private key will be born, live, and die inside that HSM. It never leaves. That’s FIPS 140-2 Level 3 compliance.

Generate a Key Pair Using Google Cloud HSM

You’re still in the Google Cloud Console under:

Security > Key Management > Key Rings

Now do this:

1. Select Your Key Ring

Click on the key ring you created earlier.

2. Click “Create Key”

This will launch the key creation wizard.

3. Fill Out the Key Configuration Form

Purpose: Asymmetric Sign (This means your private key will be used for signing, and the public key will be used for verifying signatures. Exactly what we need for code signing.)

Key Type: You’ve got two main choices here.

  1. Elliptic Curve (EC): Smaller size, faster, but some tools may not support it
  2. RSA: Slightly bigger, slower, but maximum compatibility

Protection Level: HSM

This is what ensures your private key never touches a regular disk or software process. The key is generated and kept isolated in Google’s FIPS-compliant hardware.

Key Name: Name it something clear, like sectigo-code-key

  • Keep it lowercase
  • No spaces or special characters
  • Use dashes or underscores if needed

Algorithm: Use “RSA_SIGN_PKCS1_3072_SHA256” (recommended)

Here’s why:

  • RSA 3072-bit: Stronger than the old 2048-bit (which is still accepted, but 3072 future-proofs you)
  • PKCS #1 v1.5 Padding: Still widely accepted in signing tools
  • SHA256: The current standard for code signing digests

4. Click “Create”

That’s it. Google Cloud will generate the key pair inside the HSM, protect it from extraction, and automatically handle permissions, audit logging, and rotation options.

Once complete, you’ll see the new key listed under your key ring with details like “3072-bit RSA key, PKCS #1 v1.5 padding – SHA256 digest (recommended)”.

Step 4: Download the Key’s HSM Attestation Record

You’ve got your key, but how do you prove it wasn’t just whipped up on some sketchy server? You need receipts. That’s where the HSM attestation bundle comes in: it’s your proof that the key was generated in a secure, hardware-backed environment. Here’s how to grab it:

  • First, head over to the “Actions” column (look for the three vertical dots).
  • Click on “Verify Attestation” from the dropdown menu.
  • Then hit “Download Attestation Bundle”. It’s a .zip file that confirms your key is the real deal.

Step 5: Time to Generate Your Certificate Signing Request (CSR)

You’ve got your new key. Now, it’s time to turn that key into something useful, like a Certificate Signing Request (CSR). This is how you tell a Certificate Authority, “Hey, I’ve got a legit key. Let’s get certified!”

You can’t just run any old CSR command. You’re working with a key that lives inside a Google HSM. You can’t see it. You can’t export it. But you can ask it to help you generate a CSR securely.

We’ll walk you through how to do this using OpenSSL on Linux (Ubuntu).

First, get your tools ready:

  • Install OpenSSL and the libengine-pkcs11-openssl package.
  • Extract the Google PKCS #11 library. This lets OpenSSL talk securely to your key.
  • Set up a YAML config file that the KMS_PKCS11_CONFIG environment variable points to. (Remember the key_ring you created in Step 2? You’ll need it here.)

Set up your authentication:

  • Create a JSON key file, then save it securely to the machine that’ll generate your CSR.

Don’t forget this final step:

  • Set the environment variable to point to your new key file.

Now, generate that CSR with this command:

openssl req -new -subj '/CN=Your Company Name, LLC/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:object=your_key_name > code_signing_request.csr

Swap your_key_name with the actual name of your key (keep it under 100 characters, or OpenSSL will throw an error). Make sure the digest algorithm you use here matches the one you picked in Step 3.
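As an added example (not code from the original post), here is the Step 5 procedure wrapped in a shell script: it writes the KMS_PKCS11_CONFIG YAML, points the OpenSSL PKCS #11 engine at Google’s libkmsp11 module, generates the CSR, and then checks that the public key inside the CSR equals the public key Cloud KMS reports for the key version. It assumes the libkmsp11.so path is in KMS_PKCS11_MODULE and the service-account JSON key file in GOOGLE_APPLICATION_CREDENTIALS; the project, region, ring and key names in the final comment are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes libengine-pkcs11-openssl
# is installed, KMS_PKCS11_MODULE points at the extracted libkmsp11.so and
# GOOGLE_APPLICATION_CREDENTIALS points at the service-account JSON key file.
set -eu

# Sanity-check the key ring resource name before it goes into the config:
# projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING (the ring from Step 2).
kms_key_ring_valid() {
  printf '%s\n' "$1" |
    grep -Eq '^projects/[a-z][-a-z0-9]{4,28}[a-z0-9]/locations/[a-z0-9-]+/keyRings/[A-Za-z0-9_-]{1,63}$'
}

# Write the YAML that KMS_PKCS11_CONFIG must point at (one token per key ring).
write_kms_pkcs11_config() {
  key_ring="$1"; out="$2"
  kms_key_ring_valid "$key_ring" || { echo "invalid key ring: $key_ring" >&2; return 1; }
  printf '%s\n' '---' 'tokens:' "  - key_ring: \"$key_ring\"" > "$out"
  chmod 600 "$out"   # names a key ring you can sign with; keep it private
}

# Generate the CSR against the HSM-resident key (the post's openssl command).
# OpenSSL rejects PKCS #11 object labels of 100 characters or more, so check first.
generate_csr() {
  key_name="$1"; subject="$2"; out="$3"
  [ "${#key_name}" -lt 100 ] || { echo "key name too long: $key_name" >&2; return 1; }
  openssl req -new -subj "$subject" -sha256 -engine pkcs11 -keyform engine \
    -key "pkcs11:object=${key_name}" -out "$out"
}

# Cross-check: the CSR's public key must equal the one Cloud KMS reports for the
# key version; otherwise the CSR was signed by some other key.
csr_matches_kms_key() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  kms_pub=$(openssl pkey -pubin -in "$2")
  [ "$csr_pub" = "$kms_pub" ]
}

# End to end, run on the CSR-generating machine with the names from Steps 2 and 3.
make_code_signing_csr() {
  key_ring="$1"; key_name="$2"; subject="$3"
  write_kms_pkcs11_config "$key_ring" "$HOME/kms-pkcs11.yaml"
  export KMS_PKCS11_CONFIG="$HOME/kms-pkcs11.yaml"
  export PKCS11_MODULE_PATH="${KMS_PKCS11_MODULE:?set to the path of libkmsp11.so}"
  gcloud kms keys versions get-public-key \
    "${key_ring}/cryptoKeys/${key_name}/cryptoKeyVersions/1" --output-file kms-public.pem
  generate_csr "$key_name" "$subject" code_signing_request.csr
  csr_matches_kms_key code_signing_request.csr kms-public.pem
}
# Constructed example call: make_code_signing_csr projects/example-proj/locations/us-east1/keyRings/code-signing-ring sectigo-code-key '/CN=Your Company Name, LLC/'
```

If csr_matches_kms_key fails, do not submit the CSR to Sectigo: the engine picked up a different key than the one attested in Step 4.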

Step 6: Submit Your CSR & Prove Your Key’s Trustworthiness

You’ve generated your CSR. You’ve got your attestation bundle zipped up and ready from Step 4. Now it’s time to submit everything and lock in your code signing certificate from Sectigo. Here’s how to make it happen:

1. Log into SectigoStore.com:

  • Go to My Orders.
  • Choose the option to generate a certificate.

2. Now, fill in the details:

  • Your name and organization info.
  • Organizational contact’s details.
  • (Optional) An email address if you want verification notifications.
  • Select how you’d like to receive the certificate (we’ll get into that in a second).
  • Accept the Certificate Services Agreement.

3. Next comes the important part (the 4th bullet point above, “Select how you’d like to receive…”):

  • When asked if the private key was created using a secure hardware option, click “Yes”.
  • Pick Google Cloud KMS (Cloud HSM) as your HSM type.
  • Paste your CSR (generated in Step 5).
  • Upload your Key Attestation Bundle (the .zip file from Step 4).

Sectigo will handle the verification and validation process. Once they give your request the green light, your new code signing certificate will be issued and ready to use.

Step 7: Sign Your Code with Sectigo + SignTool

Now comes the most important part: actually signing your software with your Sectigo code signing certificate using SignTool on Windows.

1. Make sure SignTool is ready. If you haven’t already, grab the latest version of SignTool; it’s included in the Windows Software Development Kit (SDK). Install that, and you’re good to go.

2. Install the Google Cloud KMS CNG Provider. This lets SignTool securely talk to your key stored in Google Cloud KMS.

3. Authenticate to Google Cloud. Your machine needs permission to access that cloud-based key, so run this command:

gcloud auth application-default login

4. Sign your code with this command:

signtool sign /v /debug /fd sha256 /t http://timestamp.sectigo.com /f path/to/mycscertificate.crt /csp "Google Cloud KMS Provider" /kc projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/1 path/to/file.exe

Conclusion

Still signing code on your local machine? That’s like locking your front door… but leaving the key under the mat.

Modern threats are advanced. With Google Cloud KMS and Sectigo Code Signing Certificates, you’re not just ticking a security box; you’re following industry best practice and helping prevent supply chain attacks.

Janki Mehta

Janki Mehta is a cyber-security enthusiast with 7+ years of experience and knowledge of encryption, digital certificates and online security. She helps online users stay safe and protect their online presence. Explore SSL errors, installation guides and security tutorials for a safe browsing and web security experience.