Perform the following tasks to create the certificate that Futurex CLI can use for code signing in GitLab.
  1. Create an X.509 Certificate Container.
  2. Generate the CA certificates.
  3. Issue a code signing certificate for GitLab.
  4. Create a PKI Signing Approval Bucket to hold requests.
  5. Apply an Issuance Policy to the code signing certificate.

Create an X.509 Certificate Container

Perform the following steps to create an X.509 certificate container that is owned by the GitLab role CryptoHub created for the service:
  1. Go to PKI and CA > Certificate Management.
  2. Select [ Add CA ].
  3. In the X.509 Certificate Container creation dialog, configure the following settings:
     • Name: GitLab Code Signing CA
     • Host: Select None.
     • Type: Select X.509.
     • Owner group: Select the GitLab role CryptoHub created for the service.

Generate the CA certificates

Perform the following steps to generate a self-signed root CA and an issuing CA:
  1. Right-click the GitLab Code Signing CA X.509 certificate container and select Add Certificate > New Certificate.
  2. Configure the following Subject DN settings:
     • Preset: Select Classic.
     • Common Name: Root
  3. Configure the following Basic Info settings:
     • Change the key Size to 4096.
     • Leave all other fields set to the default values.
  4. Configure the following V3 Extensions settings:
     • Profile: Select Certificate Authority.
  5. Select [ OK ] to generate the certificate.
  6. Right-click the Root certificate and select Add Certificate > New Certificate.
  7. Repeat steps 5–8 to create an Issuing CA certificate under the Root CA certificate.

Issue a code signing certificate for GitLab

Perform the following steps to issue a code signing certificate for GitLab:
  1. Right-click the Issuing CA certificate and select Add Certificate > New Certificate.
  2. Configure the following Subject DN settings:
     • Preset: Classic
     • Common Name: GitLab
  3. Configure the following Basic Info settings:
     • Change the key Size to 4096.
     • Leave all other fields set to the default values.
  4. Configure the following V3 Extensions settings:
     • Profile: Code Signing Certificate
  5. Select [ OK ].
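
A check worth running once the chain exists, shown as an added example that is not part of the Futurex documentation: it confirms that the leaf chains to the Root through the Issuing CA, has a 4096-bit key, is an end-entity certificate, and carries the codeSigning EKU. It assumes the three certificates are available as PEM files; the openssl-built lab chain, its file names, and the extension sets chosen for the two profiles are constructed stand-ins.

```shell
#!/bin/sh
# Added example. The chain below is constructed with openssl as a stand-in
# for PEM copies of the Root, Issuing CA and GitLab certificates.

make_lab_chain() {  # $1 = output directory (hypothetical file layout)
  d=$1; mkdir -p "$d"
  cat > "$d/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_codesign]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
  for n in root issuing gitlab; do
    openssl genrsa -out "$d/$n.key" 4096 2>/dev/null || return 1
  done
  openssl req -x509 -new -key "$d/root.key" -subj "/CN=Root" -days 30 \
    -config "$d/x509.cnf" -extensions v3_ca -out "$d/root.pem" || return 1
  issue issuing "Issuing CA" root v3_ca 2 && issue gitlab "GitLab" issuing v3_codesign 3
}

issue() {  # $1=name $2=common name $3=issuer name $4=extension section $5=serial
  openssl req -new -key "$d/$1.key" -subj "/CN=$2" -config "$d/x509.cnf" \
    -out "$d/$1.csr" &&
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
    -set_serial "$5" -days 30 -extfile "$d/x509.cnf" -extensions "$4" \
    -out "$d/$1.pem" 2>/dev/null
}

check_code_signing_cert() {  # $1=root $2=issuing CA $3=leaf; prints OK or first failure
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 ||
    { echo "chain does not verify"; return 1; }
  text=$(openssl x509 -in "$3" -noout -text) || return 1
  echo "$text" | grep -Fq "Public-Key: (4096 bit)" || { echo "key is not 4096 bits"; return 1; }
  echo "$text" | grep -Fq "CA:FALSE" || { echo "leaf is not an end-entity certificate"; return 1; }
  echo "$text" | grep -Fq "Code Signing" || { echo "codeSigning EKU missing"; return 1; }
  echo OK
}

# Demo on the constructed chain; point the check at real PEM files instead.
lab=$(mktemp -d) && make_lab_chain "$lab" &&
  check_code_signing_cert "$lab/root.pem" "$lab/issuing.pem" "$lab/gitlab.pem"
```

Passing a CA certificate in the leaf position, or omitting the Issuing CA, makes the check fail with the first unmet condition.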

Create a PKI Signing Approval bucket to hold requests

Perform the following steps to create a PKI Signing Approval bucket to hold certificate requests:
  1. Go to PKI and CA > PKI Signing Approvals.
  2. Select [ Add Approval Group ].
  3. Enter a Name for the approval group (e.g., GitLab) and select [ OK ].
  4. Right-click the PKI Signing Approval bucket (i.e., Approval Group) you just created and select Permission.
  5. Select the GitLab role in the dropdown menu, then select [ Add ].
  6. Grant the Use permission to the GitLab role.
  7. Select [ Save ].

Apply an Issuance Policy to the GitLab code signing certificate

Perform the following steps to apply an issuance policy to the GitLab code signing certificate:
  1. Right-click the GitLab code signing certificate and select Issuance Policy > Add.
  2. Configure the following Basic Info settings:
     • Alias: code-signing
     • Approvals: 1
  3. Configure the following X.509 settings:
     • Default approval group: Select the PKI Signing Approval group you just created.
  4. Configure the following Object Signing settings:
     • Allow object signing: Select the checkbox to enable it.
  5. Configure the following Code Signing settings:
     • Allowed Profiles: Select the checkbox next to each code signing profile you want to allow.
  6. Select [ OK ] to save and apply the issuance policy you have configured.