This section describes the following methods for issuing or importing a code-signing certificate on the Vectera Plus:
  1. Issue a code-signing certificate by using a CA on the Vectera Plus.
  2. Import an existing code-signing certificate as a PKCS #12 file onto the Vectera Plus.
Microsoft Signtool can subsequently use the code-signing certificate to sign files by using the private key stored on the Vectera Plus. Select the appropriate method and follow the instructions:

Issue a code-signing certificate

This section uses FXCLI to create a new Certificate Authority (CA) on the Vectera Plus. Later steps in this section use the new CA to issue a code signing certificate.
1. Run the fxcli-hsm program.
2. Connect to the Admin TLS port on the HSM by using the connect tcp command.
   Before connecting, you must configure the TLS certificates in FXCLI by using the tls commands. For additional details, see the FXCLI HSM technical reference on the Futurex Portal.
3. Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):
FXCLI
  login user
4. Run the following command to generate a new key in the next available key slot on the Vectera Plus. Use this key in the next step to create a self-signed CA.
FXCLI
  generate --algo RSA --bits 2048 --usage mak --name SigntoolCaKeyPair --slot next
5. Run the following command to create a CA certificate using the key that was generated on the HSM in the previous step:
FXCLI
  x509 sign --private-slot SigntoolCaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --dn 'O=Futurex\CN=Signtool CA' --out C:\Integration-Testing-Sandbox\SigntoolCa.pem
   The preceding command writes the CA certificate to the location specified in the --out flag.
6. Run the following command to generate a new key in the next available key slot on the Vectera Plus. Use this key in a later step to create a CSR for the code signing certificate.
FXCLI
  generate --algo RSA --bits 2048 --usage mak --name CodeSigningKeyPair --slot next
7. Run the following command to assign the value CodeSigningKeyPair to the PKCS #11 label attribute of the key created in the preceding step:
FXCLI
  keytable extdata --slot 1 --p11-attr label --p11-value "CodeSigningKeyPair"
   The value set in the --slot flag must match the key slot where you created the CodeSigningKeyPair.
8. Run the following command to generate a CSR by using the CodeSigningKeyPair:
FXCLI
  x509 req --private-slot CodeSigningKeyPair --out C:\Integration-Testing-Sandbox\CodeSigning.csr
9. Run the following command to issue a code signing certificate using the CA certificate created in step 5:
FXCLI
  x509 sign --private-slot SigntoolCaKeyPair --issuer C:\Integration-Testing-Sandbox\SigntoolCa.pem --key-usage DigitalSignature --key-usage NonRepudiation --eku CodeSigning --ca false --dn 'O=Futurex\CN=Code Signing' --csr C:\Integration-Testing-Sandbox\CodeSigning.csr --out C:\Integration-Testing-Sandbox\CodeSigning.pem
   You must move the code signing certificate and the CA certificate to the computer where you use Microsoft Signtool.

Import an existing certificate

This section uses FXCLI to import an existing code-signing certificate in PKCS #12 format onto the Vectera Plus.
The code signing certificate PKCS #12 file must contain only the code signing certificate and its associated private key. Do not include CA certificates in the file.
1. Run the fxcli-hsm program.
2. Connect to the Admin TLS port on the HSM by using the connect tcp command.
   Before connecting, you must configure the TLS certificates in FXCLI by using the tls commands. For additional details, see the FXCLI HSM technical reference on the Futurex Portal.
3. Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):
FXCLI
  login user
4. Run the following command to import the private key of an existing code-signing certificate that is in PKCS #12 format:
   The code-signing certificate passed into this command must be in PKCS #12 format because that format carries the certificate's private key in the file, encrypted under a password.
FXCLI
  pkcs12 import --file C:\Integration-Testing-Sandbox\code_signing_cert.p12 --password safest --slot next --label ImportedCodeSigningKeyPair --win-system-dacl
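As an added check (example script, not part of the Futurex documentation or of FXCLI), the following PowerShell, run on the Signtool machine, verifies that the certificate issued in step 9 carries the requested extensions and chains to SigntoolCa.pem, and that a PKCS #12 file meets the import requirement stated above (exactly one certificate with its private key, no CA certificates). It assumes the file paths used on this page and .NET Framework 4.7.2 or later for the EphemeralKeySet flag.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example, not Futurex or FXCLI code. Paths follow the procedure above; adjust for your environment.
$CodeSigningPem = 'C:\Integration-Testing-Sandbox\CodeSigning.pem'
$SigntoolCaPem  = 'C:\Integration-Testing-Sandbox\SigntoolCa.pem'
$Pkcs12File     = 'C:\Integration-Testing-Sandbox\code_signing_cert.p12'
function Get-Ext([X509Certificate2]$Cert, [type]$Type) {
    return $Cert.Extensions | Where-Object { $_ -is $Type } | Select-Object -First 1
}
# Checks the certificate issued in step 9 against the attributes that step requested.
function Test-IssuedCodeSigningCert([string]$LeafPath, [string]$IssuerPath) {
    $leaf = [X509Certificate2]::new($LeafPath)
    $ca   = [X509Certificate2]::new($IssuerPath)
    $problems = @()
    # --eku CodeSigning: Signtool requires OID 1.3.6.1.5.5.7.3.3 on the leaf.
    $eku = Get-Ext $leaf ([X509EnhancedKeyUsageExtension])
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.3') { $problems += 'missing Code Signing EKU' }
    # --key-usage DigitalSignature (step 9 also sets NonRepudiation).
    $ku = Get-Ext $leaf ([X509KeyUsageExtension])
    if (-not $ku -or ($ku.KeyUsages -band [X509KeyUsageFlags]::DigitalSignature) -eq 0) { $problems += 'missing DigitalSignature key usage' }
    # --ca false: a signing certificate must not itself be a CA.
    $bc = Get-Ext $leaf ([X509BasicConstraintsExtension])
    if ($bc -and $bc.CertificateAuthority) { $problems += 'leaf is marked as a CA' }
    # Chain to SigntoolCa.pem specifically, not to whatever roots the machine happens to trust.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.ChainPolicy.ExtraStore.Add($ca)
    $built = $chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not $built -or $top.Thumbprint -ne $ca.Thumbprint) { $problems += 'does not chain to SigntoolCa.pem' }
    return $problems
}
# Checks the PKCS #12 file against the import requirement: one certificate with its private key,
# no CA certificates. EphemeralKeySet keeps the key in memory instead of the Windows key store.
function Test-Pkcs12ForImport([string]$Path, [string]$Password) {
    $coll = [X509Certificate2Collection]::new()
    $coll.Import($Path, $Password, [X509KeyStorageFlags]::EphemeralKeySet)
    $problems = @()
    if ($coll.Count -ne 1) { $problems += "expected 1 certificate, found $($coll.Count)" }
    foreach ($c in $coll) {
        $bc = Get-Ext $c ([X509BasicConstraintsExtension])
        if ($bc -and $bc.CertificateAuthority) { $problems += "CA certificate present: $($c.Subject)" }
        elseif (-not $c.HasPrivateKey) { $problems += "no private key for $($c.Subject)" }
    }
    return $problems
}
Test-IssuedCodeSigningCert $CodeSigningPem $SigntoolCaPem   # no output means every check passed
Test-Pkcs12ForImport $Pkcs12File (Read-Host 'PKCS #12 password')
```

Each function returns a list of findings, so an empty result means the file is ready to move to the Signtool machine or to import with pkcs12 import.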