Configuring the PKCS#11 driver
- Set the Trust Protection Platform authentication and virtual HSM URLs
- Establish trust with the Trust Protection Platform server
- Obtain a grant enabling client access to the virtual HSM
- List Trust Protection Platform-protected code signing certificates that are available for you to use
Prerequisites
-
Trust Protection Platform is already installed and CodeSign Protect is licensed. You have the URL to your Trust Protection Platform server. The following service modules are enabled:
- Certificate Lifecycle and Monitoring
- Key Lifecycle and Monitoring
- HSM Backend
- Authentication Server
- Web Console
- Web SDK
- A CodeSign Protect Project is configured with at least one Certificate & Key Environment, and the person or group using the private keys have Key User permission.
- The CodeSign Protect client is installed on the code signing workstation.
NOTE All of the
On Windows, the configuration is stored in the registry. For Linux and macOS, the configuration is stored in the ~/.venafipkcs11config file, and trust is stored in the ~/.libhsmtrust file.
The paths to the pkcs11config utility are:
- Linux: /usr/local/bin
- macOS: /usr/local/bin
- Windows: c:\Program Files\Venafi CodeSign Protect
Steps
TIP The next three examples (setting the URLs, establishing trust, and getting a grant) provide examples of several pkcs11config commands to help familiarize you with the usage. Each of the next three examples, however, can be completed using just the following command:
$ pkcs11config getgrant --authurl=https://TPP_SERVER_URL/vedauth --hsmurl=https://TPP_SERVER_URL/vedhsm \
--username=sample-user --password=Passw0rd --force
Set the authentication server and virtual HSM server URLs
$ pkcs11config seturl --authurl=https://TPP_SERVER_URL/vedauth --hsmurl=https://TPP_SERVER_URL/vedhsm
INFO: HSM Url: https://TPP_SERVER_URL/vedhsm/
INFO: Authentication Url: https://TPP_SERVER_URL/vedauth/
If you don't specify the URLs on the command line, you will be prompted for them.
NOTE To set the URLs at the machine level rather than at the user level, add the machine option.
pkcs11config seturl --machine --authurl=https://TPP_SERVER_URL/vedauth --hsmurl=https://TPP_SERVER_URL/vedhsm
Using the machine option stores the URLs in /etc/venafi/libhsm.conf. To use the machine option, you must have root rights on Linux and admin rights on Windows.
You can verify the URLs using the following:
$ pkcs11config option --show
User configuration holds 2 values:
HSM SERVER URL = https://TPP_SERVER_URL/vedhsm/
AUTH SERVER URL = https://TPP_SERVER_URL/vedauth/
Establish trust with the Trust Protection Platform server
Establish trust by adding the server TLS certificate(s) to the local trust store. Having the certificates in the local trust store provides protection against man-in-the-middle attacks and ensures the library is only communicating with trusted backends.
$ pkcs11config trust --hsmurl=https://TPP_SERVER_URL/vedhsm
INFO: Requesting certificates from https://TPP_SERVER_URL/vedhsm.
Server presented 2 certificates:
Certificate 1:
Subject: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Issuer : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Serial : 01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91
Certificate has CA constraint
Certificate 2:
Subject: C=US, ST=Utah, L=Salt Lake City, O=Venafi, Inc., OU=Engineering, CN=CodeSignDev.vfidev.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Serial : 0D:49:B8:FB:FC:47:43:2D:F3:82:6C:47:EA:2A:9A:85
Add these certificates to the user store? (y/N) :
The presented certificates will be displayed, and you will be prompted whether you want to add the certificates to the logged-in user's store. Answer y only after ensuring the certificates match the Trust Protection Platform backend certificates. The certificates are stored in ~/.libhsmtrust.
NOTE To establish trust at the machine level rather than at the user level, add the machine option.
pkcs11config trust --machine --hsmurl=https://TPP_SERVER_URL/vedhsm
Using the machine options stores the certificates in /etc/venafi/trust. To use the machine option, you must have root rights on Linux and admin rights on Windows.
You can verify your trust settings using the pkcs11config trust -show command:
$ pkcs11config trust --show
User store certificates (/root/.libhsmtrust):
Certificate 1:
Subject: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Issuer : C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Serial : 01:FD:A3:EB:6E:CA:75:C8:88:43:8B:72:4B:CF:BC:91
Certificate has CA constraint
Certificate 2:
Subject: C=US, ST=Utah, L=Salt Lake City, O=Venafi, Inc., OU=Engineering, CN=CodeSignDev.vfidev.com
Issuer : C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
Serial : 0D:49:B8:FB:FC:47:43:2D:F3:82:6C:47:EA:2A:9A:85
Get grant
$ pkcs11config getgrant --username=sample-user --password=Passw0rd
INFO: Requesting a new grant.
INFO: Valid grant and refresh token available. Grant expires Wed Feb 12 01:14:43 2020, 90 days from now
SUCCESS: Grant is valid.
SUCCESS: New grant obtained.
This command queries the authentication server, and if the user credentials are valid, returns a grant.
You can verify the validity of a grant using the checkgrant option:
$ pkcs11config checkgrant
INFO: Authentication Url: https://TPP_SERVER_URL/vedauth/
INFO: HSM Url: https://TPP_SERVER_URL/vedhsm/
INFO: Valid grant and refresh token found. Grant expires Sun Feb 9 22:11:34 2020, 89 days from now
SUCCESS: Grant is valid.
List available code signing keys and certificates
To verify that your pkcs11 library is ready for use, you can list the available code signing certificates and public keys.
$ pkcs11config listobjects
Public Key 1:
Label: Sample-Production-Environment
Key-Type: RSA (4096 bits)
ID: 53616D706C652D50726F64756374696F6E2D456E7669726F6E6D656E74
Environment: Certificate
Public Key 2:
Label: Sample-Development-Environment
Key-Type: RSA (2048 bits)
ID: 53616D706C652D446576656C6F706D656E742D456E7669726F6E6D656E74
Environment: Certificate
Certificate 1:
Label: Sample-Production-Environment
Subject: C=US, ST=Utah, L=Salt Lake City, O=Sample, Inc., CN=Sample, Inc.
ID: 53616D706C652D50726F64756374696F6E2D456E7669726F6E6D656E74
Certificate 2:
Label: Sample-Development-Environment
Subject: C=US, ST=Utah, L=Salt Lake City, O=Sample Code Signers Are Us, LLC, CN=Sample Code Signers Are Us, LLC
ID: 53616D706C652D446576656C6F706D656E742D456E7669726F6E6D656E74
This command queries the HSM backend Trust Protection Platform server and returns a list of code signing certificates that are available to the logged-in user.