Introduction

The Entrust nShield Hardware Security Module (HSM) integrates with Microsoft Authenticode to enable you to identify the publisher of a software component before it is downloaded from the Internet, and to verify that no one has altered the code after it has been signed. Authenticode relies on proven cryptographic techniques and the use of one or more private keys to sign and time-stamp the published software. It is important to maintain the confidentiality of these keys.

The benefits of using an HSM with Microsoft Authenticode include:

  • Protection for the organizational credentials of the software publisher.

  • Secure storage of the private key.

  • FIPS 140 Level 3 validated hardware.

  • Provision of a trusted time-stamp to Authenticode.

Product configurations

Entrust has successfully tested nShield HSM integration with Microsoft Authenticode in the following configurations:

Product                   Version
Base OS                   Windows Server 2019 Datacenter
Microsoft .NET Framework  4.8
Windows SDK               10.1

Supported nShield features

Entrust has successfully tested nShield HSM integration with the following features:

Feature                  Support
Operator Card Set (OCS)  Yes
Softcard Protection      Yes
Module                   Yes
nSaaS                    Yes
FIPS 140 level 3         Yes

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

Product     Security World Software  Firmware                         Image    OCS  Softcard  Module
Connect XC  12.80.4                  12.50.11 (FIPS 140-2 certified)  12.80.4
Connect XC  12.80.4                  12.72.1 (FIPS 140-2 certified)   12.80.5
nShield 5c  13.2.2                   13.2.2                           13.2.2

Requirements

Entrust recommends that you familiarize yourself with the Microsoft Authenticode documentation and setup process, and have the nShield documentation available.

Entrust also recommends that the following aspects of HSM administration be taken into account:

  • The Administration Card Set (ACS) K-of-N and management of the card set.

  • The type of protection for the application keys, that is, module protection or Operator Card Set (OCS) protection.

  • The Operator Card Set K-of-N and management of the card set.

  • Any requirement for a FIPS 140 Level 3 Security World.

  • Key attributes, such as the key size, persistence, and time-out.

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

This document

This document explains how to set up and configure Microsoft Authenticode with an HSM. The instructions in this document have been tested and provide an integration process. There may be other untested ways to achieve interoperability.

This document may not cover every step in the process of setting up all the software. Entrust assumes you have read the HSM documentation and that you are familiar with the documentation and setup process for Microsoft Authenticode. For more information about installing Microsoft Authenticode, refer to the Microsoft documentation.

More information

For more information about OS support, contact your Microsoft sales representative or Entrust nShield Support, https://nshieldsupport.entrust.com.