CodeSafe 5 FAQ

Signing keys

What signing keys do I need for CodeSafe 5 application development?

Development requires the generation of the following keys:

  • A Developer ID key, which identifies your company or organization.

  • One Application Signing Key (ASK) for each application you intend to develop.

These keys should be kept in a Security World on an nShield HSM.

Can I use my existing CodeSafe signing key?

An existing seeinteg key can be used as an Application Signing Key if it is an ECDSA key using the NIST P521 curve. If not, a new ASK must be generated.

However, the csadmin image signextra command allows an existing seeinteg key to add additional signatures to a CodeSafe 5 application, which will permit that application to use existing working keys which are bound to that seeinteg key.

We strongly recommend that the Developer ID key be a newly-created Security World key, that has not been used to create signatures for other purposes. This must also be an ECDSA key using the NIST P521 curve.

Can I use separate Security Worlds?

Yes. The Developer ID Key and the ASK do not need to share a Security World, and neither needs to be the same world deployed on the HSM which is running the application itself. All the signatures and the information required to verify them are contained within the .cs5 application file itself.

Developer ID keys and Certificates

What is a Developer ID certificate, and how do I get one?

A Developer ID certificate is issued by Entrust nShield Technical Support to certify a Developer ID key as belonging to a particular organization.

The csadmin ids create command can create a new Developer ID key within a Security World, then generate a CSR (Certificate Signing Request) file. You should then contact Technical Support and upload the CSR file.

Entrust will then send a signed Developer ID certificate (another short text file), which is needed during application development and deployment. The certificate does not contain secret data; it identifies your organization. Note that we do not normally accept CSRs which include Personally Identifiable Information (PII).

Do Developer ID certificates need to be renewed?

Yes. Developer ID certificates issued by Entrust have a validity period of 3 years from date of issue, and will need to be renewed before this period expires.

This expiry period is to provide protection for the whole CodeSafe 5 ecosystem in the event that a Developer ID key is misused, and to allow organizations to exercise control over the lifespan of their keys and CodeSafe 5 applications.

What happens when a Developer ID certificate expires?

The Developer ID certificate’s validity is checked by the HSM when a CodeSafe 5 machine is loaded (using csadmin create), and when it is started (using csadmin start, or if auto-start is enabled). It is not checked at other times, so:

  • A CodeSafe 5 machine that is running will continue to run; it is not forcibly stopped when the certificate expires.

  • The machine itself is not deleted, and any data in its nonvolatile storage is preserved.

  • Once stopped (either manually or through an HSM reboot), it cannot be restarted until a replacement certificate has been uploaded.

If the Developer ID key itself is not changed, there is no need to re-sign the CodeSafe machine image or re-load its .cs5 file. The replacement certificate will identify the same signing key and developer identity, just with a later expiry date.

Loading an updated Developer ID certificate is done via the csadmin ids add command. This can be done at any time (including while the machine is running). The HSM allows multiple certificates for the same Developer ID key in its database, and will accept whichever certificate is currently valid.

The expected usage is that, at any time before the expiry of the current Developer ID certificate, you run csadmin ids create to create a new CSR for the existing key, and obtain a new certificate from Entrust Support. This can be uploaded at a convenient time, and when this is done the old certificate can be removed. There is no system downtime required to complete this process.
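The expiry and renewal rules above (the certificate is checked only at create and start, a running machine is left alone, any currently valid certificate for the key is accepted, and a replacement can be added while the machine runs) as a small Python model. This is an added illustration, not Entrust's HSM or csadmin code; the key name devid-key-1, the timestamps and the DevIdCert/HsmModel classes are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed model of the Developer ID certificate rules in this FAQ; an
# illustration only, not Entrust's implementation of the HSM or csadmin.
@dataclass(frozen=True)
class DevIdCert:
    key_id: str          # Developer ID key the certificate identifies
    not_after: datetime  # expiry (3 years from issue for Entrust-issued certs)

@dataclass
class HsmModel:
    certs: set = field(default_factory=set)       # HSM certificate database
    machines: dict = field(default_factory=dict)  # name -> [state, key_id]

    def ids_add(self, cert):  # csadmin ids add: allowed while machines run
        self.certs.add(cert)
    def has_valid_cert(self, key_id, now):
        # whichever certificate for this key is currently valid is accepted
        return any(c.key_id == key_id and now < c.not_after for c in self.certs)
    def create(self, name, key_id, now):  # csadmin create: certificate checked
        if not self.has_valid_cert(key_id, now):
            raise PermissionError(f"no valid Developer ID certificate for {key_id}")
        self.machines[name] = ["loaded", key_id]
    def start(self, name, now):  # csadmin start / auto-start: checked again
        if not self.has_valid_cert(self.machines[name][1], now):
            raise PermissionError(f"cannot start {name}: certificate expired")
        self.machines[name][0] = "running"
    def stop(self, name):  # manual stop or HSM reboot: no check, data kept
        self.machines[name][0] = "loaded"

def renewal_scenario():
    # Walk the expiry and renewal timeline; returns the states observed.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old = DevIdCert("devid-key-1", t0 + timedelta(days=3 * 365))
    hsm = HsmModel()
    hsm.ids_add(old)
    hsm.create("app", "devid-key-1", t0)
    hsm.start("app", t0)
    after = old.not_after + timedelta(days=1)
    seen = [hsm.machines["app"][0]]  # still "running" past expiry: no forced stop
    hsm.stop("app")
    try:
        hsm.start("app", after)
    except PermissionError:
        seen.append("start refused")
    # renewed certificate for the same key: no re-signing or re-loading needed
    hsm.ids_add(DevIdCert("devid-key-1", after + timedelta(days=3 * 365)))
    hsm.certs.discard(old)  # old certificate can now be removed
    hsm.start("app", after)
    seen.append(hsm.machines["app"][0])
    return seen
```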

Why might I not renew a Developer ID certificate?

You may wish to allow a Developer ID certificate to expire if:

  • You suspect that the Developer ID key could have been misused, for instance to sign an ASK which is not under your control.

  • You have improved the security (e.g. process or physical security) around handling of such keys, and wish to use a new key which uses these arrangements.

  • You wish to ensure old versions of your CodeSafe 5 applications can no longer be run.