PKI Proxy and Code Signing Best Practices
PKI Proxy allows you to remotely sign code, documents, and drivers with your own keys via a secure API. PKI Proxy acts as an intermediary between the signing application and the certificate store; it does not issue, maintain, or export certificates. PKI Proxy is designed to be secure, but meeting the best-practice recommendations in the PKI Consortium's "Code Signing Whitepaper" is primarily the responsibility of the customer. The table below maps each recommendation to what PKI Proxy does and what remains the customer's responsibility.
| Recommendation | Comments |
|---|---|
| Minimize access to private keys | Access to keys via PKI Proxy is governed by an allowlist that is maintained by the customer. PKI Proxy accesses the shared private keys only when necessary and never exports the keys, in plain or encrypted form. |
| Protect private keys with cryptographic hardware products | PKI Proxy can access certificate stores, USB tokens, or HSMs. It is up to the customer to select their preferred technology with this recommendation and current certificate requirements in mind. |
| Time-stamp code | Time stamps are controlled by the code-signing application; PKI Proxy is agnostic of this operation. |
| Understand the difference between test-signing and release-signing | PKI Proxy enables administrators to establish hard boundaries between test and release certificates, whether by hosting the certificates on different systems or by using dedicated user credentials for each. |
| Authenticate code to be signed | The end user determines what is being signed. PKI Proxy does log evidence of all signing operations for incident-response purposes. |
| Virus scan code before signing | This is entirely up to the customer. Note that these recommendations were released in 2016 and other types of malicious code injection have emerged since then. We recommend using a code-scanning tool with coverage for more than viruses. |
| Do not over-use any one key | PKI Proxy lets the user expose any number of certificates to any number of configured KeyId/KeySecret pairs. Customers should decide whether to delineate logins and certificates by developer, by environment, or by a combination of factors. |
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.