Recommendation for certificate and hardware

Time flows, and my file-based certificate is about to expire soon. Can you give some recommendations for a certificate provider and hardware that can be used with Signotaur in a VM on an ESX server?

Also, I am switching to Proxmox in the near future combined with a hardware change. So it should work with that, too.

Hi Uwe

I can’t give any real advice on ESX; however, I have read that it supports USB passthrough, which is what you need to expose the USB token to a VM.

I have used SafeNet 5110+ FIPS and YubiKey 5 tokens with Proxmox. Configuring USB passthrough with Proxmox is trivial and, from memory, it just worked.

What token hardware you get depends on where you buy your certificate from.

ssl.com typically uses YubiKeys. If you go with them, buy the YubiKey yourself (much cheaper; they charge more than double the retail cost). I prefer the YubiKey 5 Nano as it’s inconspicuous when plugged into a server. Make sure you get one with the latest *firmware (5.7+), as that supports 4096-bit RSA keys (still undergoing FIPS approval, but thinking of the future). Older firmware versions only support 2048-bit RSA keys, which is not sufficient for code signing, so ssl.com typically issues ECDSA certificates. These work fine but do not support ClickOnce or NuGet signing, which only allow RSA certs. I do not know if ssl.com is issuing RSA-based certificates on YubiKeys yet; it might be worth enquiring.

ssl.com also allows you to install the certificate on multiple keys. I installed it on 3 devices. You have to go through the attestation process for each token, which was reasonably easy (given their awful web interface). This gives you a hardware backup you can store safely.

DigiCert and its resellers typically provide SafeNet 5110+ FIPS tokens. These are almost the industry standard now (because of DigiCert’s market dominance). Whilst these tokens are very common and work very well, my biggest gripe is the incredibly bright blue LED that screams “take me” when plugged into a server. For this reason ours is actually plugged into a machine in my home and we use https://www.virtualhere.com/ to connect to it from our servers in the data center (over VPN, of course).

We got our SafeNet token from gogetssl, cheaper than DigiCert.

Note that if you buy your own token, you need to be aware of which tokens the CA will support (check with them).

Edit: * FYI, token firmware cannot be updated; you get what you get when you buy the token!

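The two practical points in the reply above (passing the USB token into a Proxmox VM, and checking the YubiKey firmware before relying on RSA keys larger than 2048 bits) as an added shell example. This is not code from the thread, from Signotaur, Proxmox or Yubico; it assumes the standard `lsusb` line format, the Proxmox `qm set <vmid> --usbN host=VENDOR:PRODUCT` syntax, and the `Firmware version:` line printed by `ykman info`. Vendor ID `1050` is Yubico; `0529` (Aladdin/SafeNet) for the eToken 5110+ is an assumption to confirm on your own host. The `lsusb` and `ykman` sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the forum post. Finds a hardware token in lsusb
# output, prints the Proxmox passthrough command for it, and checks whether a
# YubiKey's firmware is 5.7 or later (RSA 3072/4096 in the PIV applet).

# Vendor IDs to look for. 1050 = Yubico (certain).
# 0529 = Aladdin Knowledge Systems / SafeNet eToken: ASSUMED, verify with lsusb.
TOKEN_VENDORS="1050 0529"

# token_ids: read lsusb lines on stdin, print "vvvv:pppp" for every line
# whose vendor ID is in TOKEN_VENDORS. Returns 1 if no token was seen.
token_ids() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *" ID "*) ;;
            *) continue ;;
        esac
        usbid=${line#*" ID "}       # drop everything up to and including " ID "
        usbid=${usbid%% *}          # keep the "vendor:product" field only
        vendor=${usbid%%:*}
        for v in $TOKEN_VENDORS; do
            if [ "$vendor" = "$v" ]; then
                printf '%s\n' "$usbid"
                found=0
            fi
        done
    done
    return $found
}

# passthrough_cmd VMID VENDOR:PRODUCT [INDEX]: print the qm command that adds
# the device as usb<INDEX> of the VM. Matching on vendor:product instead of
# bus/port keeps working when the token is moved to another port or the host
# reboots and renumbers its buses.
passthrough_cmd() {
    vmid=$1
    usbid=$2
    idx=${3:-0}
    printf 'qm set %s --usb%s host=%s\n' "$vmid" "$idx" "$usbid"
}

# rsa4096_ok: read `ykman info` output on stdin; exit 0 if the firmware is
# 5.7 or later, 1 if older, 2 if no firmware line was found. Firmware cannot
# be upgraded, so run this before buying/enrolling a key for RSA certs.
rsa4096_ok() {
    ver=$(sed -n 's/^Firmware version: *//p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 7 ]; }
}

# Constructed sample input (not captured from a real host).
SAMPLE_LSUSB='Bus 001 Device 002: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 1050:0407 Yubico.com Yubikey 4/5 OTP+U2F+CCID'
SAMPLE_YKMAN='Device type: YubiKey 5 Nano
Firmware version: 5.4.3
Form factor: Nano (USB-A)'

# Stand-alone demonstration: emit the passthrough command for VM 100
# (hypothetical VMID) and report on the sample firmware.
printf '%s\n' "$SAMPLE_LSUSB" | token_ids | while IFS= read -r usbid; do
    passthrough_cmd 100 "$usbid"
done
if printf '%s\n' "$SAMPLE_YKMAN" | rsa4096_ok; then
    echo "firmware 5.7+: RSA 3072/4096 available"
else
    echo "firmware older than 5.7: RSA limited to 2048, expect an ECDSA cert"
fi
```

Run the real thing on the Proxmox host as `lsusb | token_ids` and feed each ID to `passthrough_cmd` with your VMID; inside the guest, `ykman info | rsa4096_ok` tells you whether the key you were shipped can hold the larger RSA key at all.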

Thanks a lot for your help, Vincent.

Finally I managed to get my YubiKey certificate working on ESXi, although I had to tweak its configuration in places I would rather avoid. I hope getting the spare key ready will turn out a bit smoother.

BTW, I tried to get the 5.7 firmware for the YubiKey, but for FIPS keys (which are required for SSL.COM) it is still being validated, so they shipped with 5.4. I don’t mind as long as it works.