Creating CodeSign Protect Projects

At any point during project creation, you can click Save. When you return to work on your project, it will appear in the project list in the Draft state. When you submit the project for approval, the Code Signing Administrator receives notification that the project is ready to be reviewed.

1. Log into CodeSign Protect by going to https://[tpp-server]/Aperture/codesign.

2. In the menu bar, click Projects.

   If there are already projects configured, you'll see the list of projects. If not, you'll see a welcome screen.

3. Click either Get Started on the welcome screen or Add Project on the project list screen to start creating a new project.

4. In the Create New Project modal, enter a Project Name and Description for this project.

5. Click Create. The Project screen opens and is ready to be completed.

6. Complete the project details using the instructions below.

   Properties Tab

   This tab displays information about the Project, allows you to add users to specific roles, and allows you to limit code signing applications that are permitted to use this Project.

   Properties

   This section displays the Project Name and Description that you entered in the previous step. You can edit the Description here, but not the Project Name.

   Users & Approvers

   For each role, enter the users or groups responsible for fulfilling that role.

   Role	Responsibility summary
   Owner	Requests code signing projects, and once the project is approved, maintains the project. During project creation, this field is pre-populated with the person requesting the project.
   Key User	Uses the private keys managed by Trust Protection Platform to sign code. The Code Signing Administrator has the option disallow project key users from having any other roles in the project.
   Auditor	Currently, can only view project settings.
   Key Use Approver	When configured in Flow, approves or denies use of private code signing keys.

   Permitted Applications

   (Optional) If you want to restrict what signing applications are allowed to use this project, enter them in the Permitted Applications field. If you leave this field blank, all signing applications will be permitted.

   Environments Tab

   NOTE  As you proceed through these steps, note that some of the fields may be pre-selected and not editable. This is based on Environment Template settings that your Code Signing Administrator has established.

   From the Add Environment drop-down, select the type of Environment you want to add to this Project. Environment-specific instructions are included in the sections below.

   Certificate and Key Environment

   1. Enter an Environment Name.

   2. Select an Environment Template. If you are unsure which template to select, contact your Code Signing Administrator.

   3. In the IP Restrictions field, enter the allowed IP addresses or IP address ranges that are allowed to use the keys associated with this Environment. This field accepts IP addresses and CIDR notation. Each entry will appear in its own pill box.

      NOTE  The TCP stack will prefer IPv6 over IPv4. If IPv6 is working on the network, IPv6 addresses will need to be entered.

   4. In the Time Constraint Window box, select one or more time constraints that you want to apply to this environment.

      What are time constraints?

      Time constraints allow Project Owners to restrict use of environments to certain times of the day, days of the week, days of the month, or any combination of these.

      Time constraints are configured by Code Signing Administrators. If there aren't any to select, that means your administrator hasn't configured any.

      NOTE  If you apply more than one time constraint, only one of them must be met in order for the environment to be used.

   Select whether you are creating a new key or importing an existing key, and follow the applicable instructions below.

   Create New Key

   1. Click the Create New radio button.

   2. Complete the remaining fields using the following guidelines.

      Field	Guidelines
      Key Storage Location	Select where the key should be stored once generated. Selecting Software stores the key in the Trust Protection Platform Secret Store. Other options, such as HSMs, may be available based on key storage locations configured by your Code Signing Administrator.
      Include Certificate Chain checkbox	Select this checkbox if you want the certificate's chain pushed down from Trust Protection Platform to the workstations that use this environment. DID YOU KNOW?   Many signing applications will either report an error or report that the certificate isn't available if it doesn't trust the entire chain.
      Certificate Provider	The Certificate Authority (CA) that should be used for this Environment.
      Key Algorithm	Select the encryption algorithm to use for the keys associated with this Environment. This becomes the Algorithm and Key Length that appear on the certificate.
      Common Name	Most CAs use the Organization (O) name as the common name. You can leave this blank unless your CA allows you to specify your own Common Name. For per-user environments, only macros are allowed to avoid duplicate certificates.
      Organization	The Organization (O) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Organizational Unit	The Organizational Unit (OU) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      SAN Email	The email address that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      City	The city name that appears as part of the Subject DN of the certificate. This field is also known as the locale.
      State	The state (ST) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Country	The two character country code that appears as part of the Subject DN of the certificate. For a list of valid country codes see Country codes.

   3. Click Create.

   Use Existing Key in HSM

   NOTE  This option requires an Environment Template that has a connection the HSM that contains the key. Also, only Code Signing Administrators and Master Admins have rights to create environments that use existing HSM keys.

   1. Select Use Existing Key in HSM.
   2. In the Key Storage Location drop-down, select the HSM that contains the key you want to use in this Environment.

   3. In the HSM Settings section, choose whether you want to import a certificate PEM file or manually enter your certificate information. If you are manually entering your certificate information, use the descriptions below to complete the fields.

      Field descriptions

      Field	Guidelines
      Include Certificate Chain	Select this checkbox if you want the certificate's chain pushed down from Trust Protection Platform to the workstations that use this environment. DID YOU KNOW?   Many signing applications will either report an error or report that the certificate isn't available if it doesn't trust the entire chain.
      Certificate Provider	Select the CA to use for this template.
      Common Name	Most CAs use the Organization (O) name as the common name. You can leave this blank unless your CA allows you to specify your own Common Name. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Organization	The Organization (O) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Organizational Unit	The Organizational Unit (OU) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      SAN Email	The email address that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      City	The city name that appears as part of the Subject DN of the certificate. This field is also known as the locale.
      State	The state (ST) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Country	The two character country code that appears as part of the Subject DN of the certificate. For a list of valid country codes see Country codes.

   4. From the Private HSM Key drop-down, select the private key to associate with this Environment. This list is populated from the HSM.

   5. From the Public HSM Key drop-down, select the public key to associate with this Environment. This list is populated after you select the private key.
   6. Click Save.

   Import Key from PKCS#12/PFX

   NOTE  The Key Storage Location for imported keys will be Software. Importing existing keys to an HSM is not supported.

   1. Select Import Key from PKCS#12/PFX.
   2. Upload your PKCS#12 or PFX file.
   3. Click Save. The Environment is automatically created and added to the Project.

   Key Pair Environment

   1. Enter an Environment Name.

   2. Select an Environment Template. If you are unsure which template to select, contact your Code Signing Administrator.

   3. In the IP Restrictions field, enter the allowed IP addresses or IP address ranges that are allowed to use the keys associated with this Environment. This field accepts IP addresses and CIDR notation. Each entry will appear in its own pill box.

      NOTE  The TCP stack will prefer IPv6 over IPv4. If IPv6 is working on the network, IPv6 addresses will need to be entered.

   4. In the Time Constraint Window box, select one or more time constraints that you want to apply to this environment.

      What are time constraints?

      Time constraints allow Project Owners to restrict use of environments to certain times of the day, days of the week, days of the month, or any combination of these.

      Time constraints are configured by Code Signing Administrators. If there aren't any to select, that means your administrator hasn't configured any.

      NOTE  If you apply more than one time constraint, only one of them must be met in order for the environment to be used.

   If you are creating a per-user environment, you won't see the options to create a new key or import existing keys. For per-user environments, you can save the environment, and then keys can be uploaded from individual workstations using the storekey option on the CSPconfig.exe, pkcs11config, tkdriverconfig, or gpgconfig utilities.

   Create New Key

   1. Click the Create New radio button.

   2. Complete the remaining fields using the following guidelines.

      Field	Guidelines
      Signing Flow	Specify the Flow associated with this environment. Click the drop-down list, and then search for the Flow you want to add.
      Keys expire in	Set the number of days allowed before the keys expire. Leaving this at 0 gives the keys no expiration.
      Signing Key Algorithm	Select the encryption algorithm to use for the keys associated with this Environment. This becomes the Algorithm and Key Length that appear on the certificate.
      Key Storage Location	Select where the key should be stored once generated. Selecting Software stores the key in the Trust Protection Platform Secret Store. Other options, such as HSMs, may be available based on key storage locations configured by your Code Signing Administrator.

   3. Click Create.

   Import Keys

   NOTE  The Key Storage Location for imported keys will be Software. Importing existing keys to an HSM is not supported.

   1. Select Import Keys.

   2. Complete the remaining fields using the following guidelines.

      Field	Guidelines
      Signing Flow	Specify the Flow associated with this environment. Click the drop-down list, and then search for the Flow you want to add.
      Keys expire in	Set the number of days allowed before the keys expire. Leaving this at 0 gives the keys no expiration.

   3. Upload your key file in the Signing Key File Upload space.
   4. Click Save. The Environment is automatically created and added to the Project.

   GPG Environment

   1. Enter an Environment Name.

   2. Select an Environment Template. If you are unsure which template to select, contact your Code Signing Administrator.

   3. In the IP Restrictions field, enter the allowed IP addresses or IP address ranges that are allowed to use the keys associated with this Environment. This field accepts IP addresses and CIDR notation. Each entry will appear in its own pill box.

      NOTE  The TCP stack will prefer IPv6 over IPv4. If IPv6 is working on the network, IPv6 addresses will need to be entered.

   4. In the Time Constraint Window box, select one or more time constraints that you want to apply to this environment.

      What are time constraints?

      Time constraints allow Project Owners to restrict use of environments to certain times of the day, days of the week, days of the month, or any combination of these.

      Time constraints are configured by Code Signing Administrators. If there aren't any to select, that means your administrator hasn't configured any.

      NOTE  If you apply more than one time constraint, only one of them must be met in order for the environment to be used.

   Create New

   Complete the fields using the following guidelines:

   Field	Guidelines
   Key Storage Location	Select the location where the GPG keys should be stored. Selecting Software stores the keys in the Trust Protection Platform secret store. Other options, such as HSMs, may be available based on key storage locations configured by your Code Signing Administrator.
   Real Name	Real name of the person using the GPG key. Together with the E-mail address, this becomes part of the user ID (UID). The user ID is used to associate the key with a real person and is used to identify the key when signing. For per-user Environments, this field supports macros.
   Email Address	E-mail address of the person using the GPG key. Together with the Real Name, this becomes part of the user ID (UID). The user ID is used to associate the key with a real person and is used to identify the key when signing. For per-user Environments, this field support macros.
   Key Expires In	Number of days until the key expires. A value of zero (0) means the key will not expire.
   Signing Key Algorithm	Select the encryption algorithm for the GPG signing key.
   Encryption Key	Select the encryption algorithm for the GPG encryption key.
   Authentication Key	Select the encryption algorithm for the GPG authentication key.

   Click Save.

   Import Keys

   NOTE  These steps outline what you need to do to add an existing key to a single key GPG environment, such as for signing RPM packages. To import user-based GPG keys, follow the steps in Create New above, and then refer to Configuring GPG clients with per user Environments.

   Step 1: Prepare GPG Key for Import

   GPG keys must be prepared for import in order to complete this procedure. Follow these steps to prepare your key:

   1. Remove the passphrase from your gpg secret key.

      If a gpg secret key has a passphrase set then it will be exported as an encrypted secret key using that passphrase. An encrypted secret key cannot be converted to a format that can be imported by CodeSign Protect.

      $ gpg --passwd <uid>

      This command will ask you to enter the current passphrase to unlock the key and will then ask you for a new passphrase. Press enter to remove the passphrase. When prompted select Yes, protection is not needed.

      If your key contains subkeys then you will be prompted once for each.

      This process can be repeated after exporting in order to restore the original passphrase if desired.

   2. Export your gpg secret key

      $ gpg --export-secret-key <uid> > <filename>.pgp

      This will write the contents of your key to the specified filename.

   3. Convert your gpg into an SSH2 key file.

      1. Download and build pgpdump, with the Venafi modifications:

         $ wget https://github.com/Venafi/pgpdump/archive/master.zip

         $ unzip master.zip

         $ cd pgpdump-master

         $ ./configure && make

      2. Run the tool with the -e option to perform the conversion:

         ./pgpdump -e <filename>.pgp

      3. The export writes files named secret-key.x, where x is the key number. In most cases secret-key.0 is the signing key and secret-key.2 is the encryption key if an encryption subkey was present.

   The keys are now ready for import.

   Step 2: Complete the Environment configuration fields

   Complete the fields according to the following guidelines.

   NOTE  The Key Storage Location for imported keys will be Software. Importing existing keys to an HSM is not supported.

   Field	Guidelines
   Real Name	Real name of the person using the GPG key. Together with the E-mail address, this becomes part of the user ID (UID). The user ID is used to associate the key with a real person and is used to identify the key when signing.
   Email Address	E-mail address of the person using the GPG key. Together with the Real Name, this becomes part of the user ID (UID). The user ID is used to associate the key with a real person and is used to identify the key when signing.
   Key Expires In	Number of days until the key expires. A value of zero (0) means the key will not expire.

   Step 3: Import Existing Keys

   NOTE  Be sure to complete Step 1: Prepare GPG Key for Import before uploading existing keys.

   In the Keys section, import secret-key.0 as your signing key, and optionally import any subkeys that were present.

   Click Save.

   Once this Project is approved, the original keys should be available to those who have the Key User role for this project.

   Apple Environment

   1. Enter an Environment Name.

   2. Select an Environment Template. If you are unsure which template to select, contact your Code Signing Administrator.

   3. In the IP Restrictions field, enter the allowed IP addresses or IP address ranges that are allowed to use the keys associated with this Environment. This field accepts IP addresses and CIDR notation. Each entry will appear in its own pill box.

      NOTE  The TCP stack will prefer IPv6 over IPv4. If IPv6 is working on the network, IPv6 addresses will need to be entered.

   4. In the Time Constraint Window box, select one or more time constraints that you want to apply to this environment.

      What are time constraints?

      Time constraints allow Project Owners to restrict use of environments to certain times of the day, days of the week, days of the month, or any combination of these.

      Time constraints are configured by Code Signing Administrators. If there aren't any to select, that means your administrator hasn't configured any.

      NOTE  If you apply more than one time constraint, only one of them must be met in order for the environment to be used.

   Import Key from PKCS#12/PFX

   NOTE  The Key Storage Location for imported keys will be Software. Importing existing keys to an HSM is not supported.

   1. Select Import Key from PKCS#12/PFX.
   2. Upload your PKCS#12 or PFX file.
   3. Click Save. The Environment is automatically created and added to the Project.

   Use Existing Key in HSM

   NOTE  This option requires an Environment Template that has a connection the HSM that contains the key. Also, only Code Signing Administrators and Master Admins have rights to create environments that use existing HSM keys.

   1. Select Use Existing Key in HSM.
   2. In the Key Storage Location drop-down, select the HSM that contains the key you want to use in this Environment.

   3. In the HSM Settings section, choose whether you want to import a certificate PEM file or manually enter your certificate information. If you are manually entering your certificate information, use the descriptions below to complete the fields.

      Field descriptions

      Field	Guidelines
      Include Certificate Chain	Select this checkbox if you want the certificate's chain pushed down from Trust Protection Platform to the workstations that use this environment. DID YOU KNOW?   Many signing applications will either report an error or report that the certificate isn't available if it doesn't trust the entire chain.
      Certificate Provider	Select the CA to use for this template.
      Common Name	Most CAs use the Organization (O) name as the common name. You can leave this blank unless your CA allows you to specify your own Common Name. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Organization	The Organization (O) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Organizational Unit	The Organizational Unit (OU) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      SAN Email	The email address that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      City	The city name that appears as part of the Subject DN of the certificate. This field is also known as the locale.
      State	The state (ST) name that appears as part of the Subject DN of the certificate. For per-user environments, this field supports macros. Learn more about using macros Using suggested macros (available in the user interface) Following are commonly-used macros, which are suggested in the user interface: "$Identity[$Sign.User$]$" Resolves to the username for the key user from the identify provider "$Identity[$Sign.User$,Given Name]$" Resolves to given name for the key user from the identity provider "$Identity[$Sign.User$,Surname]$" Resolves to surname for the key user from the identity provider "$IdentityEmail[$Sign.User$]$" Resolves to surname for the key user from the identity provider "$Sign.User$" Resolves to the prefix universal GUID "$Sign.Project$" Resolves to the CodeSign Protect Project name, which is set by the Project Owner "$Sign.Environment$" Resolves to the CodeSign Protect Environment name, which is set by the Project Owner "$Sign.EnvironmentType$" Resolves to the environment type Using custom macros You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identify provider: "$Identity[$Sign.User$,Department]$ Learn more For additional information on macros, see Macro overview.
      Country	The two character country code that appears as part of the Subject DN of the certificate. For a list of valid country codes see Country codes.

   4. From the Private HSM Key drop-down, select the private key to associate with this Environment. This list is populated from the HSM.

   5. From the Public HSM Key drop-down, select the public key to associate with this Environment. This list is populated after you select the private key.
   6. Click Save.

   Strong-name Environment

   1. Enter an Environment Name.

   2. Select an Environment Template. If you are unsure which template to select, contact your Code Signing Administrator.

   3. In the IP Restrictions field, enter the allowed IP addresses or IP address ranges that are allowed to use the keys associated with this Environment. This field accepts IP addresses and CIDR notation. Each entry will appear in its own pill box.

      NOTE  The TCP stack will prefer IPv6 over IPv4. If IPv6 is working on the network, IPv6 addresses will need to be entered.

   4. In the Time Constraint Window box, select one or more time constraints that you want to apply to this environment.

      What are time constraints?

      Time constraints allow Project Owners to restrict use of environments to certain times of the day, days of the week, days of the month, or any combination of these.

      Time constraints are configured by Code Signing Administrators. If there aren't any to select, that means your administrator hasn't configured any.

      NOTE  If you apply more than one time constraint, only one of them must be met in order for the environment to be used.

   Select whether to create new keys, use existing keys in an HSM, or import existing keys.

   Create New

   1. Click Create New.

   2. Complete the fields using the following guidelines:

      Key Storage Location	Select the location where the key should be stored. Selecting Software stores the key in the Trust Protection Platform secret store. Other options, such as HSMs, may be available based on key storage locations configured by your Code Signing Administrator.
      Signing Key Algorithm	Select the encryption algorithm for the signing key.
      Key Expires In	Number of days until the key expires. A value of zero (0) means the key will not expire.

   3. Click Save.

   Import Keys

   1. Click Import Keys.

   2. Specify the number of days the Key Expires in. A value of zero (0) means the key will not expire.

   3. Upload your existing signing key in the Signing Key File Upload box.
   4. Click Save.

   Use existing key in HSM

   NOTE  This option requires an Environment Template that has a connection the HSM that contains the key. Also, only Code Signing Administrators and Master Admins have rights to create environments that use existing HSM keys.

   1. Select Use Existing Key in HSM.
   2. In the Key Storage Location drop-down, select the HSM that contains the key you want to use in this Environment.
   3. In the HSM Settings section, select the HSM Private Signing Key, and then select the HSM Public Signing Key.
   4. Click Save.

If you are ready to submit this project for approval, click Submit for Approval. If you still have work to do on it, click Save.

Next Steps for Key Users

Key Users should do the following:

• If not already completed, install the code signing client on the signing workstations. See Install CodeSign Protect Clients on signing workstations.
• Once the Project is approved, configure the code signing workstation to use keys protected by CodeSign Protect. See Setting up the CodeSign Protect clients.