Importing an attestation file to a Sectigo Environment

After your Sectigo Environment is created and approved, you need to upload your Sectigo attestation file to Code Sign Manager - Self-Hosted before a certificate can be issued.

IMPORTANT  This procedure contains instructions on using third-party vendor products. CyberArk cannot always verify the accuracy of these instructions. For the most up-to-date information, see the vendor documentation.

NOTE  Generate the attestation file on a Trust Protection Foundation server that has the Luna client installed and a connection to the Luna HSM where the Sectigo key is stored.

A best practice is to perform all steps directly on the Trust Protection Foundation server.

Step 1: Get HSM Key Label from Code Sign Manager - Self-Hosted

  1. Sign in to Code Sign Manager - Self-Hosted by going to https://[trust-protection-server]/codesign-protect.

  2. Click Projects, and then open the Project that contains your Sectigo Environment.

  3. Click the Environments tab, and then open your Sectigo Environment.

  4. In the Environment details pane, click Instances.

  5. Copy the entire HSM Key Label value. The value should look similar to RSA 4096 xxxxxxxxx.... This value will be used in the next step.

You will return to this UI in Step 3 below.

Step 2: Generate attestation file

  1. Open a command prompt, and navigate to the directory where the Luna client is installed. Generally, this is installed in C:\Program Files\SafeNet\LunaClient.

  2. Using the HSM Key Label from Step 1, run the following command to look up the handle of the key:

    cmu list -class private -label="<hsm-key-label>"

    Your result should look similar to handle=2000346 label=<hsm-key-label>. You will use the handle in the next step.

  3. Using the handle from the previous result (2000346 in this example), run the following to generate your attestation file:

    cmu getpkc -handle=2000346 -outputfile=C:\<path>\attestation.p7b

    After completion, you should have an attestation.p7b file in the output file location you specified.
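
Example (added here, not vendor-supplied code): a PowerShell script for sub-step 3 that takes the output you got from cmu list, confirms exactly one key carries the label copied in Step 1, runs cmu getpkc, and checks the resulting file before you import it. The parameter names, the Get-KeyHandle function, the cmu.exe file name, and the ability of .NET to parse the .p7b as a PKCS #7 certificate bundle are assumptions.

```powershell
# Added example, not vendor code. Save as a .ps1 and run on the server with the Luna client.
param(
    [Parameter(Mandatory)] [string]   $Label,       # HSM Key Label copied in Step 1
    [Parameter(Mandatory)] [string[]] $ListOutput,  # line(s) printed by the cmu list command
    [Parameter(Mandatory)] [string]   $OutFile,     # full path for attestation.p7b
    [string] $LunaDir = 'C:\Program Files\SafeNet\LunaClient'
)
$ErrorActionPreference = 'Stop'

# Return the handle of the single key whose label equals $Label exactly.
# Assumes one "handle=<digits> label=<text>" line per key, as in the sample output.
function Get-KeyHandle([string[]] $Lines, [string] $Label) {
    $found = @(foreach ($line in $Lines) {
        if ($line -match '^\s*handle=(\d+)\s+label=(.*?)\s*$' -and $Matches[2] -ceq $Label) {
            $Matches[1]
        }
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one key labelled '$Label', found $($found.Count)."
    }
    $found[0]
}

# Refuse to overwrite: a leftover file could belong to a different key.
if (Test-Path -LiteralPath $OutFile) { throw "$OutFile already exists; choose a new path." }

$handle = Get-KeyHandle -Lines $ListOutput -Label $Label
$cmu = Join-Path $LunaDir 'cmu.exe'   # assumption: the Windows binary is named cmu.exe
& $cmu getpkc "-handle=$handle" "-outputfile=$OutFile"

if (-not (Test-Path -LiteralPath $OutFile) -or (Get-Item -LiteralPath $OutFile).Length -eq 0) {
    throw "cmu getpkc did not produce $OutFile."
}

# Assumption: the .p7b is a PKCS #7 certificate bundle that .NET can parse.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import((Resolve-Path -LiteralPath $OutFile).Path)
if ($certs.Count -eq 0) { throw "No certificates found in $OutFile." }

# Show what will be uploaded, plus a hash to match against the file picked in Step 3.
$certs | Format-List Subject, Issuer, NotAfter, Thumbprint
Get-FileHash -LiteralPath $OutFile -Algorithm SHA256 | Format-List Algorithm, Hash, Path
```

The cmu list command from sub-step 2 is still run by hand; pass the line or lines it printed as -ListOutput.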

Step 3: Import your attestation file to your Environment

  1. In Code Sign Manager - Self-Hosted, open the Sectigo Environment.

  2. Click Import Attestation.

  3. Select your attestation file, and then click Save.

The attestation file is now added to this Environment. Repeat these steps for each Sectigo Environment.

What's Next

This request will now be processed through Trust Protection Foundation's normal processes, and a CSR will be sent to Sectigo. It may take several minutes for the job to be picked up and run. During that time, the Environment will show the Certificate or key not issued state.

After the CSR has been sent, the Environment moves to the Retrieve Certificate state. At this point, the certificate request must be approved in Sectigo Certificate Manager. Once approval has been given, the certificate will be available in the Environment in Code Sign Manager - Self-Hosted.