How to Set Up Google Cloud KMS for Cloud Code Signing in 4 Steps (2025 Guide)


This article will simplify the process of generating a Comodo Code Signing Certificate and its public-private key pair for use in Google Cloud Key Management Service (Google Cloud KMS).

Technical Users: Follow our guide on how to generate the CSR and download the key attestation in Google Cloud.

Step One: Get a Code Signing Certificate

It’s hard to set up a Google Cloud KMS account with a code signing key if you don’t have a certificate! While this step may be a no-brainer for more experienced developers, it’s an important step to mention for our newer dev readers who may not be as familiar with code signing certificates.

The good news is that you can get a Comodo Code Signing Certificate without breaking the bank. This is because we offer discounts of up to 14% on top of our already discounted prices via coupons for code signing certificates, email signing certificates, and SSL/TLS certificates.


Save Up to 42% on a Google KMS-Compatible Signing Certificate

Ready to start signing your software and other executables in the cloud? You can with a Comodo Code Signing Certificate + Google Cloud KMS.


How to Buy a Comodo Code Signing Certificate

When purchasing a Comodo Code Signing Certificate for cloud code signing from ComodoSSLstore.com, you’ll need to select the preferred certificate delivery method. Code signing certificate keys must be securely generated and stored on FIPS-compliant secure hardware devices such as USB tokens and physical and cloud-based hardware security modules (HSMs).


To select Google Cloud KMS when purchasing a certificate from ComodoSSLstore.com, you can make the selection on the certificate’s product page. Using the drop-down menu, select Install on Existing HSM and complete the checkout process.

A screenshot of the ComodoSSLstore.com Code Signing Certificate product page menu where you can select an existing HSM as a certificate delivery method
Image caption: A screenshot from the Comodo Code Signing Certificate product page on ComodoSSLstore.com.

Once your order is complete, you’ll be guided through the certificate generation process on CertificateGeneration.com that we’ll go over in Step Five.

Step Two: Set Up a Key Ring and Key in Google Cloud KMS

If you wish to use an existing Google Cloud KMS key ring, jump to Step Three. Otherwise, you’ll need to set up a new key ring following the directions provided by Google Cloud KMS. (NOTE: This setup process requires an authorized Cloud KMS Admin account.)

  1. In Google KMS, create a key ring using Google Cloud’s directions.
  2. Create a new key (https://cloud.google.com/kms/docs/create-key) with these settings:
    • HSM protection
    • HSM-generated
    • Asymmetric signing
    • 3072-bit RSA, PKCS#1 v1.5 padding – SHA256 Digest (recommended)
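Step Two driven from the gcloud CLI instead of the console, as an added example rather than the article's own instructions: it creates the key ring and the key with the settings listed above, then reads back the `gcloud kms keys describe` output and confirms the purpose, protection level and algorithm are the ones the CA will expect to see in the attestation. The project, location, key ring and key names are placeholders, and the JSON checked offline is a constructed sample of the describe output, not real output from a project.

```shell
#!/bin/sh
# Added example, not code from the article: perform Step Two with the gcloud
# CLI and then confirm the key really has the settings the article lists
# (HSM protection, asymmetric signing, RSA 3072 / PKCS#1 v1.5 / SHA-256).
# Project, location, key ring and key names are placeholders.
# Commands that call Google Cloud run only when KMS_EXECUTE=1 is set.

PROJECT_ID="my-project-id"        # placeholder
LOCATION="us-east1"               # placeholder; the key must live in the ring's location
KEY_RING="codesigning-ring"       # placeholder
KEY_NAME="codesigning-key"        # placeholder

# How the Step Two settings appear in `gcloud kms keys describe` output.
EXPECTED_PURPOSE="ASYMMETRIC_SIGN"
EXPECTED_LEVEL="HSM"
EXPECTED_ALGORITHM="RSA_SIGN_PKCS1_3072_SHA256"

key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' \
    "$PROJECT_ID" "$LOCATION" "$KEY_RING" "$KEY_NAME"
}

create_key_ring() {
  gcloud kms keyrings create "$KEY_RING" \
    --project "$PROJECT_ID" --location "$LOCATION"
}

# "HSM-generated" follows from --protection-level hsm: Cloud KMS generates the
# key material inside the HSM; nothing is imported from outside.
create_signing_key() {
  gcloud kms keys create "$KEY_NAME" \
    --project "$PROJECT_ID" --location "$LOCATION" --keyring "$KEY_RING" \
    --purpose asymmetric-signing \
    --default-algorithm rsa-sign-pkcs1-3072-sha256 \
    --protection-level hsm
}

describe_key_json() {
  gcloud kms keys describe "$KEY_NAME" \
    --project "$PROJECT_ID" --location "$LOCATION" --keyring "$KEY_RING" \
    --format json
}

# json_string JSON KEY: prints the string value of "KEY" from pretty-printed
# JSON (one field per line); enough for the describe fields checked here.
json_string() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Returns 0 when the describe output matches the Step Two settings, 1 otherwise.
check_key_settings() {
  purpose=$(json_string "$1" purpose)
  level=$(json_string "$1" protectionLevel)
  algorithm=$(json_string "$1" algorithm)
  [ "$purpose" = "$EXPECTED_PURPOSE" ] &&
    [ "$level" = "$EXPECTED_LEVEL" ] &&
    [ "$algorithm" = "$EXPECTED_ALGORITHM" ]
}

# Constructed sample of `describe --format json` output for a key created with
# the settings above, trimmed to the fields the check reads.
SAMPLE_DESCRIBE_JSON='{
  "name": "projects/my-project-id/locations/us-east1/keyRings/codesigning-ring/cryptoKeys/codesigning-key",
  "purpose": "ASYMMETRIC_SIGN",
  "versionTemplate": {
    "algorithm": "RSA_SIGN_PKCS1_3072_SHA256",
    "protectionLevel": "HSM"
  }
}'

if [ "${KMS_EXECUTE:-0}" = "1" ]; then
  create_key_ring
  create_signing_key
  if check_key_settings "$(describe_key_json)"; then
    echo "$(key_resource_name) has the expected HSM signing settings"
  else
    echo "key settings differ from Step Two; fix the key before requesting attestation" >&2
    exit 1
  fi
else
  check_key_settings "$SAMPLE_DESCRIBE_JSON" && echo "sample describe output passes the settings check"
fi
```

Run it with `KMS_EXECUTE=1` after authenticating gcloud as a Cloud KMS Admin; without that variable it only runs the settings check against the constructed sample. The check is worth keeping around: a key created with software protection or a different algorithm produces an attestation bundle and CSR that the CA will reject, and catching that before Step Three saves a round trip.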

Step Three: Gather Your Key Attestation Resources

Code signing certificates must be generated and stored on secure hardware. This means that if you’re using a hardware security module (HSM), then you must provide attestation documentation to the certification authority (CA).

To collect your key attestation files:

  • Open the page for the newly created key
  • Select the Actions icon (looks like three stacked periods) next to the key version
A screenshot that shows where to access the menu where you can download the key attestation from Google Cloud Key Management Service (Google Cloud KMS)
Image caption: A screenshot showing where to find the Actions drop-down menu in Google Cloud KMS to download your key attestation .zip bundle.
  • In the drop-down menu, select Verify Attestation
  • Click Download Attestation Bundle to download the zip file (you’ll need this later)

Step Four: Generate the Certificate Signing Request (CSR)

Next, you’ll need to generate a certificate signing request using the key you just generated. There are several different ways you can generate the CSR.

For this tutorial we’ll walk you through doing it with OpenSSL on Linux (Ubuntu).

  • Set up a Linux computer or server with OpenSSL. If you don’t have it, it’s integrated within the Windows Software Development Kit (SDK).
  • Install the libengine-pkcs11-openssl package. You can do this using the Linux Ubuntu command: sudo apt-get install libengine-pkcs11-openssl.
  • Download the Google PKCS #11 library and extract it. You don’t need to run any install command — simply reference the file location directly in the next step.
  • Configure OpenSSL to use the Google PKCS library. Do this using a modified version of the command export PKCS11_MODULE_PATH="/path/to/libkmsp11.so" (so it points to the extracted library).
  • Create a YAML config file and set the environment variable KMS_PKCS11_CONFIG to point to it. (Learn more about how to do this from Google Cloud.) You’ll need the key_ring value, so grab that from the Google Cloud console.
  • Establish an authentication method for Google KMS using either Workload Identity Federation or by creating a Service Account. To create a Service Account:
    • Go to IAM-Admin > Service Accounts and select the applicable project
    • Click Create Service Account
    • Grant the service account the Cloud KMS Admin and Crypto Operator roles.
    • After creating the service account, create a new JSON key.
    • Download the key file and place it on the computer/server you’re using to create the CSR

  • Set the environment variable to point to your key file. You can do this using a modified version of the command: export GOOGLE_APPLICATION_CREDENTIALS="/root/gckms_auth.json" (Be sure to replace the JSON file’s example location path with the real one.)

You’ve now configured OpenSSL to use Google KMS as a PKCS #11 provider. If you need to troubleshoot your connection to Google KMS:

  • Install pkcs11-tool (part of OpenSC) with the Linux Ubuntu command sudo apt install opensc
  • Run pkcs11-tool --module /path/to/libkmsp11.so --list-objects to see the list of keys you can access. (You must update this path as well to point to where the file is stored.)

  • You can now generate the CSR. Do this using a modified version of the following command that reflects your specific variables: openssl req -new -subj '/CN=Your Company Name, LLC/' -sha256 -engine pkcs11 -keyform engine -key pkcs11:object=your_key_name > code_signing_request.csr

  • your_key_name is the key name listed in Google KMS, for example "mysectigocodesigningkey", without the full resource name ("projects/project-name/locations/us-east1/keyRings/ring-name/cryptoKeys/keyname/cryptoKeyVersions/1")
  • It’s possible to use id=entire_resource_name instead, but because of a 100-character limit that approach is error-prone.
  • Be sure that the digest algorithm variable (i.e., -sha256 in the example above) matches what you chose when generating the key.
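The Step Four procedure in one script, added here as an example and not taken from the article or from Google: it writes the libkmsp11 YAML config, exports the three environment variables, runs the pkcs11-tool listing and the CSR command, and then adds two checks worth doing before uploading anything to the CA: the CSR's self-signature verifies, and the CSR's public key equals what `gcloud kms keys versions get-public-key` returns for the key version whose attestation you downloaded. Paths, project, key ring, key and subject values are placeholders to replace, and the PEM strings in the offline check are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the article: carry out Step Four end to end with
# OpenSSL and Google's PKCS #11 library, then check the CSR before it is sent
# to the CA. All paths and names below are placeholders; commands that touch
# Google Cloud run only when KMS_EXECUTE=1 is set.

PROJECT_ID="my-project-id"                    # placeholder
LOCATION="us-east1"                           # placeholder
KEY_RING="codesigning-ring"                   # placeholder
KEY_NAME="codesigning-key"                    # key name as listed in Google KMS
KEY_VERSION="1"                               # version the attestation bundle was downloaded for
KMSP11_LIB="/opt/kmsp11/libkmsp11.so"         # placeholder: where the library was extracted
CREDENTIALS_JSON="/root/gckms_auth.json"      # service account key (article's example path)
CSR_SUBJECT="/CN=Your Company Name, LLC/"     # subject from the article's command
DIGEST="sha256"                               # must match the key's algorithm (SHA-256 here)
WORKDIR="."

key_ring_resource() {
  printf 'projects/%s/locations/%s/keyRings/%s\n' \
    "$PROJECT_ID" "$LOCATION" "$KEY_RING"
}

# Writes the YAML file KMS_PKCS11_CONFIG points at. `tokens` and `key_ring`
# are the library's config keys; one token entry exposes one key ring.
write_kmsp11_config() {
  cat > "$1" <<EOF
---
tokens:
  - key_ring: "$(key_ring_resource)"
EOF
  chmod 600 "$1"
}

export_kms_env() {
  export PKCS11_MODULE_PATH="$KMSP11_LIB"
  export KMS_PKCS11_CONFIG="$1"
  export GOOGLE_APPLICATION_CREDENTIALS="$CREDENTIALS_JSON"
}

# Troubleshooting step from the article: list the objects the module exposes.
list_kms_objects() {
  pkcs11-tool --module "$KMSP11_LIB" --list-objects
}

# The article's CSR command, parameterised. Only signing and public-key
# retrieval on this one key are exercised by the steps below.
generate_csr() {
  openssl req -new -subj "$CSR_SUBJECT" "-$DIGEST" \
    -engine pkcs11 -keyform engine \
    -key "pkcs11:object=$KEY_NAME" > "$1"
}

verify_csr_signature() {
  openssl req -in "$1" -noout -verify
}

csr_public_key_pem() {
  openssl req -in "$1" -noout -pubkey
}

kms_public_key_pem() {
  gcloud kms keys versions get-public-key "$KEY_VERSION" \
    --project "$PROJECT_ID" --location "$LOCATION" \
    --keyring "$KEY_RING" --key "$KEY_NAME"
}

# Returns 0 when two PEM public keys are the same key (whitespace ignored),
# 1 when they differ or either is empty.
public_keys_match() {
  a=$(printf '%s' "$1" | tr -d ' \n\r')
  b=$(printf '%s' "$2" | tr -d ' \n\r')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

if [ "${KMS_EXECUTE:-0}" = "1" ]; then
  cfg="$WORKDIR/kmsp11.yaml"
  csr="$WORKDIR/code_signing_request.csr"
  write_kmsp11_config "$cfg"
  export_kms_env "$cfg"
  list_kms_objects
  generate_csr "$csr"
  verify_csr_signature "$csr"
  if public_keys_match "$(csr_public_key_pem "$csr")" "$(kms_public_key_pem)"; then
    echo "CSR public key matches Cloud KMS key version $KEY_VERSION; ready to upload with the attestation bundle"
  else
    echo "CSR public key differs from the KMS key; check KEY_NAME and the config" >&2
    exit 1
  fi
fi
```

Run it as `KMS_EXECUTE=1 sh csr.sh` on the Linux host that has OpenSSL, libengine-pkcs11-openssl, OpenSC and the service account key file. The public-key comparison is the check that catches the most common mistake here: a `pkcs11:object=` name that resolves to a different key than the one whose attestation bundle you downloaded, which the CA would reject later. The config file is written with mode 600 because it names the key ring; keep the credentials JSON equally restricted.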

Step Five: Complete the CSR Submission and Validation Processes

Send the Certificate Signing Request and Key Attestation to the CA

When you purchase a certificate from ComodoSSLstore.com, you’ll be directed to a certificate enrollment wizard on CertificateGeneration.com. You’ll need the attestation documentation for this step (i.e., the .zip file you downloaded earlier in Step Three).

To complete the CSR submission process, log into your account on ComodoSSLstore.com, access your orders in the dashboard, and choose the option to generate a certificate. This will take you to the CertificateGeneration.com page. Here, you’ll be asked to do the following:

  1. Enter your name and organizational information
  2. Provide the contact information for your company’s organization contact
  3. Enter an email address (optional) to receive a verification email
  4. Select your certificate collection method
  5. Agree to the Certificate Services Agreement

It’s in step #4 of this process (as shown in the screenshot below) that you’ll need to do the following:

  • Answer Yes to the question “Was the private key generated by a YubiKey 5 FIPS, Luna HSM, or Google Cloud KMS (Cloud HSM)?”
  • Select Google Cloud KMS (Cloud HSM) in the field “Please select your existing HSM Type”
  • Paste your CSR details
  • Upload your Key Attestation file(s)
A screenshot from CertificateGeneration.com, which shows where to upload your CSR and key attestation information when using Google Cloud Key Management Service (Google Cloud KMS) for code signing with a Comodo Code Signing Certificate
Image caption: A screenshot from the CertificateGeneration.com process.

The CA Will Validate Your Organization’s Digital Identity

Once your identity has been verified and all T’s are crossed and I’s are dotted, the CA will issue your certificate.

That’s it! You can now start adding your digital signature to executables in the cloud using your code signing key that’s securely stored in Google KMS.