USB token not recognised on Windows Server in Cloud

I am attempting to access a Sectigo Code Signing Certificate that is on a USB Token.

This article on this Forum implies it is possible: USB tokens not recognised on Windows Server in Cloud, but well on local network.
The article implied that RDP could be an issue, so I’ve connected with AnyViewer.
This may be irrelevant - I only need to connect locally to the token.

I’ve installed the Safenet software, so the Token has a driver.

I managed to get it functioning through another PC on my local network using VirtualHere.

However, I haven’t been successful in accessing it from Windows Server running on AWS EC2.

I’m using EasyFind - maybe I still need open port(s) on the EC2 instance? 

I can see and use the device (“Token JC (in use by you)”) on Windows Server.

However, the certificate is not showing up.

Any suggestions are most welcome.

Regards,

Leigh

#2

Hi Leigh, yes, I think I know the issue.

You need to switch the driver of the dongle to use WUDF instead of UMDF2.

Find the dongle in Windows Device Manager on the VirtualHere client side, select "Update driver", and select from the list.

 

#3

Hi Michael,

Thanks for the tip.
The driver of the dongle is now using WUDF.
But the certificate is still not showing up.

#6

OK, it seems win22 is missing some drivers, not sure which. I did try it on Azure and it won't bind the token driver correctly. I suspect it's missing some other software.

 

#7

Thanks, Michael.

What is Win22? A release of Windows?

Where do we go from here?

#8

Windows 2022 Server, I meant. I started a Windows 2022 Datacenter VM in Azure, loaded the VirtualHere client and connected to my Token JC at my office. I can see the token connects fine, but Windows won't load the scfilter driver. I don't know how that's set up, and this is outside the bounds of VirtualHere, so I suggest just using some other OS like Windows 11 or 10 as the signing VM instead.
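The symptom in post #8 (token attaches, scfilter does not load, certificate never appears) can be narrowed down by checking each link between the USB device and the certificate store. The following PowerShell is an added example, not part of the original thread or of VirtualHere's tooling; the function name `Get-TokenSigningReadiness` and the wording of the findings are assumptions, and it relies only on built-in Windows cmdlets and the standard `SCardSvr`, `CertPropSvc` and `scfilter` service names.

```powershell
# Added example (not from the thread). Run on the signing VM with the token attached.
function Get-TokenSigningReadiness {
    $r = [ordered]@{}

    # Smart Card resource manager and Certificate Propagation services.
    foreach ($name in 'SCardSvr', 'CertPropSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $r[$name] = if ($svc) { "$($svc.Status)" } else { 'Missing' }
    }

    # The smart card filter driver named in post #8.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='scfilter'" `
        -ErrorAction SilentlyContinue
    $r['scfilter'] = if ($drv) { $drv.State } else { 'Missing' }

    # Reader and card device nodes that are present and report a healthy status.
    foreach ($class in 'SmartCardReader', 'SmartCard') {
        $devs = @(Get-PnpDevice -Class $class -PresentOnly -ErrorAction SilentlyContinue |
                  Where-Object Status -eq 'OK')
        $r["${class}Devices"] = $devs.Count
    }

    # Code-signing certificates in the user store that reference a private key.
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
               Where-Object HasPrivateKey)
    $r['CodeSigningCerts'] = $certs.Count

    # Report the first broken link in the chain (wording is this example's own).
    $r['Finding'] = if ($r.SCardSvr -ne 'Running') {
        'Smart Card service is not running'
    } elseif ($r.SmartCardReaderDevices -eq 0) {
        'No healthy reader device: token not attached or reader driver not bound'
    } elseif ($r.scfilter -ne 'Running' -or $r.SmartCardDevices -eq 0) {
        'Reader present but the card driver (scfilter / minidriver) did not load'
    } elseif ($r.CodeSigningCerts -eq 0) {
        'Card driver loaded but no code-signing certificate in CurrentUser\My'
    } else {
        'Code-signing certificate with a private key reference is visible'
    }

    [pscustomobject]$r
}

Get-TokenSigningReadiness | Format-List
```

Running the same function on a machine where the token works (the Windows 10 or 11 VM suggested above) gives a baseline to compare against; `certutil -scinfo` shows what Windows can read from the card itself.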

 

#10

No, that won't work. The reason is that the token contains the private key, which never leaves the token. I took a quick search of Google and it confirms that it's impossible. You can't "upload" the private key from the token to the vault. Not only that, the token enforces password expiry (at least my Token JC does, every month).

 

 

#11

Thanks, Michael.

I'm looking at forking out for a new cert, delivered via Azure Key Vault.
I will probably need to move my development tools from EC2 to Azure?

#12

I don't know, sorry. I'm not an expert on signing, other than using Token JC to sign VirtualHere.

From my quick research it seems EV certificates require a USB token, whereas for non-EV certificates a token is optional and you can use something like DigiCert vault to hold the private key. But again, it's not clear on their website. They talk about Code Signing Certificates and don't mention EV code signing certificates...

https://www.google.com.au/search?q=does+EV+code+signing+require+a+token