Using the PKI Proxy KSP to Replace SafeNet Authentication Client

Requirements: PKI Proxy

Introduction

PKI Proxy Server along with PKI Proxy KSP can be used to replace SafeNet Authentication Client and create a more seamless code signing experience.

The SafeNet Authentication Client adds certificates to the Personal (MY) certificate store so they can be used for code and document signing. However, SafeNet Authentication Client requires the user to respond to a prompt every time the user accesses the certificate, which can be intrusive if the signing is happening within an automated process.

PKI Proxy and the PKI Proxy KSP can act as a solution for that issue, allowing you to add the certificate to the Windows Certificate Store in a more accessible way. For information on sharing a certificate and adding it to the Windows Certificate Store, see the Getting Started article sections for PKI Proxy Server Configuration and PKI Proxy KSP Configuration.

If PKI Proxy KSP and SafeNet Authentication Client are both configured to display certificates in the Personal store this can cause conflicts. To avoid that, you can select a different certificate store when adding a certificate with the PKI Proxy Certificate Manager.

Selecting a Certificate Store

You can select which certificate store to add a certificate to by setting the Certificate Store field while adding a certificate. For example, you could set it to "Trusted People" instead of the default "My":

You would then select the certificate from that store when signing. For example, to choose the certificate store that Microsoft SignTool will use, set the "/s" parameter to the name of the store:

signtool sign /fd sha256 /n "PKI Proxy Signing Cert" /s TrustedPeople /v /debug installer.exe

Creating and Using a Custom Certificate Store

If you would prefer, you can also create a custom certificate store to keep your PKI Proxy certificates in their own category. To do that, go to one of the following locations in the registry, right-click the SystemCertificates key, and add a new key with the name of the store you want to create:

For Machine-wide certificate stores: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates

For User-specific certificate stores: HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates

Once you've added that key, you should be able to pick the new custom certificate store when adding a certificate in the PKIProxy Certificate Manager. However, please note that not all applications support custom certificate stores. For example, you can use SignTool with the same command as above by simply replacing "TrustedPeople" with the custom certificate store's name, but the NuGet CLI only supports the default Windows Certificate stores.