If you want Next-Gen Trust Security to issue a code signing certificate along with the key, you will need to select a certificate authority (CA) when creating the Signing Key. Some CAs require no setup, while others require configuration before they can be used:
None -- creates only a key pair with no certificate
Built-in CA -- requires no configuration and is suitable for internal trust use cases, such as development builds. Certificates issued by the Built-in CA are not implicitly trusted by browsers or operating systems.
Microsoft AD CS, DigiCert, and Zero Touch PKI -- require certificate authority connectors to be configured before use
Notes:
If you plan to obtain a certificate from a public certificate authority, you must select AWS KMS as the key storage type when creating the Signing Key. Public CAs will not sign a CSR for a key that is not stored in a hardware security module (HSM).
Certificate authority connectors must be configured in the parent TSG. Once configured, the CA is available for selection when creating a Signing Key in any child TSG.
While Next-Gen Trust Security supports additional certificate authorities for issuing TLS certificates, only the CAs listed above are supported for issuing code signing certificates through the code signing capability.
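Because a certificate from the Built-in CA looks like any other code signing certificate until you check its chain, it helps to have a repeatable check for what a given Signing Key certificate actually is. The script below is an added example, not code from Next-Gen Trust Security or any of the CAs named above; it assumes `openssl` is on the PATH and uses a constructed self-signed certificate as a stand-in for one issued by the Built-in CA (a real certificate would be exported from the platform instead). It reports the issuer, confirms the certificate carries the Code Signing extended key usage, and tests whether it chains to the system trust store, which is the check a browser or operating system performs and which a Built-in CA certificate is expected to fail.

```shell
#!/bin/sh
# Added example (not Next-Gen Trust Security code): classify a code signing
# certificate by issuer, extended key usage, and chain to the system trust store.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a self-signed certificate standing in for one issued by
# the Built-in CA. In practice, export the certificate of the Signing Key instead.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-signing-key" \
    -addext "extendedKeyUsage=codeSigning" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Print the issuer distinguished name of a PEM certificate.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Succeed if the certificate's extended key usage includes Code Signing.
has_codesigning_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "Code Signing"
}

# Succeed if the certificate chains to the system trust store. This is what a
# browser or OS checks; certificates from the Built-in CA fail here.
chains_to_system_trust() {
  openssl verify "$1" >/dev/null 2>&1
}

# Reduce the checks to one status word for use in a build or release gate.
classify_cert() {
  if ! has_codesigning_eku "$1"; then
    echo "not-code-signing"
  elif chains_to_system_trust "$1"; then
    echo "publicly-trusted"
  else
    echo "internal-only"
  fi
}

CERT="$(make_sample_cert)"
echo "issuer: $(cert_issuer "$CERT")"
echo "status: $(classify_cert "$CERT")"
```

Point `classify_cert` at an exported certificate to confirm before a release that a build intended for external distribution was not signed under a Built-in CA certificate; an `internal-only` result is fine for development builds and wrong for anything shipped to customers.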