Secure license consumption with signing certificates

Using signing certificates improves the security of license consumption in checkout and heartbeat flows. Signing certificates allow you to establish a root of trust in your applications. By embedding trusted certificate information, your applications can verify the integrity of public keys received from 10Duke Scale.

This article provides guidance on how to use signing certificates to secure license consumption in your applications, covering both the application development and releasing phase, and the runtime license consumption phase.

Application development and releasing

During application development and releasing, establish a root of trust and protect your application from tampering.

Establish root of trust by embedding signing certificates

To establish a root of trust in your application, embed the signing certificate information into your application binary. This enables your application to verify that license token signing keys received from 10Duke Scale are trustworthy.

You can embed the full signing certificate, the unique fingerprint (x5t thumbprint), or both.

Note: Embed the signing certificate, not the license token validation key certificate. The signing certificate is used to sign the certificates of individual license token validation keys.

You can request and manage signing certificates using the 10Duke Scale UI console.

Obfuscate and encrypt embedded resources

To protect the embedded signing certificate information from being easily extracted or modified, use the following methods.

  • Obfuscate the embedded certificate or fingerprint data in your application binary.

  • If possible, encrypt the embedded resources.

  • Apply code obfuscation techniques to make reverse engineering more difficult.

The specific techniques depend on your development platform and security requirements.

Protect application binary from modifications

Protect your application binary from unauthorized modifications. We recommend that you use code signing on applicable operating systems (Windows, macOS). Code signing helps ensure that the application binary has not been modified after it was built and released.

In addition, you can implement integrity checks to detect tampering.

Manage application lifecycle and certificate rotation

10Duke Scale signing certificates are valid for a maximum of five years at a time. If the certificate is embedded in your code, its expiration effectively determines the end-of-life for that specific application version.

To manage your application’s lifecycle:

  • Generate a new signing certificate every two to three years.

  • Update your applications to trust the new certificate before the old one expires. During the transition period, maintain backward compatibility by trusting both the old and new certificates. This can be done by embedding multiple signing certificates with overlapping validity periods into your application.

  • Plan application updates to embed new certificate information.

  • Consider the deployment timeline for updates to reach all users.

When you rotate signing certificates in 10Duke Scale, you need to correspondingly update the trusted certificates embedded in your applications.

Run your application and consume licenses

During runtime, your application needs to verify the certificate chain and validate the license token signing keys.

Verify certificate chain from JWKS endpoint

When your application retrieves license token signing keys from the 10Duke Scale JSON Web Keys (JWKS) endpoint, verify the certificate chain as follows.

  1. Retrieve the public keys from the JWKS endpoint using the License Management API operation GET /licensing-signing-keys/.well-known/jwks.json.

  2. Extract the x5c certificate chain from the JWKS response for each license token signing key.

  3. Verify that the certificate chain leads to a signing certificate that your application trusts (the one that was embedded during development).

The x5c claim in the JWKS response contains the full certificate chain for each license token signing key when a certificate has been issued. See more details on the x5c certificate chain in RFC 7517.

See more about setting up and retrieving license token validation keys.

Verify certificate validity

Before accepting a license token signing key, verify that every certificate in its certificate chain is currently active and valid as follows.

  • Check that the current time is within the validity period of each certificate in the certificate chain.

  • Verify that none of the certificates in the certificate chain have expired.

Verify public keys match leaf certificate

After verifying the certificate chain, verify that the public key in the JWKS response matches the public key in the leaf certificate by completing the following steps.

  1. Extract the public key from the JWKS response.

  2. Extract the public key from the leaf certificate (the first certificate in the x5c chain).

  3. Verify that both public keys are identical.

This ensures that the public key you use for license token signature verification actually corresponds to the certificate chain you just validated.
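The three runtime checks above (chain leading to an embedded signing certificate, validity at the current time, and JWK public key equal to the leaf certificate's key) as one function, in an added Go example that is not 10Duke's code. It assumes RSA keys in the JWKS, takes a list of trusted certificates so that an old and a new signing certificate can both be trusted during rotation, and generates its own constructed certificates because none appear on this page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)
// jwk holds the JWKS fields used here (assumed shape, RSA only): N/E base64url modulus and exponent, X5c base64 DER certs, leaf first.
type jwk struct{ N, E string; X5c []string }
// verifyKey accepts a JWKS entry only if its x5c chain validates up to one of the embedded signing
// certificates at time now (signatures and validity windows) and the advertised key equals the leaf's.
func verifyKey(k jwk, trusted []*x509.Certificate, now time.Time) (*rsa.PublicKey, error) {
	var certs []*x509.Certificate
	for _, b := range k.X5c {
		der, err := base64.StdEncoding.DecodeString(b)
		if err != nil { return nil, err }
		c, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		certs = append(certs, c)
	}
	if len(certs) == 0 { return nil, errors.New("JWK carries no x5c chain") }
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted { roots.AddCert(t) } // old and new signing certs during rotation; nothing else
	for _, c := range certs[1:] { inter.AddCert(c) }
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := certs[0].Verify(opts); err != nil { return nil, err }
	n, _ := base64.RawURLEncoding.DecodeString(k.N) // a malformed value decodes short and fails Equal below
	e, _ := base64.RawURLEncoding.DecodeString(k.E)
	fromJWK := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	leafPub, ok := certs[0].PublicKey.(*rsa.PublicKey)
	if !ok || !leafPub.Equal(fromJWK) { return nil, errors.New("JWK key differs from leaf certificate key") }
	return leafPub, nil
}
// buildFixture makes a self-signed anchor, a leaf it signs and that leaf's JWKS entry: constructed test data, not 10Duke's.
func buildFixture(now time.Time) (*x509.Certificate, jwk) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "signing cert"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	anchor, _ := x509.ParseCertificate(caDER)
	lt := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "token signing key"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, lt, anchor, &leafKey.PublicKey, caKey)
	b64, b64u := base64.StdEncoding.EncodeToString, base64.RawURLEncoding.EncodeToString
	return anchor, jwk{N: b64u(leafKey.N.Bytes()), E: b64u(big.NewInt(int64(leafKey.E)).Bytes()), X5c: []string{b64(leafDER), b64(caDER)}}
}
```

Only the key returned by verifyKey should be used for license token signature verification; any error means the JWKS entry is rejected.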

Security benefits

By verifying the certificate chain and matching it against trusted signing certificates embedded in your application, the following security benefits are achieved.

  • You can be confident that the public keys you use for verifying license tokens actually come from 10Duke Scale and have not been tampered with or substituted.

  • Even if an attacker intercepts the JWKS response, they cannot substitute their own keys, because they lack the signing certificate's private key needed to issue a certificate for a key of their own. Without that key, they cannot produce a valid certificate chain that leads back to your trusted root certificate.

  • The certificate chain verification provides a cryptographically secure way to establish trust without requiring pre-shared secrets or out-of-band key distribution.

When using the 10Duke Scale Local License Server product, your application can use the certificate chain that the JWKS endpoint returns and validate that the chain leads to a trusted signing certificate, enabling secure offline license consumption.
