In modern vehicle architectures, every delivered control unit is secured with an individual cryptographic key. At Continental, these keys are managed centrally. My assignment was to automate the image signing process so that every image is securely signed with the appropriate key from the Continental server.
The Challenge
The manual handling of individual keys for thousands of vehicles is error-prone and a security risk. The challenge was to create a solution that:
- Requests the correct key for every specific control unit/vehicle automatically from the Continental Key Server.
- Designs the communication with the server to be absolutely secure (protection of intellectual property and cryptographic integrity).
- Integrates the entire signing process seamlessly into the existing CI/CD pipeline.
The Solution: Automated Cloud Signing
I developed a highly secure interface that connects the build process directly with Continental’s backend systems.
1. Secure Server Communication via mTLS
To ensure that only authorized build instances have access to the key server, communication was secured via mutual TLS (mTLS). This guarantees both the identity of the client and the encryption of the transport path.
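What makes the TLS "mutual" is a pair of settings, one on each side. The following is an added example, not code from the project described here, using Python's standard `ssl` module; the function names, the file-path parameters and the TLS 1.2 floor are assumptions.

```python
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2  # assumed policy floor, not stated on the page


def build_agent_context(ca_file, cert_file, key_file):
    """Client side: the build instance that contacts the key server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_TLS
    ctx.load_verify_locations(cafile=ca_file)      # trust only the private CA
    ctx.load_cert_chain(cert_file, key_file)       # identity shown to the server
    return ctx


def key_server_context(ca_file, cert_file, key_file):
    """Server side: reject any peer without a certificate from the client CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # default verify_mode is CERT_NONE
    ctx.minimum_version = MIN_TLS
    ctx.verify_mode = ssl.CERT_REQUIRED            # this line makes the TLS mutual
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def policy_violations(ctx, server_side):
    """Return the reasons a context would not give mutual authentication."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("client certificate not required" if server_side
                        else "server certificate not verified")
    if not server_side and not ctx.check_hostname:
        problems.append("server hostname not checked")
    if ctx.minimum_version < MIN_TLS:
        problems.append("TLS versions below 1.2 allowed")
    return problems
```

Running `policy_violations` over a context before it is used catches the common failure where the server side is left at its default and the link silently degrades to one-way TLS.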
2. Automated Signing Workflow
The workflow I implemented handles the following steps:
- Identification: Determination of the target hardware type and the required key set.
- Request: Secured request to the central Key Server.
- Signing: Execution of the cryptographic signing of the firmware image using the key provided by the server or via remote signature request.
- Validation: Local verification of the signature before the image goes into delivery.
3. CI/CD Integration
The entire tooling was integrated as a stage in the Jenkins pipeline. This realized the “touchless” approach: from code change to signed release image, no manual intervention occurs anymore, which massively increases process security.
Result
The automation not only saved significant time but also minimized the risk of misconfigurations in key assignment. The system meets the strict requirements of ISO 21434 and is today an integral part of software production for modern driver assistance systems.