views: 6017

answers: 3

How do I create a self-signed certificate for code signing using tools from the SDK?

+3  A: 

There's a PowerShell script over on HuddledMasses.org which asks you a few questions up front and then generates everything and imports them ...

Also, it uses OpenSSL rather than makecert, so you can use it on machines where the devtools/sdk haven't been installed...

Jaykul
+22  A: 

While you can create a self-signed code-signing (SPC) certificate in one go, I prefer to do the following:

Creating a self-signed Certificate Authority (CA)

makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser
         -a sha1 -sky signature -sv MyCA.pvk MyCA.cer

(watch for line-breaks)

This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the sha1 algorithm. The key is meant for signing (-sky).

The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.

Importing the CA Certificate

Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snapin, but from the command line:

certutil -user -addstore Root MyCA.cer

Creating a code-signing (SPC) Certificate

makecert -pe -n "CN=My SPC" -a sha1 -sky signature
         -ic MyCA.cer -iv MyCA.pvk
         -sv MySPC.pvk MySPC.cer

Pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).

We'll also want to convert the certificate and key into a PFX file:

pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx

If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.

You can now use this certificate for signing code:

signtool sign /v /f MySPC.pfx MyExecutable.exe

If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snapin), you can sign code as follows:

signtool sign /v /n "Me" /s SPC /d http://www.me.me
              /t http://timestamp.url MyExecutable.exe

Roger Lipscombe
+1 for examples and for using timestamping.
Bratch
Should CA.cer in the certutil command be MyCA.cer?
Jon Drnek
Yep. Fixed. My original scripts have CA.cer, but I thought it'd be clearer to put "My" on stuff, so you could tell where it came from.
Roger Lipscombe
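Roger's makecert / certutil / pvk2pfx / signtool sequence, scripted end to end as an added PowerShell example (it is not from the answer or from the SDK documentation). It adds a code-signing EKU, SHA-256 where the tools support it, a passphrase on the PFX and a final check of the signature. File names, subject names, the passphrase and the timestamp URL are placeholders; the SDK tools are assumed to be on PATH:

```powershell
# Added example, not part of any answer above: scripts the makecert / certutil /
# pvk2pfx / signtool steps end to end and then checks the result.
# Assumes the Windows SDK tools are on PATH. File names, subject names, the
# passphrase and the timestamp URL are placeholders to change.
param(
    [string]$Exe          = 'MyExecutable.exe',       # placeholder: file to sign
    [string]$PfxPassword  = 'change-me',              # pvk2pfx -po needs it in clear text
    [string]$TimestampUrl = 'http://timestamp.url'    # placeholder, as in the answer
)
$ErrorActionPreference = 'Stop'

# Run an SDK tool and stop on a non-zero exit code instead of silently going on.
function Invoke-Tool([string]$Tool, [string[]]$ToolArgs) {
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool exited with code $LASTEXITCODE" }
}

# 1. Self-signed CA. makecert shows a dialog for the .pvk password; leave it
#    empty or remember it for pvk2pfx -pi below. -a sha256 needs a newer makecert;
#    fall back to sha1 on old SDKs.
Invoke-Tool makecert @('-r', '-pe', '-n', 'CN=My CA', '-ss', 'CA', '-sr', 'CurrentUser',
                       '-a', 'sha256', '-sky', 'signature', '-sv', 'MyCA.pvk', 'MyCA.cer')

# 2. Trust the CA for the current user only (no admin rights, no machine-wide trust).
Invoke-Tool certutil @('-user', '-addstore', 'Root', 'MyCA.cer')

# 3. Code-signing leaf issued by that CA. -eku restricts it to code signing
#    (1.3.6.1.5.5.7.3.3), so it cannot double as e.g. a server certificate.
Invoke-Tool makecert @('-pe', '-n', 'CN=My SPC', '-a', 'sha256', '-sky', 'signature',
                       '-eku', '1.3.6.1.5.5.7.3.3',
                       '-ic', 'MyCA.cer', '-iv', 'MyCA.pvk', '-sv', 'MySPC.pvk', 'MySPC.cer')

# 4. Bundle key and cert into a passphrase-protected PFX (add -pi <pvk password> if one was set).
Invoke-Tool pvk2pfx @('-pvk', 'MySPC.pvk', '-spc', 'MySPC.cer', '-pfx', 'MySPC.pfx', '-po', $PfxPassword)

# 5. Sign with a SHA-256 file digest (/fd, newer signtool) and a timestamp, so the
#    signature stays valid after the certificate expires.
Invoke-Tool signtool @('sign', '/v', '/fd', 'sha256', '/f', 'MySPC.pfx', '/p', $PfxPassword,
                       '/t', $TimestampUrl, $Exe)

# 6. Check the result the way Windows will: the chain must build to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $Exe
if ($sig.Status -ne 'Valid') { throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)" }
"Signed by: $($sig.SignerCertificate.Subject), issued by: $($sig.SignerCertificate.Issuer)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Because the CA was imported into the current user's Root store only, the signature verifies as Valid for this user but shows as untrusted on any other account or machine, which is what you want from a self-signed test CA.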
A: 

I am trying to create an SSL certificate using the mentioned steps, but I am not able to do that. Some of the cmd line options are not available on my system, such as -r and -sky. Is there any solution for this?

Coder
Which version of MAKECERT are you using? Does it list `-sky` when you type `MAKECERT -!` for extended help?
Roger Lipscombe