I'm trying to sign an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe.

When I look at the file properties, it says "The certificate in the signature cannot be verified."

When I view the certificate it says "Windows does not have enough information to verify the certificate."

On the certification path tab, it says "The issuer of this certificate cannot be found."

In Internet Explorer, the certificate is recognized as signed but the user receives warnings that the publisher is not verified.

I've tried creating a single PFX file containing my certificate along with the root and intermediate certificates that chain to my Thawte developer certificate, and then re-signing the control using that PFX file. No dice.

Any suggestions?

A: 

The question actually contains the correct procedure-- do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key. Also, use a timestamp server. My problem was that I had the wrong root certificate included in my PFX, so the certificate used to sign couldn't chain back to the root.

After creating the appropriate PFX file-- which was an odyssey in itself-- the command I used to do the signing was:

signtool sign /f my_certificates.pfx /p my_passphrase /t http://timestamp.verisign.com/scripts/timstamp.dll my_activex_control.ocx
davidcl
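
Added example, not part of the answer above and not the poster's code: a PowerShell check, run before signing, that the certificates inside a PFX actually link from the signing certificate up to a self-signed root, which is the failure the answer describes. The `$PfxPath` parameter is an assumption, and `Get-PfxData` needs the Windows PKI module.

```powershell
# Added example: check that a PFX holds a complete chain for its signing cert.
# Assumption: $PfxPath points at your own PFX; the passphrase is prompted for.
param([Parameter(Mandatory)][string]$PfxPath)

$password = Read-Host -AsSecureString -Prompt 'PFX passphrase'
$pfx      = Get-PfxData -FilePath $PfxPath -Password $password

$signer = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $signer) { throw 'No end-entity certificate found in the PFX.' }
$pool = @($pfx.OtherCertificates)

# Pass 1: follow issuer names using only certificates that are in the PFX,
# so a wrong or missing root shows up even if this machine's certificate
# stores could fill the gap.
$current  = $signer
$complete = $false
for ($depth = 0; $depth -le $pool.Count; $depth++) {
    '{0}: {1}' -f $depth, $current.Subject
    if ($current.Subject -eq $current.Issuer) { $complete = $true; break }  # self-signed root
    $issuer = $pool | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
    if (-not $issuer) { "   issuer not in PFX: $($current.Issuer)"; break }
    $current = $issuer
}
"Chain complete inside PFX: $complete"

# Pass 2: let Windows build and cryptographically validate the chain, with
# the PFX's other certificates offered as candidates. Revocation checking is
# switched off so the result reflects chain building only.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $pool) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
$valid = $chain.Build($signer)
"Windows chain build succeeded: $valid"

# PartialChain means an issuer could not be found; UntrustedRoot means the
# chain ends in a root that this machine does not trust.
foreach ($s in $chain.ChainStatus) {
    '   {0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
}
```

After signing, `signtool verify /pa /v my_activex_control.ocx` prints the chain that Windows builds from the embedded signature.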
