
How To Be Your Own Certificate Authority and Create Your Own Certificate to Sign Code Files

20 Sep 2019, CPOL
Step-by-step instructions to create and install a Certificate Authority certificate and a signing certificate as well as a BAT file to sign a program

Introduction

A signing certificate is normally purchased from a commercial Certificate Authority (such as VeriSign). The Certificate Authority verifies your identity and issues you a certificate that chains to its own root Certificate Authority certificate, which Windows already ships in the Trusted Root Certification Authorities store on your users' computers, so signatures made with it are trusted without any extra setup. Buying your signing certificate is the best practice.

If you do not want to buy a signing certificate, you must create your own Certificate Authority certificate and a signing certificate issued from it. The Certificate Authority certificate must then be installed as a trusted root on every PC that will run your application, and that makes each of those PCs trust anything signed under your Certificate Authority, not just your programs. Many system administrators will not want to do this. If you are the system administrator for all of the Windows computers that will run your application, it is something you may decide to do, provided you protect the Certificate Authority private key accordingly.

Background

I do not claim to be a certificate expert. This is the procedure that I followed to create the Certificate Authority certificate and the signing certificate for a small non-profit organization that did not want to purchase a signing certificate. I have used the signing certificate to sign ClickOnce deployment manifests and SETUP.EXE programs that have subsequently been executed on Windows XP SP2, Windows 7, Windows 8 and Windows 10 computers.

Using the Procedure

In all of the steps below, replace COMPANYNAME with an abbreviation of your organization name (no embedded spaces).

The certificate creation and code signing tools referenced as C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\ in the examples below (makecert.exe and signtool.exe) are part of the Windows 8 SDK. Later SDKs install them under a versioned folder such as C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\ (where <version> is the SDK build you installed), and makecert.exe is deprecated in favour of the PowerShell New-SelfSignedCertificate cmdlet; adjust the paths below to match your installation.

At least Internet Explorer 7 must be installed on the PC used to execute the code signing. Any earlier version of Internet Explorer will not work.

1. Create Certificate Authority Certificate

Enter the following as a single command line. -r makes the certificate self-signed, -cy authority marks it as a Certificate Authority certificate, -a sha512 -len 4096 select the signature hash and the RSA key size, -m 600 gives it a validity of 600 months (50 years), and -sv writes the private key to COMPANYNAME.pvk:

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha512 -len 4096 -sv "COMPANYNAME.pvk" -r "COMPANYNAME.cer" -m 600

Makecert will ask you for a password to protect the Certificate Authority private key in COMPANYNAME.pvk. Don't forget it, and keep the .pvk file somewhere safe and offline: anyone who obtains it can issue certificates that every PC trusting your Certificate Authority will accept.

2. Run MMC.EXE

  1. Click File then Add/Remove Snap-in
  2. Select Certificates from the left list, click Add
  3. Select My user account, click Finish
  4. Select Certificates from the list again and Add it
  5. Select Computer account, then Local computer, and click Finish
  6. Save this configuration of MMC (File, then Save As) as Certificates.msc in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future

3. Install the new Certificate Authority Certificate

The Certificate Authority certificate goes into the Certificates (Local Computer) / Trusted Root Certification Authorities store on the computer that will do the signing and on every computer that will run your application. Writing to the Local Computer store requires administrator rights.

  1. Double-click Certificates (Local Computer)
  2. Right click on Trusted Root Certification Authorities
  3. Select All Tasks, then Import
  4. Select the new certificate (COMPANYNAME.cer) to place it into Trusted Root Certification Authorities area

The computer now implicitly trusts all certificates issued by that new Certificate Authority, and for every purpose, not only code signing, unless the certificate's purposes are restricted (a root certificate without an Enhanced Key Usage restriction is also accepted for TLS server authentication and everything else). That is why the COMPANYNAME.pvk private key must stay offline and must never be copied to your users' PCs.

In a Microsoft Active Directory environment, you can publish the Certificate Authority certificate to all domain-joined Windows computers through Group Policy (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities) instead of importing it by hand on each PC. The details are beyond the scope of this article.

4. Create the Signing Certificate

Enter the following as a single command line. -ic and -iv name the Certificate Authority certificate and private key from Step 1 that will issue this certificate; -sky signature requests a signing key; -pe makes the private key exportable (so it can later be exported to a PFX); -sr currentuser -ss my places the certificate and its key directly into the Current User / Personal store:

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha512 -len 4096 -sky signature -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"

As written, neither certificate carries an Enhanced Key Usage restriction, so the signing certificate is valid for every purpose. Adding -eku 1.3.6.1.5.5.7.3.3 to this command limits it to code signing, so that the same key cannot be used for, say, a TLS server certificate.

Makecert will ask you for a password for the new signing certificate's private key.

Makecert will ask you for the password to the Certificate Authority's private key from Step 1 above.

5. Install the Signing Certificate

The signing certificate is issued by the new Certificate Authority certificate and, together with its private key, belongs in the Certificates - Current User / Personal store of the Windows computer that will do the signing. Because Step 4 used -sr currentuser -ss my, makecert has already placed the certificate and its private key there; the import below only matters if you need to re-install the public certificate. A .cer file never carries the private key, so keep a PFX exported from the store backed up separately.

You do not have to, and should not, install this signing certificate on your users' computers. A signed file carries the signing certificate inside its signature; the users' PCs only need to trust the Certificate Authority certificate from Step 3.

  1. Right-click on Personal in Certificates - Current User
  2. Select All Tasks, then Import.
  3. Select the new signing certificate COMPANYNAMESoftware.cer to place it in the Certificates - Current User / Personal area
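The same result as Steps 1 to 5 using the PKI module cmdlets that ship with Windows 10 and Windows Server 2016 or later, as an added example that is not from the original article: New-SelfSignedCertificate replaces the deprecated makecert, both certificates are constrained to code signing, the Certificate Authority public certificate is exported for distribution and its private key to a password-protected PFX, and the root is imported into the Local Computer trusted root store without MMC. Run it in an elevated PowerShell session. The file names, the validity periods and the removal of the CA key from the store afterwards are choices made for this example, not steps the article prescribes.

```powershell
# Added example: build a private code-signing CA and a signing certificate with the
# PKI module (Windows 10 / Server 2016 and later). Run in an elevated PowerShell
# session: importing into Cert:\LocalMachine\Root requires administrator rights.
# COMPANYNAME, the file names and the validity periods below are placeholders.
$ErrorActionPreference = 'Stop'

# 1. Root CA certificate. CA=true marks it as an authority, pathlength=0 stops it
#    issuing sub-CAs, and the EKU extension limits the whole chain to code signing
#    (1.3.6.1.5.5.7.3.3), so a stolen leaf key cannot mint a trusted TLS certificate.
$ca = New-SelfSignedCertificate `
    -Subject "CN=COMPANYNAME" `
    -Type Custom `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA512 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @("2.5.29.19={text}CA=true&pathlength=0",
                     "2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
    -NotAfter (Get-Date).AddYears(50) `
    -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My

# Public half, for distribution to every PC that will run the application.
Export-Certificate -Cert $ca -FilePath .\COMPANYNAME.cer | Out-Null

# Private half, password protected; keep this file offline. It is the equivalent of
# the makecert .pvk: whoever holds it can issue certificates every trusting PC accepts.
$caPfxPassword = Read-Host -AsSecureString -Prompt "Password for COMPANYNAME-CA.pfx"
Export-PfxCertificate -Cert $ca -FilePath .\COMPANYNAME-CA.pfx -Password $caPfxPassword | Out-Null

# 2. Signing certificate issued by the CA. -Type CodeSigningCert sets the code-signing
#    EKU and DigitalSignature key usage; the key lands in Current User \ Personal,
#    which is where Set-AuthenticodeSignature and signtool /n look for it.
$leaf = New-SelfSignedCertificate `
    -Subject "CN=COMPANYNAME Software" `
    -Type CodeSigningCert `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA512 `
    -NotAfter (Get-Date).AddYears(3) `
    -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My

# 3. Trust the root on this machine (Steps 2 and 3 of the article, without MMC).
Import-Certificate -FilePath .\COMPANYNAME.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 4. The CA key is no longer needed on the signing workstation: remove it from the
#    store so that a compromise of this PC yields only the leaf key, not the CA key.
Remove-Item -Path "Cert:\CurrentUser\My\$($ca.Thumbprint)" -DeleteKey

# 5. Check that the leaf chains to the now-trusted root and is valid for code signing.
if (-not (Test-Certificate -Cert $leaf -EKU "1.3.6.1.5.5.7.3.3" -ErrorAction SilentlyContinue)) {
    throw "Signing certificate does not chain to a trusted root for code signing"
}
"Signing certificate thumbprint: $($leaf.Thumbprint)"
```

On each user PC only the Import-Certificate line (with COMPANYNAME.cer copied there) is needed; the PFX and the signing certificate stay on the signing workstation.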

6. Create a BAT File named SIGNCODE.BAT

I put my SIGNCODE.BAT file in a folder named C:\BAT so that it would be easy to type C:\BAT\SIGNCODE.BAT rather than a long folder path.

@ECHO OFF
REM SIGNCODE.BAT - sign %1 with the "COMPANYNAME Software" certificate from the
REM Current User / Personal store, then timestamp the signature, cycling through
REM several timestamp servers because timestamping is unreliable.
REM create an array of timestamp servers...
REM IMPORTANT NOTE - The SET statement and the four servers must be all on one line.
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timstamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
REM sign the file... (/n selects the certificate by subject name)
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe sign /n "COMPANYNAME Software" %1
REM stop here if signing failed; there is no point timestamping an unsigned file
if ERRORLEVEL 1 (
    echo SignCode.bat exit code is 1. Signing failed - is the "COMPANYNAME Software" certificate in Current User / Personal?
    exit /b 1
)
set timestampErrors=0
for /L %%a in (1,1,300) do (
    for %%s in %SERVERLIST% do (
        echo Try %%s
        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe timestamp /t %%s %1
        REM exit code 0 means the timestamp was applied; anything else means retry
        if not ERRORLEVEL 1 GOTO succeeded
        echo Signing problem - timestamp server %%s
        set /a timestampErrors+=1
        REM wait 6 seconds
        choice /N /T:6 /D:Y >NUL
    )
    REM wait 12 seconds...
    choice /N /T:12 /D:Y >NUL
)
REM return an error code...
echo SignCode.bat exit code is 1. %timestampErrors% timestamping errors.
exit /b 1
:succeeded
REM return a successful code...
echo SignCode.bat exit code is 0. %timestampErrors% timestamping errors.
exit /b 0

Two things to know about the signtool options before reusing this file. Without /fd, the SDK 8.0 signtool computes the file digest with SHA-1; if you no longer need to support Windows XP SP2, add /fd sha256 to the sign command and replace the legacy /t Authenticode timestamp with an RFC 3161 one (/tr URL /td sha256) where your timestamp server supports it. The server list dates from 2013 and several of those URLs have since been retired, so check with your timestamp provider for current addresses. The timestamp matters because it lets the signature remain valid after the signing certificate expires.

7. Example of How to Sign a Program

In a CMD window, navigate to the directory that contains the program to be signed and run the BAT file.

C:\BAT\SIGNCODE.BAT SETUP.EXE

Where SETUP.EXE is the program to be signed.
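A PowerShell version of Steps 6 and 7, as an added example that is not part of the original article or its BAT file: it selects the signing certificate from Current User / Personal, signs and timestamps the file with Set-AuthenticodeSignature, retries across timestamp servers the way SIGNCODE.BAT does, and then re-reads the signature to confirm that it chains to a trusted root and carries a timestamp. The subject name, the retry counts and the timestamp server list (copied from the BAT file; some of those addresses have since been retired) are assumptions, and Sign-Program.ps1 is a hypothetical file name for the script.

```powershell
# Added example: sign a file with the "COMPANYNAME Software" certificate, timestamp it
# (retrying across servers as SIGNCODE.BAT does), then verify the result.
# The subject, server list and retry counts are assumptions; the servers are the ones
# from the BAT file and may have been retired since, so substitute current ones.
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$Subject = 'CN=COMPANYNAME Software',
    [string[]]$TimestampServers = @(
        'http://timestamp.comodoca.com/authenticode',
        'http://timestamp.verisign.com/scripts/timstamp.dll',
        'http://timestamp.globalsign.com/scripts/timestamp.dll',
        'http://tsa.starfieldtech.com'),
    [int]$Rounds = 5
)
$ErrorActionPreference = 'Stop'

# Pick the signing certificate from Current User \ Personal. -CodeSigningCert keeps
# only certificates usable for code signing; the newest unexpired match wins.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $Subject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid code-signing certificate with subject '$Subject' in Cert:\CurrentUser\My" }

# Set-AuthenticodeSignature signs and timestamps in one call, so a timestamp failure is
# retried by re-signing. SHA256 file digests are verifiable on Windows XP SP3 and later.
$errors = 0
$signed = $false
:retry foreach ($round in 1..$Rounds) {
    foreach ($server in $TimestampServers) {
        Write-Host "Try $server"
        try {
            $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
                       -HashAlgorithm SHA256 -TimestampServer $server -IncludeChain NotRoot
        } catch {
            $sig = $null
        }
        # A missing TimeStamperCertificate means the signature went on without a timestamp.
        if ($sig -and $sig.Status -eq 'Valid' -and $sig.TimeStamperCertificate) {
            $signed = $true
            break retry
        }
        $errors++
        Write-Warning "Timestamp server $server failed; retrying in 6 s"
        Start-Sleep -Seconds 6
    }
    Start-Sleep -Seconds 12
}
if (-not $signed) { throw "Gave up after $errors timestamping errors" }

# Independent check: re-read the signature from the file. Status is 'Valid' only if the
# chain reaches a root in Trusted Root Certification Authorities on this machine, which
# is exactly what Step 3 set up here and what the users' PCs must also have.
$check = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    File        = $Path
    Status      = $check.Status
    Signer      = $check.SignerCertificate.Subject
    Timestamper = $check.TimeStamperCertificate.Subject
    Errors      = $errors
}
```

Run it as .\Sign-Program.ps1 .\SETUP.EXE from the folder containing the program. On a PC that does not trust the Certificate Authority certificate, Get-AuthenticodeSignature reports the same file as NotTrusted, which is a quick way to check a user machine before deployment.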

Points of Interest

I read many articles on both Microsoft and non-Microsoft web sites to piece together these instructions. Thanks to all of those that posted information that allowed me to learn how to do this and subsequently publish this step-by-step procedure of all of the steps that I followed.

History

  • 24th February, 2013 - Initial version
  • 25th February, 2013 - Added link to Windows 8 Windows SDK
  • 1st March, 2013 - Added reference to Active Directory's CA distribution capability
  • 17th October, 2014 - Added statement requiring at least Internet Explorer 7 to be installed
  • 20th September, 2019 - Changed Makecert option from -sky exchange to -sky signature.
    I found that the "exchange" option caused an error when a PFX exported from the signing certificate was used to sign an Assembly in Visual Studio. Changed -a sha1 to -a sha512 -len 4096

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)