A PKI Code Signing Certificate question.

Hello,
Can someone please help me with the following question.
I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
what I did.
1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
3: Took the came certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store the PC that will be running the signed code. This step was done so the user does not receive
a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the
way I sorted this at the time was to take the whole certificate as above and import to this store.
The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? in other words should I have imported the certificate 'minus its
private key' into the trusted publishers store?
Also, I understand you have to have the certificate along with is private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example),
is that correct i.e. is that what it mean to sign code?
if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value.
Is this correct?
My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
if the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean which every computer I logon to in the domain I would
have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense can this be done/is this done?
Basically I need to understand the above, in order to understand more about Crypto.
I also need create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating and AD account called 'XYZCorpCodeSigning' or what ever, and issuing a code singing cert to this entity. If the private key could be stored
in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
I know there are several question above, but it would be great it they would be answered as I would help me understand more about how it all works and to solve a problem too
Thanks very much
AAnotherUser__
AAnotherUser__

> The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
yes, it is not correct. Only public part should be imported to a Trusted Publishers container.
> is that correct i.e. is that what it mean to sign code
exactly. Encryption with private key and decrypting with public key is called "digital signature".
> if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same
value. Is this correct?
yes. Client uses only public part of the certificate to validate the signature.
> As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
normally code signing certificates are not stored in Active Directory and should not be there, because signing certificate is included in the signature field.
> I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
this is wrong assumption. A user is responsible to protect signing private key from unauthorized use.
> If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
wouldn't, because if something happens -- you will never know who compromised the key.
as a general practice, we recommend to purchase at least few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who the only has access to a smart card
(and PIN) and signs the code upon dev request. Or issue a dedicated smart card with unique signing certificate to each developer. However this will add a complexity in signing certificate trust management.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell FCIV tool.

Similar Messages

What code signing certificate has to be added for Adobe Air Native Installer?

Hi,
I'm developing Adobe Air application. I need to digitally verify the application to add the publisher's name with the product. I did a little research and came to know that Symantec, Thawte, Comodo, Comodo-Tucows, Digicert, Godaddy and couple of others are doing this.
Yes. I'm talking about the Code Signing Certificate. My question is, What code signing certificate has to be added for Adobe Air Native Installer? The reason is, The native installer will have an extension .exe ( Windows ) and .dmg ( MAC OS X ).
These guys are providing certificate for Adobe Air. For instance, If the application is exported using Native Installer in Windows, The application will have an .exe extension. For this, Can I use the same Adobe Air code signing certificate or Should I go for Microsoft Autheticode ( for .exe ) certificate?
Thanks in advance.

I think comodo code signing certificate is one of the nice option to be added for Adobe Air, as i have seen comodo code signing certificate in other adobe programs. Recently i bought comodo code signing from https://cheapsslsecurity.com/comodo/codesigningcertificate.html, to sign one of my adobe application and it works fine, you can use microsoft authenticode technology with comodo code signing.

Applocker and expired code signing certificates

Is it possible to allow applocker to use expired code signing certificates for old applications ?
Thanks, Magnus
Magnus

Hi Magnus,
>>Is it possible to allow applocker to use expired code signing certificates for old applications ?
As far as I know, we should be unable to do this. If a certificate is expired, it is no longer considered an acceptable or usable credential.
Regarding this question, the following thread can be referred to as reference.
AppLocker Issue in Windows 7
https://social.technet.microsoft.com/Forums/windows/en-US/2c78848d-2601-40d2-99c0-9b5c23b735e4/applocker-issue-in-windows-7?forum=w7itprosecurity
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

Windows Code Signing Certificate

How to convert Windows Code Signing Certificate from p7s format to AET format

Where did you get this 'p7s' file? Did someone try to send you an AET in an SMIME encoded message?
File extension: p7s, is usually associated with a file containing PKCS #7 signed data and 'AET' usually refers to an 'Application Enrollment Token', which is associated with Windows Phone Enterprise application management.
To create an AET for Windows Phone you need to have a proper code signing certificate from Symantec. (...you can't use just any code signing certificate.)
When you obtain a code signing certificate from Symantec it should be installed into your computers certificate store. You can then export the certificate and private key to a *.pfx file to use for signing apps or if you need to move it to a different
computer.
see:
Windows Phone 8: Steps to acquire an Enterprise Mobile Code Signing Certificate required to sign LOB or company apps
and:
Frequently asked questions about Windows Phone Company Hub apps
Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast
your votes for existing suggestions.

Using a Code Signing Certificate for download on Azure

Currently, I have a hosted web application and Web API on a VM that I use to allow users to download an executable file that is signed with a Code Signing certificate. My question is how would I do the same thing with a Web Role or Cloud Service? The
goal is to move to PAAS in Azure with our web application.
Thanks for any help in advance.

I appreciate the link to the article, but I don't need an SSL certificate, I need a code signing certificate. I'm afraid this post does not help me at all. What I need is a certificate to sign my downloadable applications with. I have
an .exe file that users can download, and I need those people to know my code can be trusted, which is why I need the code signing certificate. My problem is how do I utilize this with a Web Role or Cloud Service?

The name ("common name") of a valid code-signing certificate in a keychain within your keychain path. A missing or invalid certificate will cause a build error. [CODE_SIGN_IDENTITY]

The name ("common name") of a valid code-signing certificate in a keychain within your keychain path. A missing or invalid certificate will cause a build error. [CODE_SIGN_IDENTITY]

If you could ask a coherent question, maybe...
Perhaps you should be posting in the developers forums...

How to use Java code signing certificate in oracle 11i

Hello,
I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
could you please give me some advice on it?
Thanks
Prince

Hussien,
I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting warning error
adogif() unable to generate Jar Filers under JAVA_TOP.
executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
Error JarSigner subcommand Exited With status 1.
No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner at java.net.URLClassLoader$1.run(URLClassLoader.java:202) at java.security.AccessController.doPrivileged(Native Method) at java.net.URLClassLoader.findClass(URLClassLoader.java:190) at java.lang.ClassLoader.loadClass(ClassLoader.java:306) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301) at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner. Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output: oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ... About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
Please let me know if you have any idea. Thanks Prince

Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
About the Code Signing Certificate problem:
When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
The Google Groups Adobe AIR page is here:
http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
Any ideas about these issues?
Thanks!
Oscar

I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
About the Code Signing Certificate problem:
When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
The Google Groups Adobe AIR page is here:
http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
Any ideas about these issues?
Thanks!
Oscar

Differences between SSL and Code-Signing Certificates

Hello,
I unsuccessfully tried to use a SSL - certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned, that SSL certificates and code-signing certificates are different things (after seeking the web for ours). Can somebody point out some source of information about this topic ? What are these differences ? Can I convert my SSL certificate into a code-signing certificate ?
Things got even more confusing for me, since my first attempt with an wrongly converted SSL cetificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
Ulf

yep, looks like it.
keytool can be used with v3 x509 stores:
Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
jarsigner needs a keystore so I would assume public and private key pair.
you could list the keys from your store:
C:\temp>keytool -list -keystore serverkeys.key
Enter keystore password: storepass
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
client, Jul 5, 2005, trustedCertEntry,
Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
server, Jul 5, 2005, keyEntry,
Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
The server is the private key, this can be used with jarsigner (alias option).
C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
-signedjar sTest.jar test.jar client
jarsigner: Certificate chain not found for: client. client must reference a val
id KeyStore key entry containing a private key and corresponding public key cert
ificate chain.
C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
-signedjar sTest.jar test.jar server

Code Signing certificate expired

Hello,
I please need an information about SGDEE 4.1 login applet: it seems
applet code signing certificate was expired on September 2, 2005.
I have no problem (after I deleted all expired root certificates from
local client repository) with Internet Explorer 6SP1, but Mozilla Firefox
always prompt me a warning with this contents:
Serial:
[62374265099632433790334794162326322759]
Issuer:
N=VeriSign Class 3 Code Signing 2001 CA,
OU=Terms of use at https://www.verisign.com/rpa (c)01,
OU=VeriSign Trust Network,
O="VeriSign, Inc."
Valid From: Wed Sep 01 02:00:00 CEST 2004,
To: Fri Sep 02 01:59:59 CEST 2005
Subject:
CN="Tarantella, Inc.",
OU=Digital ID Class 3 - Netscape Object Signing,
O="Tarantella, Inc.",
L=Santa Cruz,
ST=California,
C=US
Thank you very much in advance,
Best Regards,
Valerio Morozzo

I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.
But now, we obtained a commercial AIR signing certificate from Thawte and the process failes in step 3) ADT saying
'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.
On mac, it says that signing native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.
I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of application results in "Installer mis-configured' error message - the same error as if the migration process was not applied.
I already contacted Thawte if it is a certificate issue, reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate the whole process seem to succeed. The application can be installed on machines without previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.
I want to mark out again, that the same process but with a self signed certificate created with ADT, is successfull and the application can be installer as an update on machines with older version of the app. So I assume the workflow is correct.
Any ideas? Or somebody having the same issue?
Thanks

Code Signing Certificate

Generate a Code Signing Certification using he openssl application:
* Generate code signing key
* Generate code signing certificate request
* Generate code signing certificate
please can you help me in finding the commands for doing so plzzzzzzzzzzzzzzzzzzzzze

These are called "code signing certificates" and are emitted by "certificate authorities", such as VeriSign, Entrust, Thawte, Digicert, Comodo and many others.

Code Signing Certificate Options

Hi Guys,
Have just finished and Air application and need to sign it before distribution. Anyone got any good advice on the pros and cons of the various Code Signing options for Adobe Air out there?
Richard

I have just created a self-signed code-signing certificate, I used XCA to generate it which is a front-end for openssl. Obviously being generated from a self-signed rootCA it is not going to be trusted by the outside world but it is good enough for an internal Profile Manager setup since the enrollment process will automatically trust your own self-signed rootCA.
Anyway, when trying to install it I did come across a gotcha which might help you and others here. I found that if I imported the certificate in to Keychain Access e.g. by double-clicking on it, then Server.app did not list it as an available certificate for Profile Manager code-signing. However if instead I used the option in Server.app under Profile Manager to import the code-signing certificate it was accepted.
In theory importing via Keychain Access should work as well but it did not, so if you have been doing it that way try importing via Server.app instead.
If you have already imported it via Keychain Access just delete it from your Keychain and try again.
With regards to the suggestion from ajm_from_WA for buying one from www.ssls.com I could not find any code-signing certificates listed on their website. These are different to ordinary website certificates.

Code-signing Certificate Renew issue

We recently renewed our Verisign code-signing certificate, only to discover that it breaks the auto-update process with the notorious error "This application cannot be installed because this installer has been mis-configured." We were able to make it work by using the ADT -migrate command. That is all well and wonderful. But there are two issues I see. First, there is a 180 day cut-off, beyond which users can no longer be updated. Then, when our certificate gets renewed again next year we might be stuck in a situation where we have to choose which users get to be updated and which are orphaned and are forced to uninstall/re-install.
Furthermore, how much of this pain we have to live with becomes a function of how long a certificate we are willing to pay for. If we're a small company forking out the money for a 3 year certificate might be kind of painful. Why should this be a factor? Why is it not straight-forward to renew the same certificate and have installations back to the beginning of time be alright with it?
It could be there is something about the renewal process that is not right. However, when I renewed my Verisign cert their process pretty much forced me to keep everything about the renewed cert the same as the original, otherwise it would not be a 'renewal'.
If there is an arcane trick we are missing I would be most appreciate to know what it is. This should not be this difficult.
Thanks
Kevin

Hi Kevin,
I've asked around and learned that the process as you describe is "as designed". However, there are stratigies for minimizing the downsides.
For more information, please see the following documents:
AIR 2.6 Extended Migration Signature Grace Periods
Update Strategies for Changing Certificates
Update Your Applications Regularly
Code Singing in Adobe AIR
Hope this helps,
Chris

Thawte code signing certificate problem

Hi everyone!
I wonder if someone here could help me out a little bit?
I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have mac). So I used my default browser Safari. And now I can´t find any instructions how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it´s too late. I have to use same browser I have used earlier.
I send this answer to Thawte too, but I´m not sure when they answer...

Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
I haven't tried it, but maybe you can import the certificate into Firefox and then re-exported it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

Configuration Profile Code-Signing Certificates

Today, I learned that the Code-Signing Certificate used for signing Device Configuration Profiles is _different_ (and much more expensive) than the SSL Certificate used by other Lion Server services.
I understand that these certificates follow a trust _chain_, and that Lion Server creates a default Code-Signing certificate based on the self-signed certificate it creates during setup. Since then, I've replaced my self-signed SSL Cert with a fully verified one.
How can I use OpenSSL to create a Code-Signing certificate based on my purchased SSL Certificate, just like Lion Server did?

You must obtain a code-signing cert from a trusted authority or it won't be trusted by any of your clients.
** Code-signing your profiles is kind of pointless if you're a small business or school. This is only useful if you're a large enterprise (or maybe a college or university) deploying profiles to many devices and are worried about tampering. A signed SSL cert more useful than a code-signing cert.
** (This is totally my opinion but that's how I see it. Code-signing certs allow your clients to determine that the code is in fact from you and it hasn't been altered in transit to the client. If this is really a concern for you then you would need to obtain a cert from a trusted authority, but I bet it's not...)

A PKI Code Signing Certificate question.

Similar Messages

Maybe you are looking for