Posts Tagged ‘Code Signing’

8 July 2010

Code signing confuses not only people doing it for the first time but also those who have done it before, probably because the documentation is thin relative to the number of steps involved. Here I describe the procedure in some detail.

Combining the private key and code signing certificate files:

Prerequisite: download the PVK Digital Certificate Files Importer (PVKImprt.exe) from Microsoft. Open a command prompt, change to the folder containing your PVK (private key) and SPC (code signing certificate) files, and run the following command, substituting your own file names. The order of the two arguments matters: the SPC file comes first, the PVK file second.

pvkimprt -PFX mycert.spc mykey.pvk

Now proceed as follows:

#1. Enter the password associated with your private key (if any). The Certificate Export Wizard appears. Click Next.

#2. In the Export Private Key window select “Yes, export the private key”. Click Next.

#3. In the Export File Format window select Personal Information Exchange – PKCS #12 (.PFX), and make sure that both “Include all certificates in the certification path if possible” and “Enable strong protection” (requires IE 5.0, NT 4.0 SP4 or above) are checked. Including the chain matters: without the intermediate certificates a verifier may be unable to build a path from your certificate to a trusted root. Click Next.

#4. The Password window appears. Enter a password, preferably a strong one, since the PKCS#12 (PFX) file the wizard creates contains your private key, and anyone who obtains the file together with its password can sign code as you. Click Next.

#5. The File Export window appears. Specify the location for the file, using the .PFX extension. Click Next.

#6. Install the PFX File into the Windows Certificate Store.

Caution: Do not use the import feature of PVKImprt.exe. It does not correctly install the intermediate certificates that may be contained in the PFX file, and Microsoft now discourages using PVKImprt.exe for importing because of differences between Windows versions. Import through the certificate manager as described below instead.

#7. In Internet Explorer select Tools, then Internet Options. Click the Content tab and press the Certificates button. The Certificates window appears.

#8. Click Import and select your .PFX file. Click Next.

#9. The Password window appears. Enter the password you assigned to the .PFX file. Make sure that “Enable strong private key protection” and “Mark this key as exportable” are selected. Strong private key protection makes Windows prompt you before each use of the key; marking the key exportable lets it be exported from the store again later, which is useful if you lose the PFX file but also means that anyone who gains control of your Windows profile can extract it. Click Next.

#10. The Certificate Store window appears. Accept the defaults and click Next.

Whew! Your code signing certificate is now installed.
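The same procedure end to end, as an added PowerShell example that is not part of the original post: it uses pvk2pfx.exe from the Windows SDK instead of the interactive PVKImprt wizard, imports the PFX with Import-PfxCertificate (the PKI module shipped with Windows 8 / Server 2012 and later) rather than through Internet Explorer, and then signs and verifies a script so you can confirm the installed certificate actually works. The file names, passwords and timestamp URL are assumptions; substitute your own.

```powershell
# Added example (not from the original post): combine the PVK and SPC into a PFX,
# import it into the current user's Personal store, sign a script and verify it.
# All file names, passwords and the timestamp URL below are assumptions; use your own.
$spc = 'mycert.spc'                 # code signing certificate from the CA
$pvk = 'mykey.pvk'                  # private key created when you requested it
$pfx = 'mycert.pfx'
$pvkPassword = 'pvk-password'       # password on the PVK; drop -pi below if it has none
$pfxPassword = 'ChangeMe-LongRandomPassphrase'   # protects the private key inside the PFX
$timestampUrl = 'http://timestamp.digicert.com'  # assumption: use the URL your CA documents

# 1. Merge key and certificate into one PKCS#12 file. pvk2pfx.exe ships with the
#    Windows SDK and does non-interactively what the pvkimprt -PFX wizard does.
#    Add -f to overwrite an existing PFX.
& pvk2pfx.exe -pvk $pvk -pi $pvkPassword -spc $spc -pfx $pfx -po $pfxPassword
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

# 2. Import into Cert:\CurrentUser\My (PKI module, Windows 8 / Server 2012 or later).
#    -Exportable is deliberately omitted so the key cannot be pulled back out of the
#    store; the PFX file is your backup, so keep it offline under its password.
$secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation 'Cert:\CurrentUser\My' -Password $secure

# 3. Check the result: the private key must be attached and the certificate must carry
#    the Code Signing EKU, which is what -CodeSigningCert filters on.
if (-not $cert.HasPrivateKey) { throw 'Imported, but no private key is attached' }
$usable = Get-ChildItem 'Cert:\CurrentUser\My' -CodeSigningCert |
          Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $usable) { throw 'Certificate is installed but is not valid for code signing' }

# 4. Sign a file. SHA-256, and a timestamp so the signature stays valid after the
#    certificate itself expires.
'Write-Host "hello"' | Set-Content -Path .\tool.ps1
$sig = Set-AuthenticodeSignature -FilePath .\tool.ps1 -Certificate $cert `
           -HashAlgorithm SHA256 -TimestampServer $timestampUrl
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# 5. Verify as a consumer of the file would. Status is Valid only if the hash matches
#    and the signer chains to a trusted root; an untrusted chain shows as UnknownError.
$check = Get-AuthenticodeSignature -FilePath .\tool.ps1
'{0}: {1} (signed by {2})' -f $check.Path, $check.Status, $check.SignerCertificate.Subject
```

If step 5 reports UnknownError rather than Valid, the usual cause is that the intermediate certificates were not included when the PFX was built (step #3 of the wizard above), so Windows cannot chain your certificate to a trusted root.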

15 June 2010

Certificates carry a declared set of permitted usages (the Key Usage and Extended Key Usage extensions). A code signing certificate is therefore a different product from a plain security certificate or an SSL certificate, and the vendor that sold you an SSL certificate, such as godaddy.com, will not necessarily sell you one. The keys and the mathematics are exactly the same; what differs is the certificate, which states the purpose the key may be used for (for code signing, the Extended Key Usage 1.3.6.1.5.5.7.3.3), and a verifier such as Windows Authenticode rejects a signature made with a certificate that does not declare that purpose, however valid the key itself is.

How much does a code signing certificate cost? An open-source (FOSS) developer can get one for free from Certum. Otherwise you pay the issuer to validate your identity, because that validation is what the certificate vouches for: the signature proves the code came from whoever holds the key, and the CA's checks are what bind that key to you. Code signing certificates are expensive, so look for the cheapest issuer whose root is already in the default certification authority (CA) trust stores loaded on most machines and browsers; at the time of writing that seems to be Comodo. Others, including Thawte and VeriSign, are well regarded but much more expensive.

The issuer has to make sure that “you are who you say you are”, so the identity check involves a fair amount of back and forth to tick all the boxes and can be time-consuming. Individuals must prove their own identity, and corporations must prove the corporation's identity. If you list a domain name as yours, the physical (street) address on the certificate must match the address on record for the domain. It is reasonable to expect more vigilance from the more expensive issuers.

As for Comodo, its code signing certificates use 2048-bit keys.
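To see the usage restriction in practice, here is an added PowerShell example that is not part of the original post. It lists every certificate with a private key in the current user's Personal store, reports its RSA key size and declared Extended Key Usages, and then shows Windows refusing to make an Authenticode signature with a certificate that lacks the Code Signing EKU (an SSL certificate, for instance). The store location and the probe file name are assumptions.

```powershell
# Added example (not from the original post): which certificates in the store may sign
# code, and what happens when you try to sign with one that may not.
$oids = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication (SSL/TLS)'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
}
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

# Return the EKU OIDs declared in a certificate (empty array if it has no EKU extension).
function Get-CertificateEkus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Assumption: you are inspecting your own Personal store.
$store = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object HasPrivateKey
foreach ($c in $store) {
    $ekus  = Get-CertificateEkus $c
    $names = $ekus | ForEach-Object { if ($oids[$_]) { $oids[$_] } else { $_ } }
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    $bits  = if ($rsa) { $rsa.KeySize } else { 'non-RSA' }
    $canSign = $ekus -contains $codeSigningOid
    '{0,-40} {1,6} bits  code signing: {2,-5} EKUs: {3}' -f $c.Subject, $bits, $canSign, ($names -join ', ')
}

# Pick a certificate that declares usages but not Code Signing, e.g. an SSL certificate,
# and try to sign with it. Windows refuses: the key and the math are fine,
# the declared purpose is not.
$tlsOnly = $store | Where-Object {
    $e = Get-CertificateEkus $_
    $e.Count -gt 0 -and $e -notcontains $codeSigningOid
} | Select-Object -First 1

if ($tlsOnly) {
    'Write-Host "probe"' | Set-Content -Path .\probe.ps1
    try {
        Set-AuthenticodeSignature -FilePath .\probe.ps1 -Certificate $tlsOnly -ErrorAction Stop | Out-Null
        'Unexpected: signed with a certificate lacking the Code Signing EKU'
    } catch {
        "Refused as expected: $($_.Exception.Message)"
    }
} else {
    'No certificate without the Code Signing EKU found in the store; nothing to demonstrate'
}
```

The table this prints is the quickest way to tell, before buying or importing anything, whether a certificate you already have is usable for signing: the key size is the same 2048 bits whether the certificate was issued for SSL or for code signing, and only the EKU line differs.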