Self-signed root certificate doesn't work on Windows - windows

I've created a self-signed CA certificate and added it to "Trusted Root Certification Authorities".
Then I've created another certificate that was signed by the CA certificate created earlier.
Then I've signed my exe with the first certificate, downloaded this file on the computer and tried to launch it. But Windows thinks that it is an untrusted file. In the file properties I can see the digital signature with my certificates' hierarchy.
So, the question is: what am I doing wrong?
Thanks.

Related

Bad Certificate for UWP app (Error code 0x800B0109)

I've created a UWP app using Xamarin Forms in Visual Studio. It is ready for release, and I do not intend publishing it to the Windows Store. Under the "Packaging" tab of Package.appxmanifest, I created a test certificate via
Configure Certificate... >> Create test certificate...
and then created the app package. I can install the application on my own device (that was used to create and publish the app) using the .appxbundle file in the package, but any other device will not install the app, saying that "Either you need a new certificate installed for this app package, or you need a new app package with trusted certificates. Your system administrator or the app developer can help. A certificate chain processed, but terminated in a root certificate which isn't trusted (0x800B0109)"
On the devices giving this error, I have installed the certificate using the Certificate Import Wizard to both the local machine's "Trusted Publishers" and "Trusted Root Certification Authorities" stores, as well as whatever stores were chosen using the automatic option, then restarted the device. When I go into Digital Signature Details under the .appxbundle file's properties, it says that "The digital signature is OK", but still gives me the same error when I try to install the app.
If there is an issue with my certificate, which says it expires on 1/7/2019, how can I create a certificate that will work? Otherwise, have I incorrectly installed the certificate on the device? I have double and triple checked and the device is set to Developer Mode. It is also on the same version of Windows 10 that my device is on.
I have also tried right clicking the .ps1 file and running with powershell, which gives me the same error. I have been following these instructions to this point: https://learn.microsoft.com/en-us/windows/uwp/packaging/packaging-uwp-apps#before-packaging-your-app
I've discovered the issue on my own. I had mistakenly installed the certificate to "Third-Party Certification Authorities" instead of "Trusted Root Certification Authorities". Once I installed the certificate to the proper stores the app was able to install.
For UWP apps, the certificate must be placed in the Trusted People store.
In my case I had installed the certificate for the current user instead of the local machine. I installed it for the local machine and it works.
Also installed it for all 3 types as shown below:
Personal
Trusted root ....
Trusted Publisher
and things started working for me after 2 hours of effort.

Can I sign a self-extracting exe with a certificate without the Code signing EKU?

I've a self-extracting .exe created with 7zip (7z.sfx). I've signed it with signtool. The signing certificate is in my Local Machine store, and its root certificate is in the "Trusted root certificate authorities" and "Trusted publishers" folders.
I would like the signature details to appear in the publisher field of the UAC prompt, but it still shows "Unknown Publisher". Anyone know what's going on? The certificate does not have the "Code signing" EKU. Will this cause the problem?
This person had a similar problem, with no answers. This question covers code signing in detail but it's still not working for me.
Ok, perhaps as I suspected, the EKU for code signing is essential for UAC. There's no problem generating the signature with a vanilla certificate, but UAC will ignore signatures generated with non code-signing certificates, even if those certificates are in Trusted Publishers, Trusted Root Authorities etc.
The EKU for code signing is 1.3.6.1.5.5.7.3.3.
The following PowerShell command gets you a self signed code signing cert...
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname sby-port -type CodeSigningCert
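The following is an added example (not code from any of the posts above) that ties the two points together: it builds a self-signed CA plus a leaf certificate carrying the Code Signing EKU, installs them in the stores Windows actually consults (CA in Trusted Root Certification Authorities, leaf in Trusted Publishers), signs a binary, and then checks the result the way UAC/Authenticode would. Assumed names: the binary is .\app.exe, C:\certs\ exists, and the session is elevated because Cert:\LocalMachine\* is written to.

```powershell
# Added example, not from the original posts. Assumed: .\app.exe exists,
# C:\certs\ exists, and the shell is elevated (Cert:\LocalMachine\* is written).
$work = 'Cert:\CurrentUser\My'

# 1. Self-signed CA: basic constraints CA=true and CertSign/CRLSign key usage.
$ca = New-SelfSignedCertificate -Subject 'CN=Example Test CA' -Type Custom `
    -KeyUsage CertSign, CRLSign -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -HashAlgorithm sha256 -KeyLength 2048 -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation $work

# 2. Leaf signed by that CA. -Type CodeSigningCert adds EKU 1.3.6.1.5.5.7.3.3,
#    which UAC/Authenticode require; a plain certificate is silently ignored.
$leaf = New-SelfSignedCertificate -Subject 'CN=Example Publisher' `
    -Type CodeSigningCert -Signer $ca -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2) -CertStoreLocation $work

# Confirm the EKU is really present before relying on the certificate.
$eku = ($leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages
if ($eku.Value -notcontains '1.3.6.1.5.5.7.3.3') { throw 'Leaf lacks the Code Signing EKU' }

# 3. Install the public halves where Windows looks for them: the CA in
#    Trusted Root Certification Authorities, the leaf in Trusted Publishers.
Export-Certificate -Cert $ca   -FilePath 'C:\certs\test-ca.cer'   | Out-Null
Export-Certificate -Cert $leaf -FilePath 'C:\certs\publisher.cer' | Out-Null
Import-Certificate -FilePath 'C:\certs\test-ca.cer'   -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath 'C:\certs\publisher.cer' -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4. Sign. Add -TimestampServer <RFC 3161 URL> if the signature must outlive the cert.
Set-AuthenticodeSignature -FilePath '.\app.exe' -Certificate $leaf -HashAlgorithm SHA256 | Out-Null

# 5. What Windows now thinks. Status is 'Valid' only when the chain ends in a
#    trusted root; an untrusted root gives UnknownError / 0x800B0109 instead.
$sig = Get-AuthenticodeSignature -FilePath '.\app.exe'
$sig | Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 6. Same check UAC performs: build the chain under the code-signing application policy.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the test CA publishes no CRL
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
if ($chain.Build($sig.SignerCertificate)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
}
```

If step 6 fails with an untrusted-root status while step 5 shows the full hierarchy in the file's properties, the chain is present but the CA landed in the wrong store (or the wrong store scope, CurrentUser versus LocalMachine), which is exactly the symptom the questions above describe.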

Code Signing Certificate Reputation with SmartScreen Filter

I am using a standard (i.e. not EV) Authenticode code signing certificate to sign a Windows desktop application in the hope that Smartscreen Filter will eventually stop blocking it.
I was hoping to certify the application but since my code signing certificate was issued by GoDaddy it appears that I can't do that since you need a certificate from Symantec, Entrust, GlobalSign, WoSign or Digicert in order to create a Windows Certification Dashboard account (the first step in the certification process).
So here's my question: Will my non-certified Windows application signed with a standard GoDaddy SHA-2 code signing certificate still accumulate reputation?
According to this article, most likely yes, but you need to check the details in your certificate:
https://social.technet.microsoft.com/wiki/contents/articles/51151.microsoft-trusted-root-certificate-program-participants-as-of-january-30-2018.aspx

CA certificate directory on Windows

I'm making a network client in C. Normally I work with Linux, and I don't know how CA certificates work on Windows. And the Windows manual is not very good.
Does a CA certificate directory (root) exist by default on Windows?
Like the directory /etc/ssl/certs/ under Linux, which is a list of CA certificates.
I need this to adapt a program which works with OpenSSL.
Can you help me? Thank you in advance.
I don't believe Windows stores your Certificates in a default file location, but rather in a registry entry. Check out this link - it's for Windows Server 2003, but I believe most of the information is still relevant.
The basic tools typically used to manage certificates are Certreq.exe and Certutil.exe.
Here is a basic C++ program example for how to insert/create a certificate for Windows. It does not address the network portion of your question, but I think you might find it useful.
Good luck.
Does a CA certificate directory (root) exist by default on Windows? Like the directory /etc/ssl/certs/ under Linux, which is a list of CA certificates.
No. You must provide a file with root and intermediate certificates with your app on Windows. It can be from Linux, or you can export the necessary certificates from the Windows Store manually through certmgr. Or you can create a list of trusted root and intermediate certificates programmatically with the help of WinAPI, like Qt does, for example.
You can access the Windows certificate store (which contains the CA certs) and manipulate certificates with these functions:
CertOpenSystemStore()
CertEnumCertificatesInStore()
CertCloseStore()
and convert a DER certificate to an OpenSSL X509 structure with:
d2i_X509()
For example, see this link: TLS client.
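The "export the necessary certificates manually" route above can be scripted. This added example (not from the original answers) walks the Windows Root stores, keeps the currently valid self-signed roots, and writes them as one PEM bundle that an OpenSSL client can load with SSL_CTX_load_verify_locations. The output path C:\certs\windows-roots.pem is an assumption.

```powershell
# Added example, not from the original answers. Assumed output path:
$bundle = 'C:\certs\windows-roots.pem'

# DER bytes -> PEM block with the 64-column base64 lines OpenSSL expects.
function ConvertTo-PemBlock {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $b64   = [Convert]::ToBase64String($Cert.RawData)
    $lines = [regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }
    return @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
}

# Roots trusted for the machine and for the current user, deduplicated by
# thumbprint and restricted to certificates that are valid right now.
$now   = Get-Date
$roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
    Sort-Object Thumbprint -Unique

$out = New-Object System.Collections.Generic.List[string]
foreach ($c in $roots) {
    # Text outside BEGIN/END lines is ignored by OpenSSL's PEM reader, so
    # each block can be annotated for later auditing of the bundle.
    $out.Add("# $($c.Subject)")
    $out.Add("# thumbprint=$($c.Thumbprint) expires=$($c.NotAfter.ToString('u'))")
    $out.AddRange([string[]](ConvertTo-PemBlock $c))
}
Set-Content -Path $bundle -Value $out -Encoding Ascii
"Wrote $($roots.Count) root certificates to $bundle"

# In the C client: SSL_CTX_load_verify_locations(ctx, "windows-roots.pem", NULL);
```

The bundle is a snapshot: Windows fetches additional roots on demand through its automatic root update, so the exported list can be shorter than what Windows itself would trust and should be regenerated periodically rather than shipped once.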

Install self-signed certificate as a Trusted Root on Windows XP

I have successfully installed a self-signed certificate to Windows 7.
The procedure was to install it first to the Trusted Root Certification Authorities (Local Computer)
and then to install it to the Trusted People (Local Computer).
(Without installing it to Trusted People Internet Explorer 11 was still issuing a warning that it cannot be verified up to a trusted certification authority).
I tried repeating the same procedure on a Windows XP machine (yes, they still exist even after their support ended:) without luck.
I still get a warning the certificate cannot be verified up to the trusted certification authority.
When I look at the certificates Internet Explorer 8 shows me, the certificate itself is missing (although when looking in certmgr.msc, I can see the certificate).
For some reason Internet Explorer chooses to ignore this certificate.
Any ideas what's going on?
Looking at the certificate in the Windows Certificate Manager (certmgr.msc), Windows says it "does not have enough information to verify this certificate".
When looking at the certificate path, the only certificate that is shown is the certificate itself (with a yellow exclamation mark), and the Certificate status indicates:
"The issuer of this certificate could not be found".
I looked carefully at the details of the faulty certificate to find why it is different from other certificates.
The issuer's name was clearly correct, so this wasn't the problem.
The field that drew my attention was "Authority Information Access".
The reason is that it contained extra data with a "URL=http:...name_of_domain.cer".
This link is to the intranet the organization uses. I've downloaded the certificate on the intranet and installed it on the client.
The certificate became valid, and now it shows two certificates in the "Certification Path"
Conclusions: it turns out Windows XP is dumb for two reasons:
Installing a certificate that has a chain to the Trusted Root Certificates is not enough for Windows XP. It tries to validate the Root Certificates up to the top of their chain (this doesn't make a lot of sense, since it should be a Root Certificate, and since Windows 7 doesn't follow this behaviour and accepts the certificate as valid).
Since both certificates held the same Common Name, Windows XP fails to show that the original certificate does have a chain, and made it a lot more difficult to track down the issue.
Hope this helps anyone who will encounter this in the future. (or not since Windows XP supported ended, as we all know:) )