Create my own Authenticode root certificate and submit it to Microsoft - windows

Scenario: I create my own root certificate for Authenticode (used to sign executables only). Easy. Unfortunately, it will only work on computers where I have installed the certificate!
So, I want to become an official CA (the root certificate will be present on all Windows machines of the world). As a bonus, I can sell this service to others :)
TL;DR: I want to become an official CA recognized by Microsoft for signing executables only (Authenticode, not SSL/TLS).
Questions: is it possible to submit one's root certificate to Microsoft so that they integrate it into Windows? What are the costs? Is it possible for an individual and/or small business?
Thank you in advance!

Related

VeriSign Class 3 certificate not trusted by Windows?

I distribute a Windows desktop app which has all executable files digitally signed by a Verisign Class 3 Code Signing certificate. For the vast majority of users, this seems to work fine.
However a small number of users report the certificate is invalid. They say it comes up with the message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider". This corresponds to error code CERT_E_UNTRUSTEDROOT (0x800B0109). This has also been reported on a fully-updated Windows 7 machine. So presumably my certificate is OK, but Windows sometimes doesn't trust VeriSign certificates.
Why does Windows sometimes not trust VeriSign? Is there anything I can add to my installer (also signed) which will tell Windows to trust the certificate?
There are frequent updates of the Root Certificates which Microsoft rolls out via Windows Update, but which are tagged as "optional update". Hence not all users may have them installed and may need to install them manually. This also holds for "fully updated" machines, as the automatic installation is often set to only install "important updates", which the Root Certificate updates are not.
Depending on the type of desktop application, you may have to follow certain rules when signing, too. For example applications interacting with the Windows Security Center require essentially the same signing method as drivers. That is, the certificate chain gets embedded along with the signature (/ac switch to signtool). You can get the MSCV-VSClass3.cer applicable to VeriSign certificates here.
The process is often called cross-signing, which seems to be a misnomer. While this is one step in getting your driver binary or catalog cross-signed, the vital step is that Microsoft signs the driver (or more usually the catalog file these days), which is the actual cross-signing.
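As an added diagnostic (not part of the original answer), the PowerShell script below walks a signed file's certificate chain on an affected machine and reports whether the certificate the chain terminates in is present in a local Trusted Root store. That missing root is exactly the condition behind CERT_E_UNTRUSTEDROOT (0x800B0109); Get-AuthenticodeSignature shows the same "terminated in a root certificate which is not trusted" text in its StatusMessage. The $Path parameter and the output wording are my own choices.

```powershell
# Added diagnostic script (not from the original answer). Run it on a machine
# that reports the untrusted-root error, e.g.:  .\Check-Root.ps1 -Path .\MyApp.exe
param([Parameter(Mandatory = $true)][string]$Path)

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Output "Status  : $($sig.Status)"
Write-Output "Message : $($sig.StatusMessage)"

if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
    Write-Output 'No Authenticode signature present; there is no chain to check.'
    return
}

# Build the chain the way the trust provider does, but skip revocation so an
# offline machine does not hide the root-trust question behind a CRL failure.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)

# The last element is the highest certificate Windows could locate. If the
# root itself is missing, this is an intermediate and ChainStatus says PartialChain.
$elements = $chain.ChainElements
$top = $elements[$elements.Count - 1].Certificate
Write-Output "Signer  : $($sig.SignerCertificate.Subject)"
Write-Output "Top     : $($top.Subject)"
Write-Output "Top SHA1: $($top.Thumbprint)"

$trusted = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }

if ($trusted) {
    Write-Output 'Top of chain is installed in a Trusted Root Certification Authorities store.'
} else {
    Write-Output 'Top of chain is NOT in any Trusted Root store: this is CERT_E_UNTRUSTEDROOT (0x800B0109).'
    Write-Output 'Client-side fix: install the pending root-certificate update from Windows Update,'
    Write-Output 'or have an administrator import the root. The signed application cannot do this itself.'
}

foreach ($s in $chain.ChainStatus) {
    Write-Output "Chain status: $($s.Status) - $($s.StatusInformation.Trim())"
}
```

The script reads both the machine and the user Root stores because Windows consults both when validating a signature; it deliberately does not import anything, since a root should only ever be added by an administrator or by the Windows Update root-certificate mechanism described above.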

Sign application with a certificate in ClickOnce deployment

For my Windows-based application, I would like to use ClickOnce as the deployment technology. My application will be distributed via the Internet.
In the article ClickOnce and Authenticode, I read that:
"For ClickOnce applications, you must have an Authenticode certificate that is valid for code signing. You can obtain a certificate for code signing in one of three ways:
1. Purchase one from a certificate vendor.
2. Receive one from a group in your organization responsible for creating digital certificates.
3. Generate your own certificate with MakeCert.exe, which is included with the Windows Software Development Kit (SDK)."
In my case, number 2 is not applicable.
As I read a few rows later:
"By default, ClickOnce applications signed with self-certs and deployed over the Internet cannot utilize Trusted Application Deployment."
(Emphasis mine.)
I cannot understand the meaning of this "by default". Is option #3 possible or not in my case?
And then, to understand all the possibilities, what does #1 imply? ("Purchase one from a certificate vendor") What kind of certificate should I buy? Which certificate authority can be recommended? On what should my choice depend? How much does a certificate cost?
It must be a "Microsoft Authenticode Certificate". It allows us to sign all kinds of Windows executables and code, including .exe, .cab, .dll, .ocx, and .xpi files.
It is not mandatory to sign an application, but if we do it our users won’t see a warning message stating that the author of the software is unknown.
Microsoft Authenticode Certificates need to be issued by a trusted certificate authority. Unfortunately, the prices are quite expensive. More information and some examples are on the page Microsoft Authenticode Certificates.
UPDATE: I purchased the certificate through KSoftware, which is a Comodo retailer. The price is quite good compared to alternatives: $95/year. The process is faster than I expected: I applied in the morning and in the evening my certificate was already available. (For those interested, I followed this step-by-step guide.)
See my answer to Stack Overflow question How to sign a ClickOnce application.
I would definitely suggest getting a proper code-signing certificate - your application install screen will look much nicer in this case.
(StartCom CA has been closed since Jan. 1st, 2018.) I got my code-signing certificate from http://startssl.com - and it was $100 or so in total (and you get a wild-card domain certificate for your website as well as a bonus).
It's much cheaper than going with VeriSign or TrustWave.

creating a key and signing executable with signtool

How would I sign a Visual C# executable?
SignTool.exe can't find a certificate.
How would I create a self-signed key and certificate, and have signtool be able to see the certificate and use it?
OpenSSL and Visual Studio 2010 Express are installed. Running Windows 7 Ultimate x64.
Using SignTool.exe from Windows Driver Kit.
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
With .Net, when a binary is digitally signed, it is automatically verified for integrity and authenticity during startup. While I have not personally tested this, using a self-signed certificate is probably going to cause you a great deal of problems.
If you want to digitally sign your programs, you need to invest in a code signing certificate from a CA. There are a number of companies out there that can provide this service (Verisign, Thawte), for a fee.
While the fee might seem a bit extreme in price, remember that you are not just purchasing a digital certificate but also 24/7 validation of that certificate. Any time someone starts your program it will ensure the program was written by you and that the program has not been changed since you released it.
Once you have a certificate, you can digitally sign your program by following the steps in How to: Sign Application and Deployment Manifests.
Update: If this program is strictly an internal application (limited to you or your business), you can create your own CA. Since you would be the only one running it, only you would need to validate it. The CA certificate would need to be installed as a Trusted Root Certificate on all the machines that would run the program (or if you have access to Windows Server, you could set up a real working CA).
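The internal-CA route from the update above, written out as an added PowerShell example (not code from the original answer). It builds a two-tier PKI with the Windows PKI module cmdlets: a self-signed root whose public half is imported into Trusted Root on each client, and a separate code-signing certificate issued by that root, which is the only key the build machine ever holds. "Contoso", the file names and MyApp.exe are placeholders; the cmdlet parameters -Signer and -TextExtension assume Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the original answer): two-tier internal code-signing PKI.
# Names, paths and MyApp.exe are placeholders.

# --- 1. Root CA: create on a machine that never signs builds -----------------
$rootCa = New-SelfSignedCertificate `
    -Subject 'CN=Contoso Internal Code Signing Root' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation Cert:\CurrentUser\My

# Public half of the root; this file is what every client must trust.
Export-Certificate -Cert $rootCa -FilePath .\ContosoRoot.cer | Out-Null

# --- 2. Leaf code-signing certificate issued by that root -------------------
# -Type CodeSigningCert sets the code-signing EKU (1.3.6.1.5.5.7.3.3).
$signing = New-SelfSignedCertificate `
    -Subject 'CN=Contoso Build Signing' `
    -Type CodeSigningCert `
    -Signer $rootCa `
    -KeyLength 3072 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\CurrentUser\My

# Password-protected PFX for the build machine; the root key stays behind.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $signing -FilePath .\ContosoSigning.pfx `
    -Password $pfxPassword | Out-Null

# --- 3. On every client (run elevated): trust the root, never the leaf ------
Import-Certificate -FilePath .\ContosoRoot.cer `
    -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# --- 4. On the build machine: sign and embed the full chain -----------------
$cert = Get-PfxCertificate -FilePath .\ContosoSigning.pfx   # prompts for the password
Set-AuthenticodeSignature -FilePath .\MyApp.exe -Certificate $cert `
    -HashAlgorithm SHA256 -IncludeChain All | Out-Null
# Add -TimestampServer '<RFC 3161 URL>' so the signature outlives the certificate.

# --- 5. Check: reports 'Valid' only on machines where step 3 was done -------
$result = Get-AuthenticodeSignature -FilePath .\MyApp.exe
'{0} : {1}' -f $result.Status, $result.SignerCertificate.Subject
```

Keeping the root key off the build machine matters because the leaf, not the root, is the credential an attacker would want; if the leaf PFX leaks you revoke or simply stop trusting that leaf, while the root installed on every client stays untouched. Clients import only ContosoRoot.cer, so their trust decision is made once by an administrator, which is the same constraint the ClickOnce question below runs into.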

Automatically Install: Self-Signing ClickOnce Manifests with Cert > Need App to Install Root CA in Trusted Root Certs on Client PC

ClickOnce is supposed to use a signing cert for distribution. If I was developing a major app, I could understand purchasing a cert. However, my app is for a small-sized company and I cannot justify the expense.
My question is, when my app first installs, how might I install my self-signed Root CA into Trusted Root Certificates automatically so there are no issues with my self-signed program?
My current self-signed CA Root and program cert were set up between Exchange 2010/IIS 7.0 and OpenSSL. The clients will be remote so I do not want to use Microsoft's Certificate Authority. You can see how I developed the certs at http://www.tekcrack.com/creating-your-own-self-signed-sans-certificate-for-exchange-2010-and-iis-70-1of3.html
Has anyone encountered the same problem? What route did you take to work around it...for free?
I don't know if that certificate will work for ClickOnce deployment. What you need is a code-signing certificate. I think you can buy one from GoDaddy for less than a hundred bucks, which is pretty inexpensive for giving your customers that nice warm feeling of having a trusted publisher.
If your customer has a domain administrator and any kind of central IT group, they can create a certificate for you that will be trusted.
You can't install a certificate programmatically on the user's computer. A ClickOnce application will not have that level of privilege. You have to have the customers install the certificate. Plus, it would be a huge security gap if people could install certificates without the user's knowledge.
And my last words of wisdom -- be sure your certificate is password-protected, and nobody can get their hands on it. If they do, and the certificate is installed in the store on the user's computer, they will be able to install applications on the user's computer in your name.
Having said all of that, I think this article will be helpful to you:
http://msdn.microsoft.com/en-us/library/ms996418.aspx#clickoncetrustpub_topic1

Get rid of "Publisher Unverified" warnings in Windows for executables

I have made an application for Windows & every time I run the application by opening the executable file I get the "Publisher Unverified" warning in Windows. It would be fine if I was the only audience for this app, but that's not the case. Is there any way to program my app such that this message does not show up for the users?
The only way to do this is to obtain and use a code signing certificate from a trusted source. Microsoft calls this Authenticode.
Unfortunately for the little guy, these cost. Verisign sells theirs for about four hundie a year.
Here are some starting points you should read about Authenticode:
http://msdn.microsoft.com/en-us/library/ms537359(VS.85).aspx
http://technet.microsoft.com/en-us/library/cc750035.aspx
http://msdn.microsoft.com/en-us/library/aa379872(VS.85).aspx
Some certificate dealers:
http://www.verisign.com
http://www.thawte.com
http://www.globalsign.net
http://www.geotrust.com
For a cheaper code signing certificate, you can use Comodo. There is a reseller called KSoftware which sells their certificates for $99/yr:
http://www.ksoftware.net/code_signing.html
I used them a few years ago and had no problems.
You can then use SignTool from the .net SDK to sign your EXE files. There is a tutorial here:
http://www.tech-pro.net/code-signing-for-developers.html
I think there is a way to resolve this. We need to add a digital signature to the executables. The way to add digital signatures is very nicely outlined at:
http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/
http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
Basically we will use OpenSSL to create our own digital signatures and then use the SignTool application by Microsoft to add it to our executable.
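The OpenSSL-then-SignTool flow this answer describes, as an added example typed into PowerShell (this is my own code, not the commands from the linked blog posts). It assumes OpenSSL 1.1.1 or later (for -addext) and signtool.exe are on PATH; MyApp.exe, the file names and the timestamp URL are placeholders. Step 4 shows the caveat the answer leaves out: a certificate you made yourself is trusted only on machines where someone has imported it, so the "Publisher Unverified" warning remains for everyone else.

```powershell
# Added example (not from the original answer or the linked posts).
# Assumes openssl (1.1.1+) and signtool are on PATH; names are placeholders.

# 1. Self-signed certificate valid *only* for code signing (EKU 1.3.6.1.5.5.7.3.3).
#    OpenSSL prompts for a passphrase that encrypts the private key on disk.
openssl req -x509 -newkey rsa:3072 -sha256 -days 365 `
    -keyout signing-key.pem -out signing-cert.pem `
    -subj '/CN=Example Self-Signed Code Signing' `
    -addext 'keyUsage=critical,digitalSignature' `
    -addext 'extendedKeyUsage=codeSigning'

# 2. Bundle key and certificate into a password-protected PFX for SignTool.
openssl pkcs12 -export -inkey signing-key.pem -in signing-cert.pem -out signing.pfx

# 3. Sign with a SHA-256 file digest (/fd) and an RFC 3161 timestamp (/tr, /td),
#    so the signature stays verifiable after the certificate expires.
$pfxPassword = Read-Host -Prompt 'PFX password'
signtool sign /v /f signing.pfx /p $pfxPassword /fd sha256 /td sha256 `
    /tr 'http://<timestamp-server>' MyApp.exe

# 4. Verify under the normal Authenticode policy (/pa). On any machine that has
#    not imported signing-cert.pem into Trusted Root this fails with the same
#    "terminated in a root certificate which is not trusted" error seen above,
#    and the "Publisher Unverified" prompt is still shown to users.
signtool verify /pa /v MyApp.exe

# 5. On a test machine only (elevated): convert to DER, import, verify again.
openssl x509 -in signing-cert.pem -outform DER -out signing-cert.cer
Import-Certificate -FilePath .\signing-cert.cer -CertStoreLocation Cert:\LocalMachine\Root
signtool verify /pa /v MyApp.exe    # succeeds on this machine only
```

Step 3 passes the PFX password on the command line for brevity; on a shared build server prefer a certificate in the Windows store (signtool's /n or /sha1 selectors) so the password never appears in process listings or shell history. The timestamp step is worth keeping even for self-signed certificates: without it, every signature stops verifying the day the certificate expires.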
