How do you generate keys for Authenticode signing? - public-key-encryption

How does one generate the original public/private keys used for Authenticode signing? I see commands like this in the tutorials:
pvk2pfx.exe -pvk mykey.pvk -pi <password> -spc mycert.spc -pfx mycert.pfx -po <password>
but they don't say how to get the private key in the first place.

For testing you can generate a self-signed certificate:
REM May change depending on your installed Windows SDK
cd "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin"
REM Generate the root certificate
.\makecert.exe -r -pe -n "CN=Sample.CA" -ss CA -sr CurrentUser -a sha1 -cy authority -sky signature -sv d:\Sample.CA.pvk d:\Sample.CA.cer
REM Add the Root certificate to the user store
certutil.exe -user -addstore Root d:\Sample.CA.cer
REM Create the certificate for code signing
.\makecert.exe -pe -n "CN=Sample.CodeSigning" -eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" -a sha1 -cy end -sky signature -ic d:\Sample.CA.cer -iv d:\Sample.CA.pvk -sv d:\Sample.CodeSigning.pvk d:\Sample.CodeSigning.cer
REM Convert the certificate to pfx file format
.\pvk2pfx.exe -pvk d:\Sample.CodeSigning.pvk -spc d:\Sample.CodeSigning.cer -pfx d:\Sample.CodeSigning.pfx

According to a Twitter answer, "You need to get a Class 3 Code Signing cert from a CA."

Related

How to handle information of certificate in a PEM file

I exported certificates from keychain to a PEM file. I want to handle information of each certificate in a loop by writing a shell-script file.
When I run this command to check the file:
openssl crl2pkcs7 -nocrl -certfile [file name here].pem | openssl pkcs7 -print_certs -text | grep -E '(Subject:|Not After)'
All certificates' information will be printed. But when I run this command:
openssl x509 -in certs.pem -text
It only shows information of the first certificate in the file. I tried to get the count of certificates in the PEM file with a shell script, and it returned 1.
#! /bin/bash
i=0;
for cert in [PEM file path]; do
let "t=$i + 1";
echo $t;
done
Could anyone help me handle certificates in a PEM file? Thank you so much.
Usually the certificates are separated by the BEGIN/END-comments. You could split the PEM-string like this:
IN="$(cat certs.pem)"
# IFS is a set of single characters, not a multi-character delimiter, so it
# cannot split on the BEGIN marker; collect each block line by line instead.
CERTS=(); n=-1
while IFS= read -r line; do
  [ "$line" = "-----BEGIN CERTIFICATE-----" ] && n=$((n + 1))
  [ "$n" -ge 0 ] && CERTS[$n]+="$line"$'\n'
done <<< "$IN"
echo "${CERTS[0]}"
echo "${CERTS[1]}"
...
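An added example (not part of the question or the answer above) that does the whole job the questioner wants: walk every certificate in a PEM bundle and print its Subject and Not After, with an expiry check, using only the .NET X509 classes so it runs under Windows PowerShell 5.1 or PowerShell 7 on macOS/Linux. The bundle path certs.pem is taken from the question; everything else is an assumption of this example.

```powershell
# Added example, not code from the original answer. Iterates over every
# certificate in a PEM bundle (certs.pem, the file named in the question) and
# prints Subject / NotAfter per certificate, which "openssl x509 -in" cannot do
# because it only reads the first block.
param([string]$Path = ".\certs.pem")

$pem = Get-Content -Path $Path -Raw

# Each block between the BEGIN/END markers is base64-encoded DER. Base64 never
# contains '-', so [^-]+ captures exactly one body without crossing into the
# next marker.
$pattern = '-----BEGIN CERTIFICATE-----(?<body>[^-]+)-----END CERTIFICATE-----'
$blocks  = [regex]::Matches($pem, $pattern)

"Found $($blocks.Count) certificate(s) in $Path"

$i = 0
foreach ($m in $blocks) {
    $i++
    # Strip the line breaks the PEM encoder inserted, then decode to DER.
    $der  = [Convert]::FromBase64String(($m.Groups['body'].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    "[{0}] Subject:    {1}" -f $i, $cert.Subject
    "    Issuer:     {0}" -f $cert.Issuer
    "    Not After:  {0:u}" -f $cert.NotAfter
    "    Thumbprint: {0}" -f $cert.Thumbprint
    if ($cert.NotAfter -lt (Get-Date)) {
        "    WARNING: certificate has expired"
    }
}
```

Save it as List-PemCerts.ps1 and run .\List-PemCerts.ps1 -Path certs.pem. Because each block is parsed into an X509Certificate2, the loop body can be extended with whatever per-certificate check is needed (key size, EKU, signature algorithm) without any further text processing.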

What is the significance of the makecert -sk keyname option?

I am using makecert.exe to create an RSA certificate and I am wondering what the significance is of this option? -sk KeyName
The documentation says "Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created"
But I don't know what that means. Is it used as some kind of seed for creating the certificate? This is my current command line:
makecert.exe -r -sr LocalMachine -ss my -a sha256 -pe -sky exchange -n "CN=Mycert"
Under what circumstances might I want to specify a KeyName?

How to solve too many parameters error when using makecert?

I am following step 2 in this tutorial.
After entering this command,
makecert -r -pe -n "CN=PC-Name" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
I am getting ERROR: Too many parameters
How do I solve this issue? Help please.
The command looks like the following:
Makecert -r -pe -n CN="www.example.com" -b 05/10/2010 -e 12/22/2011 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
If you copy the sample command from the MSDN page above and run it via the command-line, you'll get error "Too many parameters". It turns out the dash used in the MSDN post above is actually character: \u2013 (DASH-EN) and not minus \u002D and it's the minus character that the tool is expecting.
So to make this work, simply replace the hyphen with the minus sign when keying in the command as defined above. In the above sample, I have replaced the incorrect character with the correct one so feel free to just copy and paste it.

Unknown Publisher Using SHA256RSA for Signing ClickOnce Manifests

I created a self-signed CA certificate and placed it in the Current User Trusted Root Certification Authorities Certificate Store. I then created a Software Publisher Certificate using:
makecert -n "CN=Temp Name, O=Temp Corporation, C=US" -h 0 ^
-eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" ^
-e 01/01/2015 -ic "Temp CA.cer" -iv "Temp.pvk" ^
-sv "Temp SPC.pvk" -a sha256 "Temp SPC.cer"
... And merged the resulting files into a pfx file like so:
Pvk2Pfx /pvk "Temp SPC.pvk" /spc "Temp SPC.cer" /pfx "Temp SPC.pfx"
I went on to use this pfx file for signing the ClickOnce Manifests of a simple console application with Visual Studio (2013), and all was well. However, when testing the resulting Setup.exe, I noticed that the Application Install - Security Warning dialog reported the publisher to be unknown.
Following this MSDN guide, I managed to get things working as expected by excluding the -a sha256 flag, resulting in:
makecert -n "CN=Temp Name, O=Temp Corporation, C=US" -h 0 ^
-eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" ^
-e 01/01/2015 -ic "Temp CA.cer" -iv "Temp.pvk" ^
-sv "Temp SPC.pvk" "Temp SPC.cer"
I don't get this. Why does specifying -a sha256 for the SPC result in the publisher being "unknown" (and a much angrier looking dialog, yellow shield and all)?
Edit: Actually, it gets a bit weirder still; I just tried changing to -a sha512, and that works too:
makecert /n "CN=Temp Name, O=Temp Corporation, C=US" /h 0 ^
/eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" ^
/e 01/01/2015 -ic "Temp CA.cer" -iv "Temp.pvk" ^
/sv "Temp SPC.pvk" -a sha512 "Temp SPC.cer"

Is it possible to generate a certificate with custom key usage with makecert?

Is it possible to use makecert to create self-signed certificates with a specific key usage property?
I need to generate a self-signed certificate for testing. It must have the "Digital Signature" and "Non-repudiation" values on the "Key Usage" property such as described in RFC 3280 section 4.2.1.3.
I have tried some variations with the "-sky" option, such as "3" (bit 0 and bit 1 set) and "1,2". The first is not accepted and the second creates a certificate but it doesn't seem to have the "KeyUsage" property set.
Please notice that this doesn't refer to "-eku" (extended key usage).
This is the script I'm using:
makecert -r -pe -n "CN=cte-dev-CA" -ss CA -sr CurrentUser -a sha1 -sky signature -sv cte-dev-CA.pvk cte-dev-CA.cer
certutil -user -addstore Root cte-dev-CA.cer
makecert -pe -n "CN=cte-dev-SPC" -eku 1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -a sha1 -sky signature -ic cte-dev-CA.cer -iv cte-dev-CA.pvk -sv cte-dev-SPC.pvk cte-dev-SPC.cer
pvk2pfx -pvk cte-dev-SPC.pvk -spc cte-dev-SPC.cer -pfx cte-dev-SPC.pfx -po my-password
There is no argument for makecert that affects the "Key Usage" field of the created certificate. At least, I have also been unable to find one.
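An added example, not code from any of the questions or answers on this page. It covers two of them at once: the first question (how to produce the test root CA, the code-signing certificate and the PFX that pvk2pfx expects) and the question above about the Key Usage extension, which makecert cannot set but the built-in New-SelfSignedCertificate cmdlet can. It assumes Windows 10 / Server 2016 or later with the PKI module, stays entirely in the CurrentUser stores (no elevation), and uses the subject names from the first answer; the output directory, file names and the pathlength value are placeholders chosen here.

```powershell
# Added example, not from the original answers. Reproduces the makecert /
# pvk2pfx chain (test root CA -> code-signing leaf -> PFX) with the PKI
# cmdlets and, unlike makecert, sets the Key Usage extension explicitly.
# Assumptions: Windows 10 / Server 2016+, CurrentUser stores only, $Out is a
# scratch directory. Subject names follow the first answer on this page.
$Out = "$env:TEMP\authenticode-test"
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Test root CA (equivalent of makecert -r -cy authority -sky signature).
#    Basic Constraints is given in the certreq {text} syntax; pathlength=0
#    means this CA may only issue end-entity certificates.
$ca = New-SelfSignedCertificate `
    -Type Custom -Subject "CN=Sample.CA" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 -KeySpec Signature `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @("2.5.29.19={critical}{text}ca=TRUE&pathlength=0") `
    -NotAfter (Get-Date).AddYears(5) -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Trust the test root for this user only (equivalent of
#    certutil -user -addstore Root). Never put a test root in LocalMachine\Root.
Export-Certificate -Cert $ca -FilePath "$Out\Sample.CA.cer" -Type CERT | Out-Null
Import-Certificate -FilePath "$Out\Sample.CA.cer" -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# 3. Code-signing leaf issued by the test CA. EKU = code signing plus the
#    Microsoft lifetime-signing OID used in the makecert commands above;
#    Key Usage = Digital Signature + Non-repudiation, which -sky cannot express.
$leaf = New-SelfSignedCertificate `
    -Type Custom -Subject "CN=Sample.CodeSigning" -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeySpec Signature `
    -KeyUsage DigitalSignature, NonRepudiation `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13") `
    -NotAfter (Get-Date).AddYears(1) -KeyExportPolicy Exportable `
    -CertStoreLocation Cert:\CurrentUser\My

# 4. Verify the Key Usage extension is really present on the issued certificate.
$ku = $leaf.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
"Key Usage: $($ku.KeyUsages)"    # expected: DigitalSignature, NonRepudiation

# 5. Export key + certificate to PFX (equivalent of pvk2pfx -pfx ... -po <password>).
$pw = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $leaf -FilePath "$Out\Sample.CodeSigning.pfx" -Password $pw | Out-Null

# 6. Sign a file and check that the signature chains to the trusted test root.
Set-Content -Path "$Out\hello.ps1" -Value 'Write-Output "signed test script"'
Set-AuthenticodeSignature -FilePath "$Out\hello.ps1" -Certificate $leaf -HashAlgorithm SHA256 | Out-Null
$sig = Get-AuthenticodeSignature -FilePath "$Out\hello.ps1"
"Signature status: $($sig.Status) (signer: $($sig.SignerCertificate.Subject))"   # expected: Valid
```

The Key Usage check in step 4 is the one that distinguishes this from the makecert-based script: after running it, $ku.KeyUsages reads DigitalSignature, NonRepudiation, whereas the makecert output has no Key Usage extension at all. The exported PFX can be used anywhere the pvk2pfx output was (signtool, Visual Studio ClickOnce signing). Because the root is imported only into Cert:\CurrentUser\Root, other accounts on the machine will still report the publisher as unknown, which is the intended scope for a test certificate.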