Cannot see self created certificate in certmanager? - windows

I followed the steps in my answer to create a certificate. I will use this cert on my own computer. The command succeeded, but I see no personal certificate in cert manager (certmgr.msc). Answer - How do I create client certificates for local testing of two-way authentication over SSL?
Steps:
Launch Vs2010 Command Prompt: Start ► All Programs ► Visual Studio 2010 ► Visual Studio Tools ► Visual Studio Command Prompt (right click and Run as Administrator)
Create a self-signed (-r), private key exportable (-pe), saving to personal folder (-ss my) under local machine (Local Computer, sr localmachine), named (-n) "YangsoftCA",common name (-in) "Yangsoft.com" with private key file (-sv) as "YangsoftCA.pvk" and public key file "YangsoftCA.cer"
Command:
C:\Windows\system32>makecert -r -pe -ss my -sr LocalMachine -n "CN=YangsoftCA" -sv "YangsoftCA.pvk" YangsoftCA.cer
Above succeeded
Password was prompted to secure the private key file
This is what my cert manager looks like. There is nothing under personal certificates.
I was hoping that yangsoft would appear there.
How do I find out what happened and how do I see my cert ?

make sure you are checking under user certificate, not in computer certificate:

Go to mmc.exe. Follow the steps:
MMC > File > Add/remove snap-in > Certificates > You get three options:
My user account
Service account
Computer account
I don't know what it means, so I took My user account. It seems to be my lucky card in other problems.
Finish.
Then you will need to activate IIS server manager on your system:
control panel > programs and features > turn windows features on or off > IIS, the full name > ok
Once done, it can be seen in mmc.exe. In IIS server, under IIS list, click server certificates > create self signed certificate. Enter some stuff and you should be done.

Related

Why does signtool.exe only find certificate when run as admin?

I'm setting up a new development laptop, and have installed a self-issued code signing certificate. I can see it in certmgr under my Current Users's Personal Certificates.
When I try to build from the Developer Command Prompt For Visual Studio 2017 I get:
error : SignTool Error: No certificates were found that met all the given criteria.
This always worked fine on my old laptop.
I have found if I run the same build from the command prompt after starting it as admin that signtool succeeds and can find the cert.
This has happened to 3/4 colleagues when we've set up new laptops. One guy is ok and can sign without running as admin. On our old laptops we never had to run as admin.
I've tried googling to find what could be the cause because I wasn't aware that running as admin or not should have any affect over this. I haven't found any reference to this problem.
How can we use signtool.exe without running it as admin?
When not running as admin it appears to be at the Private Key filter step where the cert I'm expecting to be selected gets filtered out:
**********************************************************************
** Visual Studio 2017 Developer Command Prompt v15.9.12
** Copyright (c) 2017 Microsoft Corporation
**********************************************************************
C:\>signtool sign /v /debug /ph /i "<issuedby>" /fd sha256 /td sha256 "C:\TestSign.dll"
The following certificates were considered:
Issued to: Scott Langham
Issued by: <issuedby>
Expires: Sun Sep 25 09:54:55 2022
SHA1 hash: <a_hash>
Issued to: Scott Langham
Issued by: <issuedby_somethingelse>
Expires: Wed May 13 15:51:14 2020
SHA1 hash: <b_hash>
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Issuer Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
I've ensured the version of signtool.exe I'm using is the same as the one that my colleague who has this working is using (10.0.18362.1). I've been able to spot any other differences between our systems.
I ran into this today and here is how I am now able to run signtool.exe via command line without elevating to admin.
Run 'mmc' and add the 'Certificates' snap-in
Select the correct key store location
(mine is in Local Computer so I select 'Computer account' here)
Find and select the certificate
Right click on the certificate, select All Tasks > Manage Private Keys...
In the 'Permissions for private keys' dialog, Add your user account and then give yourself 'Full Control'. You will now be able to sign using a normal command prompt.
Note: If you use a build machine, do the above steps for the account that performs the builds.
Similar to what #Baget said, I'd compare the certificates on your machine to that of your colleague who can successfully run the SignTool.exe command without the elevation token. Here's a chunk of PowerShell to assist you:
get-childitem -Path Cert:\ | foreach-object ({
$location = $_.Location
foreach($store in $_.StoreNames.Keys) {
get-childitem -Path "Cert:\$location\$store" | foreach-object ({
$thumb = $($_.ThumbPrint)
$issuer = $($_.Issuer)
if ($issuer -eq "CN=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE, DC=EXAMPLE") {
write-host "$location $store $issuer"
}
})
}
})
Bear in mind that the output of the above may differ slightly if you run as a normal user and 'run as admin'.
Finally, do you and your colleague have the same UAC settings?
I found myself in a similar situation with signtool, it refused to work with an admin user but does work as actual Administrator.
In my case, I am not actually importing the certificate into the certificate store, but using a .pkcs12 file exported from a comodo certificate in firefox, so this makes things even stranger, as no permissions on any keys in the store are involved.
I tried granting myself permissions on some server key, but that did nothing.
I hope someone finds a solution to this problem.
In the meantime, I am signing my exe with osslsigncode instead, which works perfectly.
I extracted the exe and dependent dlls from the msys2 mingw64 build, here is a zip of everything in case it is of use to anyone, just extract it to a directory and put it in your PATH.
http://cachemiss.com/files/osslsigncode.zip
To extract this program yourself from an msys2 installation, you can use this command:
pacman --noconfirm -S mingw-w64-x86_64-osslsigncode
cd /mingw64/bin
mkdir ~/osslsigncode
cp osslsigncode.exe $(ldd osslsigncode.exe | sed -n 's,^.*\(/mingw64/[^ ]*\).*,\1,p' | sort -u) ~/osslsigncode/
cd
zip -9r osslsigncode.zip osslsigncode
I am using this in Visual Studio cmake builds with no issue.
There are two Certificate Store in Windows, User Store, and a machine store, you probably installed the certificate to the local machine, or you installed it when you run as elevated user.
Firstly you are getting such an error and you are using visual studio then See the signing tab in project properties. You will see a previously assigned signature (strong assembly)
If you enter the correct password here:
If your environment is the same as the environment in which the project is written, you will skip this error. Look the post on about the error
The reasons behind this error are:
1- Visual Studio needs some features when using certificate file to sign strong assembly.
ClickOnce Manifest Signing and Strong-Name Assembly Signing Using Visual Studio Project Designer's Signing Page
You can try this code to determine
signtool sign /debug /f mypfxfile.pfx /p <password> (mydllexectuable).exe
2- These settings can vary from machine to machine, and windows does not write these settings to the environment setting by default. check the config path
This part is just a deep note! not interested with the question you should add your private keystore file to request header and those all for this. My favorite steps about the creation of a certificate on this post

Tizen WebApplication failed to install on device

Sorry for my english.
I have an application and Samsung UE32M5500.
I do the following CLI commands:
path to certificate
call C:\tizen-studio\tools\ide\bin\tizen.bat cli-config -g "default.profiles.path=...\profiles.xml"
packaging a Tizen Application with signing
call C:\tizen-studio\tools\ide\bin\tizen.bat package -t wgt -s zaykov_cert
connect to device
c:\tizen-studio\tools\sdb connect 10.5.0.119:26101
install app to device
call C:\tizen-studio\tools\ide\bin\tizen.bat install -n app.wgt -t UE32M5500
All commands are executed without errors, right up to the install command.
result of install command
What could be the cause of the error?
If you install through Tizen Studio with the same certificate, then there are no errors. But when importing the project, there are no source files in the Tizen studio. There is only one huge main.js file and folder with media.
Also Following this Tip&Tech document should help:
Sample Web Application development using Command Line Interface
First of all, Set the Date/time correctly on both your PC and TV. connect your device using sdb first.Now, the Issue could be certificate related. I would suggest you to generate author and distributor certificate from Tizen Studio. (Install TV related & Certificate Manager related packages from package manager before that)
From Tizen Studio > Tools > Certificate Manager > + > Samsung >
TV > Create New Certificate Profile (suppose 'x') > Create New author certificate > Sign In to Samsung Account > You will be notified
location of your author certificate (Suppose C:\x\ )(May be a hidden
folder, select 'show hidden folders' to explore )
Create New distributor certificate > (your TV should be on the DUID
list) > > You will be notified location of your distributor
certificate (Same C:\x\ )
Let's get back to CLI. As explained on Managing Security Profile Section of CLI Guide, Add new Security profile using the author & distributor certificates you just created using Certificate Manager tools. Example command:
tizen security-profiles add -n NewProfileX -a C:\x\author.p12 -p ********
-d C:\x\distributor.p12 -dp ********
Then Clean, Build, Package with NewProfileX profile, Install, Run.

Do you want the application "WebStorm.app" to accept incoming network connections?

Webstorm keeps asking to accept incoming network connections on Mac OS X Yosemite.
I had to create my own certificate on Keychain Access then 'codesign' Webstorm via terminal.
Open Keychain Access (Applications/Utilities)
Keychain Access > Certificate Assistant > Create a Certificate
Add 'your certificate name' > Identity Type 'Self Signed Root' > Certificate Type 'Code Signing'
Open Terminal
$ sudo codesign -s "your certificate name" -f /Applications/WebStorm.app/
Restart computer (not always)
Open WebStorm.app
Accept incoming network connections for the last time
The same process should work for any JetBrains IDE e.g. PhpStorm, PyCharm, etc.
Such errors usually indicate broken application signature. They may occur after changing info.plist or other files in WebStorm installation directory

Cannot import the following key file error when importing pfx

I researched this question thoroughly on stackoverflow and I have seen numerous answers but none of them have worked for us yet. We recently bought a code signing certificate from comodo that we are going to use to sign our c# WPF .net4 application. We have followed the instructions on the following URL
and have then imported the certificate in visual studio under 'project properties->singing->sign the assembly'. We then try to build the project and get the following error:
Cannot import the following key file: comodo.pfx. The key file may be password protected. To correct this, try to import the certificate again manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_xxxxxxxxxxxxxxx.
We have found numerous solutions on the internet and have tried the following:
Click on Change Password and use the same password in all 3 places
sn -i [comodo].pfx VS_KEY_xxxxxxxxxxxxx
tried converting it to password-less snk file and use that instead of .pfx
Tried running visual studio as admin and importing key
Tried creating very simple barebones project and signing with that
Tried visual studio 2010 as well as 2012
We tried adding the following to the assembly [assembly: AssemblyKeyFile("path to key file")]
Added event in postbuild "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /f "$(ProjectDir)[keyfile].pfx" /p [thepassword] /v "$(ProjectDir)obj\Release\$(TargetFileName)"
Added in a section in the .csproj file:
Downloaded http://visualstudiogallery.msdn.microsoft.com/a83505c6-77b3-44a6-b53b-73d77cba84c8 and clicked 'Apply Fix' on the error
We have had no success thus far. We can import the key just fine using the password so we know the password is correct. We also know that this works fine for signing the manifest in a clickonce publish. Just to make sure we weren't having any other issues, we turned off the cilckonce signing and are just trying to sign the assembly.
You can simply open "Project > Property > Signing" and uncheck the "Sign the ClickOnce manifests" checkbox.
I have learned that Visual Studio doesn't seem to handle subordinate certificates very well. I tried several certs on multiple machines (different OS/VS combinations) with the same results. I finally found this as a workaround:
Sign the assembly with
signtool sign /f "[path to pfx]" /p [password] /v "[path to assembly]"
Build your installer with mageUI (see "Manually Deploying a ClickOnce Application")
The issue with Visual Studio seems to be that it does not like certificate chaining. This you can solve by importing/exporting the certificate without the chaining. The next issue is addressed by using the certutil and export with the AT_SIGNATURE. I was able to import it into VS and build, however it doesn't seem to sign the assembly.
I got similar error. Solved it by choosing Install PFX from a context menu in Windows Explorer.
Another 'worked for me' ...
Right-clicked on the PFX in Windows Explorer, chose 'Install PFX' and in the wizard supplied the password. Then in the project properties in VS, under 'Signing' chose 'Change Password' and re-entered the password. Prior to this only running VS as administrator would work.
Best solution I can think of is go to Project --> Properties --> Choose a strong name key file dropdown and select "New" --> Create the key and then go to Certificate section on top --> click Select from File and choose the new Key you created --> Build Solution --> Publish.
For me following worked,
First Install certificate by double clicking on it. then,
Project Properties -> Signing -> If 'Sign the ClickOnce manifests' is checked -> click on 'Select from file' and select .pfx file and it should show all the certificate valid details like Issued to, Issued By, Intended Purpose etc.
I had the same issue. I am building the application from a thumb drive on numerous computers and believe this is the cause.
I found success with the "sn -i [comodo].pfx VS_KEY_xxxxxxxxxxxxx" method.
I did the following steps:
Run "Developer Command Prompt" as administrator (found in Start->All Programs->Visual Studio->Tools)
Navigate to your key directory (for me this was the root of my project directory, not the solution directory)
Execute "sn -i mykey.pfx VS_KEY_xxxxxxxxxxxxx" (mykey.pfx and VS_KEY_xxxxxxxxxxxxx are both found in the build error message)
Enter the password if required
When I tried this without running "Developer Command Prompt" as an administrator, I get the help display text when running "sn -i mykey.pfx VS_KEY_xxxxxxxxxxxxx" and it does not work. The trick was to make sure I ran the develop prompt as an administrator.
For context, I am using VS Community 2013.5, Window 7 x64 Professional, and NET Framework 4.7
Navigate to Project Properties --> Signing
Please select corresponding *.pfx file from drop down.
Enter the previous password used for code signing. (password: ask the person who has signed the assembly and created the self signed certificates and code signed)
(optional) It automatically adds your certificate as trusted. It can
be seen using Management console window ( run MMC command and add
certificate add-snaps to see the certificate)

How to make and deploy a self-signed ClickOnce manifest with Visual Studio 2012

Let's get this out of the way... I :
use Visual Studio 2012
develop VB.NET applications - mostly .NET framework 3.5, some 2.0.
use Windows 7 for development (users are also using Windows 7. There are a small number of internal users (less than 40).
I am also going to state that I am new at this and don't fully understand this process. I do understand the underlying concepts of encryption/hashing/keys etc., but I can't tell you why you might need a .cer file and not a .pfx file.
Now then...
We have an application that uses a certificate to sign its manifest that has worked for three (or so) years. We recently upgraded from Visual Studio 2008 to Visual Studio 2012, having basically skipped Visual Studio 2010. Somewhere in that process the certificate is now invalid or corrupted.
The proposed solution: Make a new one with makecert.exe "just like we did last time". No sense paying for a certificate when all we need it for is our own small set of users and the small convenience of not seeing that "do you trust this publisher?" message (I think?).
When trying to publish, the exact error is:
Cannot publish because a project failed to build.
An error occurred while signing: Failed to sign
bin\Release\app.publish\setup.exe. SignTool Error: The signer's
certificate is not valid for signing. SignTool Error: An error
occurred while attempting to sign: bin\Release\app.publish\setup.exe
Now, the article Support Certificates In Your Applications With The .NET Framework 2.0 says:
for desktop applications, you typically install certificates in the
user store.
So when I look at the user store (via MMC with certificate snap-in) I see:
Where the red line is is the OLD/INVALID certificate. One other one is still unexpired, with my username on it (2013-06-20).
When I go to select from the store, I see this:
And in case you are curious, the other intuitive place to put one of these looks like this:
So how do I add another one where the old/bad one is?
Here is what I have tried:
Following these instructions, I executed
makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
Now I have a .pvk file, and a .cer file. Then I followed the instructions in Pvk2Pfx (Windows Drivers) and ran
pvk2pfx.exe -pvk TempCA.pvk -spc TempCA.cer -pfx TempCA.pfx
Now I have a .pfx file... (is this what I need?), but when trying to import to the certificate store using MMC, the password I used is supposedly wrong no matter what - even if I copy and paste it in. (It sounds like a bug in the import program... I can reproduce this.)
Trying another route, after importing the .cer file, it will not show up in the "select from store" window in Visual Studio, so that's useless.
I've spent a day on this and am ready to give up, but I can't. What do I need to do?
The article Using Makecert to Create Certificates for Development helped about 90% of the way...
The rest was understanding that I could do one of two things (both of these options require the certificate must be in a "trusted root" area like "Trusted Root Certification Authority", or must be signed by one that is there):
In Visual Studio, under the "signing" tab I could just use "Select from file" and use the .cer file.
If I just put my .cer file in the "personal" folder, it will appear as an option from the "select from store" button (I may need to restart the computer or Visual Studio).
The answer by Watki02 is quite helpful but missing a few details. Also, key information in that blog post should also be posted here. So...
Create your own root authority certificate:
CD \path\to\whereyouwant
makecert -n "CN=Make Up A Name" -a sha1 -r -sv MakeUpANameCertificateAuthority.pvk MakeUpANameCertificateAuthority.cer -ss MakeUpANameCertificateAuthority -sr localMachine
Password prompts
You will be prompted to create a password and then submit a password. I used the same password for both prompts
User certificate
makecert -pe -n "CN=CN=Make Up A Name User" -ss MY -a sha1 -iv MakeUpANameCertificateAuthority.pvk -ic MakeUpANameCertificateAuthority.cer -sv MakeUpAName.pvk MakeUpAName.cer
Password prompts again
I used the same password as above again
Make a portable file for exchange
pvk2pfx -pvk "MakeUpAName.pvk" -spc "MakeUpAName.cer" -pfx "MakeUpAName.pfx" -pi SamePasswordAgain
Send the file to your private clients
"MakeUpAName.pfx"
Install the certificate
c:> MMC.EXE
MENU FILE -> Add / Remove Snapin
Certificates -> Add -> Computer Account -> Finish -> OK
MENU Action->All Tasks->Import
Go through the wizard
Choose *.pfx format
Choose file
Continue with default options

Resources