Generate an x.509 to be signed - windows

I have done quite a bit of searching and I can't seem to find an answer as to how to create an x.509 certificate that I could then have signed by a 3rd party like say Verisign. I am trying to do this in Windows.
I know for SSL this is a CSR but what do I do to get an x.509 for use in encrypting SSO messages with our clients?
Thanks.

My recommended way would be to use Cygwin + OpenSSL:
http://robotification.com/2007/08/31/installing-openssl-on-windows/
Another way could be to use windows binaries for OpenSSL.
WARNING: I have not tried any of these windows binaries. Use them at your own risk. I am not affiliated with any of these.
You can use windows implementation of OpenSSL. I found a few windows binaries:
http://www.openssl.org/related/binaries.html
http://gnuwin32.sourceforge.net/packages/openssl.htm
And these setup instructions:
http://forums.tutorialized.com/windows-122/openssl-installation-on-windows-tutorial-by-herong-5467.html
Regardless of the approach you would need to run the following Openssl command.
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
This will generate two files: a CSR called 'server.csr' and a 2048-bit private key called 'myserver.key'.
You will be prompted to enter some information for your CSR. Enter those as per your information and you are done.
Hope this helps.

Related

OpenSSL for making iOS certs on a windows machine - do I need a server?

I'm running Windows 7 Pro, not a server, and am wondering if I need a server to run openssl for the purpose of setting up my iOS certs for PhoneGap?
I've installed opensll, and am following instructions for making the cert here:
http://www.iandevlin.com/blog/2012/11/phonegap/building-an-ios-signing-key-for-phonegap-in-windows#more-2582
But when I enter
openssl genrsa -des3 -out ios.key 2048
it tells me 'opensll is an invalid command', displays a list of standard commands, and I cannot find the file ios.key on my machine.
I'm running the command window by shift-right-clicking on the bin folder in OpenSSL-Win64
Am I on the right track?
Thanks for your time and help.
Never mind - for anyone else looking, I found a great guide to the whole process here:
http://support.brightcove.com/en/app-cloud/docs/step-step-guide-publishing-apple-app-store-using-windows
I was running the Shining Light installation of openssl from my own command window instead of running openssl.exe, which is why I was getting the 'opensll is an invalid command' error. But even so, errors about missing equal signs from the openssl.cnf (which I hadn't touched) kept displaying when running openssl.exe. I instead used a different openssl installation, found in the above link, which worked fine.

Windows Code-Signing process & alternative to MS signtool.exe? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 1 year ago.
Improve this question
Using a non-Microsoft compiler, I have written small application for Windows that I'd like to give away for free or sell for some trivial amount ($5 say). The program doesn't use the registry but I'd like to provide it as an installer executable (e.g. MyAppInstall.exe) created using freely available tools (e.g InnoSetup).
From Signing a Windows EXE file and other sources my understanding is as follows:
If I do not sign the installer, Windows will pop-up a warning dialogue box warning the user that the publisher is unknown and suggesting they should not run the software. This is undesirable.
If I sign the installer with a self certified key, The popup dialogue will at least provide a publisher name instead of "unknown". It will say the publisher could not be verified or the publisher is untrusted. This is probably marginally better than being described as an unknown publisher.
If I pay ~$100 every year to a CA, I can get a code-signing cert that will allow me to
give away useful free software that can be easily installed - without scary and off-putting dialogues appearing.
I can use the Windows edition of OpenSSL to create a self-certified key for code signing. This way I don't have to download an install a 590 MB SDK file from MS just to obtain Microsoft's makecert.exe
Catch 22: The only code signing tool I have heard of is signtool.exe which can only be obtained by downloading and installing at least 590 MB of other stuff (the SDK).
Q: Is there an alternative to Microsoft's signtool.exe
There is kSign, and their blog also has an article about how to integrate with Inno Setup.
It is not a complete replacement for signtool (i.e. it won't sign .cat and .sys files involved in signing driver packages) but it will will digitally sign EXE,DLL,COM,CAB and OCX files.
An alternative to signtool is Mono's signcode. Mozilla Developer Network has a very useful article on converting your certificate to SPC/PVK format and signing your EXE with Authenticode:
Convert PFX to SPC/PVK
openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc
Sign EXE
signcode \
-spc authenticode.spc \
-v authenticode.pvk \
-a sha1 -$ commercial \
-n My\ Application \
-i http://www.example.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-tr 10 \
MyApp.exe
Passphrases
Unlike signtool, which accepts the passphrase as a command-line argument, it seems like signcode must be given the passphrase on standard input. I was able to use signcode [arguments] < passphrase.txt.
Catch 22: The only code signing tool I have heard of is signtool.exe
which can only be obtained by downloading and installing at least 590
MB of other stuff (the SDK).
No. You are not required to install the whole SDK to install signtool.exe. Use SDK Web installer and choose to install "Tools" only.
However, the bad news is no signing tool will help you to bypass Windows warning if you have no CA-signed certificate because it is not possible to create something from nothing. The good news is many CA provides FREE code signing certificates for open-source developers, but you should use it to sign only FREE software. So, it is your choise: pay to CA and continue to sell your software, or do not pay and distribute it for free. It looks fair enough.
Try this free application which also allows you to set other properties of the signed executable such as company name, details, product name, etc.

Can I use a .cer file obtained from Apple Developer/Xcode to codesign a Windows application?

I have a .cer file obtained through Xcode and apple developer site that I use to codesign my application on OSX. Is it possible to codesign the Windows version of the app with the same .cer file?
I guess that from the age of the post this will no be relevant anymore for Mike, but someone else might be trying to do the same. So here is how:
All you need to do is to export the certificate and its key as pkcs12 from the Keychain in your Mac Dev box (using extension .pfx) and use it with signtool.exe on your windows box.
If you have problems doing this, you can export the key and cert to PEM format, and execute the following command to create the windows signing pfx.
openssl pkcs12 -export -out sign_cert.pfx -inkey your_key.key -in your_cert.pem -certfile your_intermediate_chain.pem

Windows 7 - How to generate CSR when IIS is not installed

My .NET application will be communicating with a third party server application that is implemnted as web-service over SSL. This application will run from different flavours of Windows 7 platform. The server application requires me to generate CSR file. The only way I can find generating a CSR is via IIS but this may not necessarily be installed on all computer where my application will be hosted. Any ideas on how can I generate a CSR on Win 7 platform without using IIS?
For a more recent version of openssl...
https://www.openssl.org/community/binaries.html links to
https://wiki.openssl.org/index.php/Binaries which links to
http://slproweb.com/products/Win32OpenSSL.html which has links for win64 and win32 openssl.
Otherwise, you should be able to install openssl v0.98h on windows with this:
http://gnuwin32.sourceforge.net/packages/openssl.htm
Run the openssl at the command prompt (Start->Run->"cmd.exe"):
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
or you can use this online tool to generate the openssl command:
https://www.digicert.com/easy-csr/openssl.htm
When you run the openssl req command on your computer, it will generate a CSR (with public key embedded) and private key.
If you need to generate CSRs from code and you are using some of .NET languages, use BouncyCastle or our SecureBlackbox. They both support certificate requests in PKCS#10 format. For C++ you can probably use OpenSSL.
Digicert has an easy to use tool for managing certificates on Windows: https://www.digicert.com/util/
If had the capability to generate certificate requests. It will also convert certificates between different formats

How do I export a PFX Code Signing Key to SPC and PVK under Windows 7?

I have a code signing key in PFX format that I need to export into SPC and PVK files. I tried to install the OpenSSL from Shining light but the install fails under Windows 7.
http://www.shininglightpro.com/products/Win32OpenSSL.html
Here are the instructions I am using from Comodo as a basis:
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089
Anyone know of an alternate way to do this?
I used the instructions here:
http://help.godaddy.com/article/6034
You still need openssl though, I guess you need to fix that.
Tim
Link from #timanderson worked great for me. 2 notes:
My Firefox saves the pkcs12 file with extension p12 and not pfx.
If you need a pvk without password, add the flag -nocrypt to pvk.

Resources