{"id":5166,"date":"2016-12-22T11:38:28","date_gmt":"2016-12-22T09:38:28","guid":{"rendered":"https:\/\/www.limilabs.com\/blog\/?p=5166"},"modified":"2016-12-22T11:38:36","modified_gmt":"2016-12-22T09:38:36","slug":"create-code-signing-certificate-pfx","status":"publish","type":"post","link":"https:\/\/www.limilabs.com\/blog\/create-code-signing-certificate-pfx","title":{"rendered":"Create code signing certificate"},"content":{"rendered":"

Management summary<\/h2>\n
    \n
  1. You generate certificate signing request<\/strong> on your machine (using certmgr or ActiveX component).<\/li>\n
  2. Private\/public key pair<\/strong> is generated along with the request (on your machine<\/strong>).<\/li>\n
  3. You export certificate that represents the request from your certificate key store.<\/li>\n
  4. You extract private key<\/strong> from the certificate that represents the request.<\/li>\n
  5. You send the request (it contains public key only<\/strong>) to CA (or ActiveX does this automatically).<\/li>\n
  6. CA sends your certificate <\/strong>back (crt file that is basically your public key, signed with CA’s keys).<\/li>\n
  7. Finally you need to combine the private key and the crt to create a pfx<\/strong>, that contains both private key and the certificate.<\/li>\n<\/ol>\n

    Important points<\/h2>\n
      \n
    • Private key is generated along with the certificate request.<\/li>\n
    • Private key is generated on your machine<\/strong>.<\/li>\n
    • Private key is never sent to CA<\/strong> (Certificate Authority).<\/li>\n
    • Certificate received from the CA (*.crt file) doesn’t contain your private key.<\/li>\n
        \n

        Generate CSR & private key – ActiveX<\/h2>\n

        Some vendors, like Comodo, use Active X component, that runs on your machine and creates certificate request along with private\/public key pair generation on your machine:<\/p>\n

        \"activex_01\"<\/p>\n

        Private key can be found in the certmgr of the local account<\/strong> (not machine’s):<\/p>\n

        \"activex_02\"<\/p>\n

        Later on it must be exported as a pfx (e.g. “Request.pfx”).<\/p>\n

        Generate CSR & private key – CertMgr<\/h2>\n

        In MMC (certmgr), expand Certificates (Local Computer) and then Personal.
        \nRight-click Certificates, and then go to the following menus: All Tasks > Advanced Operations > Create Custom Request:<\/p>\n

        \"certmgr_00\"<\/p>\n

        Click Next:<\/p>\n

        \"certmgr_01\"<\/p>\n

        Click Next:<\/p>\n

        \"certmgr_02\"<\/p>\n

        Click Next:<\/p>\n

        \"certmgr_03\"<\/p>\n

        Ensure the Request format is PKCS #10, and then click Next:<\/p>\n

        \"certmgr_04\"<\/p>\n

        Click the downward-facing arrow next to Details, and then click Properties.<\/p>\n

        \"certmgr_06\"<\/p>\n

        On the subject type, select the following values, enter the corresponding Value, and then click Add:<\/p>\n

          \n
        • Common name – Your business or organization’s name<\/li>\n
        • Organization – Your business or organization’s name<\/li>\n
        • Locality – Your business or organization’s address<\/li>\n
        • State – The state where your business or organization resides<\/li>\n
        • Country – The country where your business or organization resides<\/li>\n<\/ul>\n

          Go to the Private Key tab, click Key type, and then select Make private key exportable:
          \nClick OK, and then click Next:<\/p>\n

          \"certmgr_07\"<\/p>\n

          Browse for the location where you want to save the file, enter a File Name (“Request.csr”), and then click Finish.
          \nYour CSR is now stored in the file you saved it to on your local machine.<\/p>\n

          \"certmgr_05\"<\/p>\n

          Request file is regular text file:<\/p>\n

          \"certmgr_15\"<\/p>\n

          This process also creates a private key, which you will need to use later to create a PFX file to sign your code or driver.<\/p>\n

          Export certificate that represents the request<\/h2>\n

          If you were using ActiveX to generate certificate request, certificate that represents the request (including private key) is stored in certmgr of the local account (not machine’s):<\/p>\n

          \"activex_02\"<\/p>\n

          Go to “Certificate Enrollment Requests”\/ “Certificates” (Hit refresh if it is empty):<\/p>\n

          \"certmgr_08\"<\/p>\n

          Right-click the certificate and then go to the following menus: All Tasks > Export:<\/p>\n

          \"certmgr_09\"<\/p>\n

          Select export private key and hit Next:<\/p>\n

          \"certmgr_10\"<\/p>\n

          Ensure the Request format is PKCS #12, and then click Next:<\/p>\n

          \"certmgr_11\"<\/p>\n

          Specify password:<\/p>\n

          \"certmgr_12\"<\/p>\n

          Browse for the location where you want to save the file, enter a File Name (“Request.pfx”), and then click Finish.<\/p>\n

          \"certmgr_13\"<\/p>\n

          Click Finish:<\/p>\n

          \"certmgr_14\"<\/p>\n

          Certificate that represents your request is now stored in the file you saved on your local machine. It contains both private and public key<\/strong>.<\/p>\n

          Extract private key<\/h2>\n

          First you’ll need to install OpenSSL.<\/p>\n

          To extract private key from the request, issue following command:<\/p>\n

          openssl pkcs12 -in Request.pfx -out Request_PrivateKey.pem -nocerts -nodes<\/code><\/p>\n

          nocerts = private key only,
          \nnodes = no password<\/p>\n

          Generate CSR & private key – OpenSSL<\/h2>\n

          You can use following command to create certificate request and key using OpenSSL:<\/p>\n

          openssl req -new -newkey rsa:2048 -nodes -keyout Request_PrivateKey.key -out Request.csr<\/code><\/p>\n

          You may need to convert to convert the key (BEGIN PRIVATE KEY) to PKCS#1 format (BEGIN RSA PRIVATE KEY):<\/p>\n

          openssl rsa -outform pem -in Request_PrivateKey.key -out Request_PrivateKey.pem<\/code><\/p>\n

          CA creates a certificate<\/h2>\n

          Now you should upload -or- copy&paste request file (“Request.csr”) to your CA, and in return, they should create the certificate for you:<\/p>\n

          \"generated_00\"<\/p>\n

          What you receive from your CA looks more or less like this:
          \n\"generated_01\"<\/p>\n

          Most important file is the crt file which contains your certificate (it includes public key only<\/strong>).<\/p>\n

          Combine private key with cert to create pfx<\/h2>\n

          To combine private key from the request and certificate from CA into one pfx certificate, issue following command:<\/p>\n

          openssl pkcs12 -inkey Request_PrivateKey.pem -in 00\u202670.crt -export -out 00\u202670.pfx<\/code><\/p>\n

          The pfx file you created contains both private key and the certificate<\/strong> and can be used to sign your code.<\/p>\n","protected":false},"excerpt":{"rendered":"

          Management summary You generate certificate signing request on your machine (using certmgr or ActiveX component). Private\/public key pair is generated along with the request (on your machine). You export certificate that represents the request from your certificate key store. You extract private key from the certificate that represents the request. You send the request (it […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-5166","post","type-post","status-publish","format-standard","hentry","category-tools"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5166"}],"collection":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/comments?post=5166"}],"version-history":[{"count":41,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5166\/revisions"}],"predecessor-version":[{"id":5227,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/posts\/5166\/revisions\/5227"}],"wp:attachment":[{"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/media?parent=5166"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/categories?post=5166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.limilabs.com\/blog\/wp-json\/wp\/v2\/tags?post=5166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}