
How to create your own code signing certificate and sign an ActiveX component in Windows

All feedback and comments should be directed to support@versinique.com Webpage: http://www.top20toolbar.com/misc/codesigncert.htm

Problem Overview
Users cannot install an ActiveX component because it is not signed, and they cannot (or should not) override the security settings of Internet Explorer to allow the installation. The usual solution is to obtain a code-signing certificate from a commercial CA such as VeriSign or Thawte, but that is overkill for internal networks or small-scale applications.

Solution Overview
This article describes how to do the following:

- Create a Root CA certificate using OpenSSL
- Create an Intermediate certificate, issued by that Root CA, using OpenSSL (its key is the one that actually signs the code)
- Create the personal code-signing package (.pfx) from that certificate and key using OpenSSL
- Install the Root certificate in the Windows certificate store using Internet Explorer
- Install the Intermediate certificate in the Windows certificate store using Internet Explorer
- Install the personal (.pfx) certificate in the Windows certificate store using Internet Explorer
- Sign an ActiveX CAB file using Microsoft SignTool

Limitations
Once signed, you can distribute the ActiveX component to any user, BUT Windows will only allow the installation on machines where your Root CA certificate (and the Intermediate certificate, see Step 6) has been installed as well. If you want users to install an ActiveX component without first importing your own certificates, buy a code-signing certificate online from Thawte or VeriSign. Bear in mind that a private root placed in Trusted Root Certification Authorities is trusted for every purpose, not just code signing: any certificate chained to it (a TLS server certificate, for example) is then accepted on that machine, so guard ca.key accordingly.

Step 1: Download and Install OpenSSL


- Download an OpenSSL distribution for Windows
- Install the OpenSSL software to c:\openssl (or c:\program files\openssl if you like to keep installations consistent)

Step 2: Create Root CA Certificate

- Open a DOS command prompt
- Navigate to the OpenSSL binaries directory: type CD c:\openssl\bin
- Create the CA private key. Type openssl genrsa -des3 -out ca.key 4096
  When prompted enter a *very* strong password, and then verify the password. This password is all that protects ca.key; anyone holding that file can issue certificates that every machine trusting your root will accept, so keep it off shared drives and out of source control.
- Create the self-signed Root CA certificate (the command produces a certificate containing the public key, not a separate key file). Type openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  When prompted enter the *very* strong password.
  For Country Name enter the ISO two-letter code (use GB, NOT UK, if in the UK).
  For State enter the state name in full, or for the UK the county name.
  For Locality enter the town or city where your company is registered.
  For Organisation Name enter the full company name, e.g. Mycompany LTD.
  For Organisation Unit enter Development or Support.
  For Common Name use your domain name, e.g. mycompany.com.
  For Email Address enter a valid address, e.g. support@mycompany.com.
  Note that -days 365 makes the root expire after one year. Every signature you produce chains to this certificate, so a root valid for several years saves you from redistributing a new ca.crt to all users.

Step 3: Create and Sign Intermediate Certificate


- Create the private key. Type openssl genrsa -des3 -out server.key 4096
  When prompted enter a *very* strong password (it can be the same as before), and then verify the password.
- Create a certificate request for signing by the Root CA. Type openssl req -new -key server.key -out server.csr
  Enter the *very* strong password.
  Repeat the information entered above for the Root CA certificate, EXCEPT for the Common Name add "www.", e.g. www.mycompany.com (keep the subject different from the root's, otherwise chain building can confuse the two certificates).
  When prompted for Challenge Password press Enter to skip.
  When prompted for Optional Company Name press Enter to skip.
- Sign the request with the Root CA to produce the certificate. Type openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
  When prompted enter the *very* strong password used to create the CA key.
  The serial number (-set_serial 01) must be unique per certificate issued by this CA; increment it for every further certificate you sign with ca.key.
  Note that openssl x509 -req adds no X.509 extensions unless -extfile is given, so server.crt carries no Extended Key Usage. Windows treats a certificate without that extension as valid for any purpose, code signing included, which is why this works; the extensions can be added with -extfile if you want to restrict the certificate to code signing. Although the article calls this the Intermediate certificate, server.key is the key that actually signs the code in Step 9.

Step 4: Create a combined cert that simplifies SignTool


- Combine the private key and the certificate into a single PKCS#12 package. Type openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt
  When prompted enter the *very* strong password used to create the Intermediate key.
  Enter the Export Password and verify it (these instructions use the same password throughout).
  To bundle the Root CA certificate in the same file, so that the signing tool can embed the full chain in the signature, add -certfile ca.crt to the command.
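The following script is an added example, not part of the original article: it runs Steps 2 to 4 non-interactively on one OpenSSL installation (Windows or not), and goes beyond the article's commands by giving the root CA:TRUE/keyCertSign extensions, restricting the signing certificate to the Code Signing extended key usage, giving the root a ten-year lifetime, and bundling ca.crt in the PFX. The passwords, subject names, KEY_BITS and the PKI_DIR output directory are assumptions; replace them. The verification functions at the end reproduce the two situations the article describes: a machine that trusts the root (chain verifies) and one that does not (chain fails even though the signature is valid).

```shell
#!/bin/sh
# Added example (not from the original article). Non-interactive Steps 2-4 with
# the X.509 extensions the article's bare commands omit. All passwords, names and
# paths below are assumptions for the demonstration.
set -eu

CA_PASS="${CA_PASS:-use-a-very-strong-root-password}"       # protects ca.key
CS_PASS="${CS_PASS:-use-a-very-strong-signing-password}"    # protects server.key and the PFX
KEY_BITS="${KEY_BITS:-4096}"
SUBJ_BASE="/C=GB/ST=Cambridgeshire/L=Cambridge/O=Mycompany LTD/OU=Development"
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
# [v3_ca] marks the root as a CA; [codesign] limits the leaf to code signing,
# which "openssl x509 -req" without -extfile never sets.
write_config() {
  cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ codesign ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# Builds ca.key/ca.crt, server.key/server.csr/server.crt and exported.pfx in $1.
make_pki() {
  local dir="$1"
  mkdir -p "$dir"
  write_config "$dir"
  (
    cd "$dir"
    # Step 2: root key and self-signed root certificate. 3650 days rather than
    # 365: every signature chains to the root, so a short root forces a re-rollout.
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out ca.key "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$CA_PASS" \
      -config ext.cnf -extensions v3_ca \
      -subj "$SUBJ_BASE/CN=mycompany.com/emailAddress=support@mycompany.com" \
      -out ca.crt
    # Step 3: signing key, request, and certificate issued by the root
    # (-extfile/-extensions is the part the article's command leaves out).
    openssl genrsa -des3 -passout "pass:$CS_PASS" -out server.key "$KEY_BITS" 2>/dev/null
    openssl req -new -key server.key -passin "pass:$CS_PASS" -config ext.cnf \
      -subj "$SUBJ_BASE/CN=www.mycompany.com/emailAddress=support@mycompany.com" \
      -out server.csr
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
      -passin "pass:$CA_PASS" -set_serial 01 \
      -extfile ext.cnf -extensions codesign -out server.crt 2>/dev/null
    # Step 4: PFX for SignTool. -certfile bundles the root so the signing tool
    # can embed the whole chain. (On OpenSSL 3 add -legacy if an old Windows
    # build refuses the AES-encrypted PFX.)
    openssl pkcs12 -export -out exported.pfx -inkey server.key -passin "pass:$CS_PASS" \
      -in server.crt -certfile ca.crt -passout "pass:$CS_PASS"
  )
}

# Returns 0 when server.crt chains to ca.crt: the check a machine passes once
# the root is in Trusted Root Certification Authorities (Step 5).
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Returns 0 when the chain does NOT verify against the default trust store:
# the "signature valid, root not trusted" state a user who skipped Step 5 sees.
untrusted_without_root() {
  ! openssl verify "$1/server.crt" >/dev/null 2>&1
}

# Returns 0 when the leaf carries the Code Signing extended key usage.
has_codesigning_eku() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "Code Signing"
}

# Prints the number of certificates inside the PFX (2 = leaf + root).
count_pfx_certs() {
  openssl pkcs12 -in "$1/exported.pfx" -passin "pass:$CS_PASS" -nokeys 2>/dev/null \
    | grep -c "BEGIN CERTIFICATE"
}

# Demonstration run: build everything and report the result.
make_pki "$PKI_DIR"
verify_chain "$PKI_DIR" && has_codesigning_eku "$PKI_DIR" && \
  echo "$PKI_DIR/exported.pfx ready ($(count_pfx_certs "$PKI_DIR") certificates)"
```

Run it as `PKI_DIR=C:/openssl/bin sh makepki.sh` (or with any writable directory) and the resulting exported.pfx can be imported in Step 7 and selected in Step 9 exactly as the article describes; ca.crt still has to be imported on every user's machine as in Step 5, which is what `untrusted_without_root` demonstrates.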

Step 5: Install Root CA certificate using Internet Explorer

Launch Internet Explorer

- Select Tools->Internet Options from the menu bar
- Select the Content tab
- Click CERTIFICATES
- Select the Trusted Root Certification Authorities tab
- Click IMPORT
- Click NEXT>
- Click BROWSE to locate the required file
- Browse to C:\openssl\bin and highlight ca.crt
- Click OPEN
- Click NEXT>
- Ensure "Place all certificates in the following store" is selected
- Ensure Certificate store: = Trusted Root Certification Authorities
- Click NEXT>
- Click FINISH
- Click YES at the security warning to trust the root (from this point on, every certificate this root issues, not only code-signing ones, is trusted on this machine)
- Click OK

Step 6: Install Intermediate certificate using Internet Explorer


- Change tabs to Intermediate Certification Authorities
- Click IMPORT
- Click NEXT>
- Click BROWSE to locate the required file
- Browse to C:\openssl\bin and highlight server.crt
- Click OPEN
- Click NEXT>
- Ensure "Place all certificates in the following store" is selected
- Ensure Certificate store: = Intermediate Certification Authorities
- Click NEXT>
- Click FINISH
- Click OK

Step 7: Install Personal certificate using Internet Explorer


Note: This simplifies code signing with signtool for the developer, but end users do not need to do this

- Change tabs to Personal
- Click IMPORT
- Click NEXT>
- Click BROWSE to locate the required file
- Change the file type to Personal Information Exchange (*.pfx, *.p12)
- Browse to C:\openssl\bin and highlight exported.pfx
- Click OPEN
- Click NEXT>
- Enter the *very* strong password entered when EXPORTING the key (in these instructions it is the same password used to create the Intermediate key)
- Ensure "Place all certificates in the following store" is selected
- Ensure Certificate store: = Personal
- Click NEXT>
- Click FINISH
- Click OK

Step 8: Download and Install Microsoft Platform SDK


- Download the Microsoft Platform SDK
- To reduce the download size use the Web Install (download and run PSDK-x86.exe), perform a custom install and select only Microsoft Windows Core SDK; remove the AMD and Documentation sub-options
- Install the Microsoft Platform SDK tools into c:\program files\microsoft platform sdk

Step 9: Sign ActiveX CAB file (or exe etc)


- Open a DOS command prompt
- Change to the SDK binaries directory: type CD c:\program files\microsoft platform sdk\bin
- Launch the signing wizard: type signtool signwizard
- Click NEXT
- Browse to and select the ActiveX component to sign
- Click NEXT
- Click TYPICAL
- Click NEXT
- Click SELECT FROM STORE
- Highlight the certificate created in Step 3 (common name www.mycompany.com in this example)
- Click OK
- Click NEXT
- Click NEXT
- Click NEXT
- Click FINISH
- Click OK

Step 10: User Installation Instructions

Users import the Root CA and Intermediate certificates as described in Steps 5 and 6 (Step 7 is not needed on user machines). They can then go to the web page where the signed ActiveX CAB is used and the installation will be allowed.

Add a Digital Signature to Executables


Signtool.exe is the default Windows development tool for adding a digital signature (Authenticode) to Windows executables (PE files). This howto shows you how to use signtool. You'll need to create your own certificate and key (or buy one) to sign code. To obtain signtool, download the Platform SDK or the .NET SDK. I use signtool in my makefile with command-line options to sign compiled code automatically, but in this howto I'll show the interactive use. First we install the certificate and key we'll use to sign code. Double-click the .pfx file and let the wizard do its work with the default options:

Because the wizard will also install the root CA certificate found in the PKCS12 file, it will ask you if you trust it.

It is not necessary to install this root CA certificate in order to sign, but if you don't, signtool will not include the root CA certificate in the signature's certificate chain. You also need to install this root CA certificate if you want to automatically trust all certificates issued by it (or by its subordinate CAs). Now start signtool from a command line like this: signtool signwizard

For the purposes of this howto, we'll sign notepad.exe. When you sign an executable that is already signed, the existing signature is overwritten. Actually, notepad.exe carries no embedded signature from Microsoft; it is signed through a security catalog instead.

We'll use the default options presented by the wizard (except for the timestamp):

Select the certificate with key we installed: use Select from Store

By default, the signature doesn't include a timestamp signed by an external authority (a countersignature). This matters more than it looks: without a timestamp the signature stops verifying once the signing certificate expires (one year in the setup above), whereas with a countersignature it stays valid as long as the certificate was valid at the moment it was timestamped. It's easy to add one, for example using VeriSign's timestamp service:

http://timestamp.verisign.com/scripts/timstamp.dll (of course, using this option requires Internet access; this is the address given in the original article, so substitute the timestamp URL published by your own CA if it has moved).

Finally, click finish for the wizard to do its work:

From now on, the Properties dialog of notepad.exe displays a Digital Signatures tab:

This certificate checks out because we installed the root CA certificate in our certificate store. But if you check this signature on another machine or under another account (which doesn't trust our root CA), we'll get a warning that, although the signature is valid, the root CA is not trusted:

If you didn't make a backup of notepad.exe and want to remove the signature, use my digital signature tool disitool.