7/30/2019 How to Create Your Own Code Signing Certificate and Sign an Activex Component in Windows
http://slidepdf.com/reader/full/how-to-create-your-own-code-signing-certificate-and-sign-an-activex-component 1/16
How to create your own code signing certificate and sign an
ActiveX component in Windows
All feedback and comments should be directed to [email protected]
Webpage: http://www.top20toolbar.com/misc/codesigncert.htm
Problem Overview
Users cannot install an ActiveX component because it is not signed, and they cannot override the
security settings of Internet Explorer to allow the installation.
The usual solution is to obtain a code signing certificate from a CA such as Verisign or Thawte, but this is
overkill for internal networks or small-scale applications.
Solution Overview
This article describes how to do the following:
Create Root CA certificate using OpenSSL
Create Intermediate Certificate using OpenSSL
Create Personal Code-Signing Certificate using OpenSSL
Install the Root certificate in the Windows certificate store using Internet Explorer
Install the Intermediate certificate in the Windows certificate store using Internet Explorer
Install the Personal (signing) certificate in the Windows certificate store using Internet Explorer
Sign an ActiveX CAB file using Microsoft Signtool
Limitations
Once signed you can distribute the ActiveX component to any user, BUT the user must first install the
Root CA certificate (and, as this page does it, the Intermediate certificate) as in Steps 5 and 6 for installation to be allowed.
Trust in a private root is only as good as the way it is distributed: deliver ca.crt through a channel the user can
verify (or push it with Group Policy), not alongside the component on the same web page.
The Root CA private key (ca.key) is the root of all this trust: anyone holding it can sign code that every user who
imported ca.crt will run, so keep it off the build machine and preferably offline.
If you want users to install an ActiveX component without first importing your certificates,
then buy a code-signing certificate from a public CA such as Thawte or Verisign.
Step 1: Download and Install OpenSSL
Download an OpenSSL distribution for Windows
Install the OpenSSL software to c:\openssl (or c:\program files\openssl if you like to keep
installations consistent); the rest of this page assumes c:\openssl
Step 2: Create Root CA Certificate
Open a DOS Command Prompt
Navigate to the OpenSSL binaries directory. Type cd c:\openssl\bin
Create the private key. Type openssl genrsa -des3 -out ca.key 4096
(current OpenSSL builds also accept -aes256, which protects the key file better than -des3)
When prompted enter a *very* strong password
And then verify the password
Create the self-signed Root CA certificate (the file end users will import in Step 5). Type openssl req -new -x509 -days 365 -key ca.key -out ca.crt
When prompted enter the *very* strong password
For Country Name enter the international standard two letter abbreviation (use GB, NOT UK, if in the UK)
For State enter the state name in full, or for the UK the county name
For Locality enter where your company is registered, town or city
For Organisation Name enter the full company name e.g. Mycompany LTD
For Organisational Unit enter Development or Support
For Common Name use your domain name e.g. mycompany.com; this is the name users will see in the Trusted Root Certification Authorities list, so make it recognisable
For Email Address enter a valid address e.g. [email protected]
Note that -days 365 gives the Root CA a one-year lifetime; because the root has to be re-distributed to every user when it expires, a private root is normally issued for much longer
Step 3: Create and Sign Intermediate Certificate
This is the certificate the code will actually be signed with. It is issued directly by the Root CA; the page
installs it under Intermediate Certification Authorities in Step 6, but it carries no CA extensions and cannot issue further certificates.
Create the private key. Type openssl genrsa -des3 -out server.key 4096
When prompted enter a *very* strong password (can be the same as before)
And then verify the password
Create a certificate request for signing by the Root CA. Type openssl req -new -key server.key -out server.csr
Enter the *very* strong password
Repeat the information entered above for the Root CA certificate, EXCEPT for the Common
Name add "www." e.g. www.mycompany.com (the subject must differ from the root's, otherwise chain building can mistake the certificate for a self-signed one)
When prompted for Challenge Password press Enter to skip
When prompted for Optional Company Name press Enter to skip
Sign the request with the Root CA to produce the certificate. Type
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
When prompted enter the *very* strong password used to create the CA certificate
Every certificate issued by this Root CA needs a distinct serial number: if you re-run this step, change -set_serial
(or use -CAcreateserial, which keeps a counter in ca.srl), because Windows identifies certificates by issuer name plus serial
Step 4: Create a combined cert that simplifies SignTool
Combine the signing key, its certificate and the Root CA certificate into a single PKCS#12 package. Type
openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt -certfile ca.crt
(-certfile ca.crt puts the Root CA certificate into the .pfx so the whole chain travels with the signing key)
When prompted enter the *very* strong password used to create the Intermediate certificate
Repeat the same password for Export Password and verify it (these instructions use one password throughout; the
export password protects the private key inside the .pfx and is the one asked for in Step 7)
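The non-interactive equivalent of Steps 2 to 4, as an added example written for PowerShell on the same machine (this is not code from the original page). It goes beyond the commands above in two respects: it puts the X.509 extensions on each certificate that the interactive commands leave out (CA:TRUE and keyCertSign on the root; CA:FALSE, digitalSignature and the codeSigning EKU on the signing certificate, so that certificate can neither issue further certificates nor serve as a TLS certificate), and it checks the result before anything is imported. Assumptions: OpenSSL installed under C:\openssl as in Step 1, the placeholder subject names, and the file names ca.key, ca.crt, sign.key, sign.crt and codesign.pfx.

```powershell
# Added example: non-interactive version of Steps 2-4 (PowerShell calling the
# OpenSSL command line). Not code from the original page. Assumes OpenSSL is
# installed under C:\openssl as in Step 1; subject names are placeholders.
$OpenSsl = 'C:\openssl\bin\openssl.exe'
$Work    = Join-Path $PWD 'pki'
New-Item -ItemType Directory -Force -Path $Work | Out-Null
Set-Location $Work

function Read-Secret([string]$Prompt) {
    # Prompt without echo, then hand the text to OpenSSL through an environment
    # variable (-passin/-passout env:NAME) so it never appears on a command line.
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    return [System.Net.NetworkCredential]::new('', $secure).Password
}
function Assert-Ok([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "openssl failed during: $Step (exit $LASTEXITCODE)" }
}

$env:CA_PASS   = Read-Secret 'Root CA key passphrase'
$env:SIGN_PASS = Read-Secret 'Signing key passphrase'
$env:PFX_PASS  = Read-Secret 'PFX export password'

# One config file serves both certificates. Passing -config explicitly also
# avoids the "can't open config file" warning of Windows builds with no default.
@'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_codesign ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = codeSigning
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
'@ | Set-Content -Path openssl.cnf -Encoding ascii

# Step 2: root key and self-signed root certificate (ten years, because every
# user has to re-import the root when it expires).
& $OpenSsl genrsa -aes256 -passout env:CA_PASS -out ca.key 4096
Assert-Ok 'root CA key'
& $OpenSsl req -new -x509 -days 3650 -config openssl.cnf -extensions v3_ca `
    -key ca.key -passin env:CA_PASS `
    -subj '/C=GB/O=Mycompany LTD/OU=Development/CN=Mycompany Root CA' -out ca.crt
Assert-Ok 'root CA certificate'

# Step 3: signing key, request, and certificate issued by the root. The subject
# differs from the root's so chain building never mistakes it for a self-signed
# certificate; -CAcreateserial gives every issued certificate a fresh serial
# (counter kept in ca.srl) instead of a fixed -set_serial 01.
& $OpenSsl genrsa -aes256 -passout env:SIGN_PASS -out sign.key 4096
Assert-Ok 'signing key'
& $OpenSsl req -new -config openssl.cnf -key sign.key -passin env:SIGN_PASS `
    -subj '/C=GB/O=Mycompany LTD/OU=Development/CN=Mycompany Code Signing' -out sign.csr
Assert-Ok 'signing request'
& $OpenSsl x509 -req -days 730 -in sign.csr -CA ca.crt -CAkey ca.key -passin env:CA_PASS `
    -CAcreateserial -extfile openssl.cnf -extensions v3_codesign -out sign.crt
Assert-Ok 'signing certificate'

# Step 4: PFX holding the signing key, its certificate and the root certificate.
& $OpenSsl pkcs12 -export -inkey sign.key -passin env:SIGN_PASS -in sign.crt `
    -certfile ca.crt -passout env:PFX_PASS -out codesign.pfx
Assert-Ok 'PFX export'

# Checks before anything gets trusted: the chain must verify against the root
# ("sign.crt: OK"), and the signing certificate must carry the extensions asked for.
& $OpenSsl verify -CAfile ca.crt sign.crt
Assert-Ok 'chain verification'
$leaf = & $OpenSsl x509 -in sign.crt -noout -text
if (-not ($leaf -match 'Code Signing') -or -not ($leaf -match 'CA:FALSE')) {
    throw 'sign.crt lacks the codeSigning EKU or basicConstraints CA:FALSE'
}

Remove-Item Env:CA_PASS, Env:SIGN_PASS, Env:PFX_PASS
Write-Host "Root certificate for users: $Work\ca.crt; signing bundle: $Work\codesign.pfx"
```

Run it once on the build machine, then move ca.key somewhere offline; only ca.crt (for users) and codesign.pfx (for the developer) need to stay around. If an older Windows refuses to import the resulting .pfx, the cause is usually the OpenSSL 3 default PKCS#12 encryption; re-export with -legacy (OpenSSL 3) or with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 to produce a file those versions understand.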
Step 5: Install Root CA certificate using Internet Explorer
Launch Internet Explorer
Select Tools->Internet Options from the menu bar
Select Content Tab
Click CERTIFICATES
Select the Trusted Root Certification Authorities Tab
Click IMPORT
Click NEXT>
Click BROWSE to locate the required filename
Browse to C:\openssl\bin and highlight ca.crt
Click OPEN
Click NEXT>
Ensure Place all certificates in the following store is selected
Ensure Certificate store: = Trusted Root Certification Authorities
Click NEXT>
Click FINISH
Click YES to trust
Click OK
Step 6: Install Intermediate certificate using Internet Explorer
Change tabs to Intermediate Certification Authorities
Click IMPORT
Click NEXT>
Click BROWSE to locate the required filename
Browse to C:\openssl\bin and highlight server.crt
Click OPEN
Click NEXT>
Ensure Place all certificates in the following store is selected
Ensure Certificate store: = Intermediate Certification Authorities
Click NEXT>
Click FINISH
Click OK
Step 7: Install Personal certificate using Internet Explorer
Note: This simplifies code signing with signtool for the developer, but end users do not
need to do this
Change tabs to Personal
Click IMPORT
Click NEXT>
Click BROWSE to locate the required filename
Change the file extension type to Personal Information Exchange *.pfx, *.p12
Browse to C:\openssl\bin and highlight exported.pfx
Click OPEN
Click NEXT>
Enter the *very* strong password entered when EXPORTING the key (in these instructions
it’s the same password used to create the intermediate key)
Ensure Place all certificates in the following store is selected
Ensure Certificate store: = Personal
Click NEXT>
Click FINISH
Click OK
Step 8: Download and Install Microsoft Platform SDK
Download the SDK
To reduce the download size use the Web Install (download and run PSDK-x86.exe),
Perform custom install and select only Microsoft Windows Core SDK. Remove AMD and
Documentation sub-options
Install the Microsoft Platform SDK tools into c:\program files\microsoft platform sdk
Step 9: Sign ActiveX CAB file (or exe etc)
Open a DOS Command Prompt
Change to the SDK binaries directory. Type
cd "c:\program files\microsoft platform sdk\bin"
Launch the signing tool wizard. Type signtool signwizard
Click NEXT
Browse and select the ActiveX component to sign
Click NEXT
Click TYPICAL
Click NEXT
Click SELECT FROM STORE
Highlight the code-signing certificate created in Step 3 (www.mycompany.com in this example; the original screenshots show one named simplecodesign.com)
Click OK
Click NEXT
Click NEXT
Click NEXT
Click FINISH
Click OK
Step 10: User Installation Instructions
Have the user import the Root CA and Intermediate certificates as in Steps 5 and 6, then go to the web page
where the signed ActiveX CAB is used; installation will now be allowed
Add a Digital Signature to Executables
Signtool.exe is the default Windows development tool to add a digital signature (Authenticode) to
Windows executables (PE files). This howto shows you how to use signtool. You’ll need to create your
own certificate and key (or buy one) to sign code.
To obtain signtool, download the platform SDK or the .NET SDK.
I use signtool in my makefile with command line options to automatically sign compiled code, but in this
howto, I’ll show the interactive use.
First we will install the certificate with the key we'll use to sign code. Double-click the PKCS12 (.pfx) file and let the
wizard do its work with the default options:
Because the wizard will also install the root CA certificate found in the PKCS12 file, it will ask you if you
trust it.
It is not necessary to install this root CA certificate for code signing purposes, but if you don't, signtool
will not include the root CA certificate in the signature's certificate chain. You also need to install this root CA
certificate if you want this machine to automatically trust all certificates issued by the root CA (or its subordinate CAs).
Now start signtool from a command-line like this: signtool signwizard.
For the purposes of this howto, we’ll sign notepad.exe. When you sign an executable that is already
signed, the existing signature is overwritten. Actually, notepad is not signed by Microsoft with an
embedded signature, but using a security catalog.
We’ll use the default options presented by the wizard (except for the timestamp):
Select the certificate with key we installed: use Select from Store…
By default, the signature doesn't include a timestamp signed by an external authority (a countersignature).
Without one, the signature stops verifying once the signing certificate expires; with one, it stays valid as long as
the certificate was valid at the moment of signing. It's easy to add one, for example using Verisign's timestamp service:
http://timestamp.verisign.com/scripts/timstamp.dll
(of course, using this option requires Internet access).
Finally, click finish for the wizard to do its work:
From now on, notepad.exe’s properties displays a Digital Signatures tab:
This signature verifies as OK because we installed the root CA certificate in our certificate store. But if you check
this signature on another machine or with another account (one that doesn't trust our root CA), we'll get a
warning that although the signature itself is valid, the root CA is not trusted:
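The same workflow driven from a script instead of the wizard, serving Step 9 of the first article, the makefile remark above, and the cross-machine check just described. This is an added example, not code from either original article. Assumptions: signtool.exe is on PATH (the Platform SDK one or a current Windows SDK), codesign.pfx holds the signing key plus the Root CA certificate, ca.crt is the root from Step 2, and the timestamp URL is a placeholder for whatever RFC 3161 service you use. Save it as Sign-Control.ps1.

```powershell
# Added example (not code from either original article). Drives signtool from
# PowerShell, selecting the signing certificate from the Personal store by
# thumbprint as the wizard's "Select from Store" does, then checks the result
# the way the signing machine and an untrusting machine each see it.
# Assumptions: signtool.exe on PATH, codesign.pfx with key + root certificate,
# ca.crt from Step 2, and a placeholder (hypothetical) timestamp URL.
param(
    [Parameter(Mandatory)][string]$File,                       # e.g. .\mycontrol.cab
    [string]$PfxPath      = '.\codesign.pfx',
    [string]$RootCertPath = '.\ca.crt',
    [string]$TimestampUrl = 'http://timestamp.example.test/tsa'  # hypothetical TSA
)

function Assert-Ok([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "signtool failed during: $Step (exit $LASTEXITCODE)" }
}

# Step 5 equivalent. Importing into CurrentUser\Root raises the same "do you
# want to trust" dialog as Internet Explorer; Cert:\LocalMachine\Root from an
# elevated prompt (or a GPO) makes the root trusted for every user without it.
Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# Step 7 equivalent. The key stays in the store and signtool is told which
# certificate to use by thumbprint, so no PFX password goes on a command line.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null
$signer     = (Get-PfxData -FilePath $PfxPath -Password $pfxPassword).EndEntityCertificates[0]
$thumbprint = $signer.Thumbprint

# Step 9 equivalent, non-interactive. /fd sets the file digest; /tr and /td add
# an RFC 3161 timestamp so the signature outlives the certificate's expiry.
# The 2003-era Platform SDK signtool only knows /t <url>: drop /fd, /tr, /td there.
& signtool sign /v /sha1 $thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $File
Assert-Ok 'sign'

# /pa selects the Authenticode policy instead of the kernel-mode driver policy
# that "signtool verify" applies by default; exit code 0 means the chain is trusted here.
& signtool verify /pa /v $File
Assert-Ok 'verify'

# What any machine sees through CryptoAPI. Anything other than Valid means the
# signature or its chain was rejected; StatusMessage carries the reason (on a
# machine without our root: "...terminated in a root certificate which is not
# trusted by the trust provider").
function Get-SignatureReport([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        TimeStamper = $sig.TimeStamperCertificate.Subject
    }
}
Get-SignatureReport -Path $File | Format-List
```

Usage: .\Sign-Control.ps1 -File .\mycontrol.cab. To reproduce the untrusted-root warning shown above, run only the Get-SignatureReport part on a machine (or under an account) where ca.crt was never imported.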
If you didn’t make a backup of notepad.exe and want to remove the signature, use my digital signature
tool disitool.