Post on 04-Apr-2018

225 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: How to Create Your Own Code Signing Certificate and Sign an Activex Component in Windows

7/30/2019 How to Create Your Own Code Signing Certificate and Sign an Activex Component in Windows

http://slidepdf.com/reader/full/how-to-create-your-own-code-signing-certificate-and-sign-an-activex-component 1/16

How to create your own code signing certificate and sign an ActiveX component in Windows

All feedback and comments should be directed to [email protected] 

Webpage: http://www.top20toolbar.com/misc/codesigncert.htm 

Problem Overview

Users cannot install an ActiveX component because it is not signed. They cannot override the security settings of Internet Explorer to allow installation.

The usual solution is to obtain a code signing certificate from a CA like Verisign or Thawte, but this is overkill for internal networks or small scale applications.

Solution Overview

This article describes how to do the following:

- Create Root CA certificate using OpenSSL
- Create Intermediate Certificate using OpenSSL
- Create Personal Code-Signing Certificate using OpenSSL
- Install Root certificate in Windows KeyStore using Internet Explorer
- Install Intermediate Certificate in Windows KeyStore using Internet Explorer
- Install Personal Certificate in Windows KeyStore using Internet Explorer
- Sign an ActiveX CAB file using Microsoft Signtool

Limitations

Once signed you can distribute the ActiveX component to any user, BUT the user must install the Root CA and Intermediate Certificates as well for installation to be allowed.

If you want users to install an ActiveX component without the Root and Intermediate certificates then buy a code-signing certificate online from Thawte or Verisign.

Step 1: Download and Install OpenSSL

- Download the OpenSSL distribution
- Install the OpenSSL software to c:\openssl (or c:\program files\openssl if you like to keep installations consistent)

Step 2: Create Root CA Certificate


- Open a DOS Command Prompt
- Navigate to the OpenSSL binaries directory. Type CD c:\openssl\bin
- Create the private key. Type openssl genrsa -des3 -out ca.key 4096
- When prompted enter a *very* strong password
- And then verify the password
- Create the self-signed Root CA certificate (which carries the public key). Type openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- When prompted enter the *very* strong password
- For Country Name enter the international standard two letter abbreviation (use GB, NOT UK, if in the UK)
- For State enter the state name in full, or for the UK the county name
- For Locality enter where your company is registered, town or city
- For Organisation Name enter the full company name e.g. Mycompany LTD
- For Organisation Unit enter Development or Support
- For Common Name use your domain name e.g. mycompany.com
- For Email Address enter a valid address e.g. [email protected]

Step 3: Create and Sign Intermediate Certificate

- Create the private key. Type openssl genrsa -des3 -out server.key 4096
- When prompted enter a *very* strong password (can be the same as before)
- And then verify the password
- Create a certificate request for signing by the Root CA. Type openssl req -new -key server.key -out server.csr
- Enter the *very* strong password
- Repeat the information entered above for the Root CA certificate, EXCEPT for the Common Name add "www." e.g. www.mycompany.com
- When prompted for Challenge Password press Enter to skip
- When prompted for Optional Company Name press Enter to skip
- Sign the request with the Root CA to produce the certificate. Type openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
- When prompted enter the *very* strong password used to create the CA certificate

Step 4: Create a combined cert that simplifies SignTool

- Combine the certificate and its private key into a single PKCS#12 package. Type openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt
- When prompted enter the *very* strong password used to create the Intermediate certificate
- Repeat the password for Export Password and Export Password verify
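Steps 2 to 4 above, scripted end to end as an added example (this is not the article's own code): the same genrsa, req, x509 and pkcs12 commands run without prompts via -subj and -passin/-passout, followed by a chain check run twice, once with ca.crt as the trust anchor and once without, which reproduces the Limitations point that every user must import the root. Assumptions: OpenSSL 1.1 or later on PATH; the passphrase and subject values are constructed placeholders; the PKCS#12 step adds -certfile ca.crt, which the article's command does not, so the root travels inside the .pfx.

```shell
#!/bin/sh
# Added example, not from the article. Assumes openssl 1.1+ on PATH.
# Passphrase and subject fields below are constructed placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS="pass:Replace-With-A-Very-Strong-Password"      # constructed placeholder
DN="/C=GB/ST=Somecounty/L=Sometown/O=Mycompany LTD/OU=Development"

make_chain() {
  # Step 2: DES3-protected root key and self-signed root certificate
  openssl genrsa -des3 -passout "$PASS" -out "$WORK/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 365 -key "$WORK/ca.key" -passin "$PASS" \
    -subj "$DN/CN=mycompany.com/emailAddress=user@mycompany.com" -out "$WORK/ca.crt"
  # Step 3: second key, CSR with the "www." common name, certificate signed by the root
  openssl genrsa -des3 -passout "$PASS" -out "$WORK/server.key" 4096 2>/dev/null
  openssl req -new -key "$WORK/server.key" -passin "$PASS" \
    -subj "$DN/CN=www.mycompany.com/emailAddress=user@mycompany.com" -out "$WORK/server.csr"
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "$PASS" -set_serial 01 -out "$WORK/server.crt" 2>/dev/null
  # Step 4: PKCS#12 bundle for signtool. -certfile (not in the article's command) puts the
  # root in the .pfx as well. With OpenSSL 3, add -legacy if an older Windows rejects the file.
  openssl pkcs12 -export -out "$WORK/exported.pfx" -inkey "$WORK/server.key" \
    -in "$WORK/server.crt" -certfile "$WORK/ca.crt" -passin "$PASS" -passout "$PASS"
}

# Chain check as a machine that imported ca.crt sees it: succeeds.
verify_with_root()    { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
# Chain check as any other machine sees it (no trust anchor at all): fails.
verify_without_root() { openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1; }
leaf_serial()         { openssl x509 -in "$WORK/server.crt" -noout -serial; }
leaf_subject_has()    { openssl x509 -in "$WORK/server.crt" -noout -subject | grep -q -- "$1"; }
pfx_has_private_key() {
  openssl pkcs12 -in "$WORK/exported.pfx" -passin "$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

make_chain
verify_with_root    && echo "server.crt verifies against ca.crt"
verify_without_root || echo "server.crt does NOT verify without ca.crt (expected: users must import it)"
```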

Step 5: Install Root CA certificate using Internet Explorer

- Launch Internet Explorer


- Select Tools->Internet Options from the menu bar
- Select the Content tab
- Click CERTIFICATES
- Select the Trusted Root Certification Authorities tab
- Click IMPORT
- Click NEXT>
- Click BROWSE to locate the required filename
- Browse to C:\openssl\bin and highlight ca.crt
- Click OPEN
- Click NEXT>
- Ensure Place all certificates in the following store is selected
- Ensure Certificate store: = Trusted Root Certification Authorities
- Click NEXT>
- Click FINISH
- Click YES to trust
- Click OK

Step 6: Install Intermediate certificate using Internet Explorer

- Change tabs to Intermediate Certification Authorities
- Click IMPORT
- Click NEXT>
- Click BROWSE to locate the required filename
- Browse to C:\openssl\bin and highlight server.crt
- Click OPEN
- Click NEXT>
- Ensure Place all certificates in the following store is selected
- Ensure Certificate store: = Intermediate Certification Authorities
- Click NEXT>
- Click FINISH
- Click OK

Step 7: Install Personal certificate using Internet Explorer

Note: This simplifies code signing with signtool for the developer, but end users do not need to do this.

- Change tabs to Personal
- Click IMPORT
- Click NEXT>
- Click BROWSE to locate the required filename
- Change the file extension type to Personal Information Exchange *.pfx, *.p12
- Browse to C:\openssl\bin and highlight exported.pfx


- Click OPEN
- Click NEXT>
- Enter the *very* strong password entered when EXPORTING the key (in these instructions it's the same password used to create the intermediate key)
- Ensure Place all certificates in the following store is selected
- Ensure Certificate store: = Personal
- Click NEXT>
- Click FINISH
- Click OK

Step 8: Download and Install Microsoft Platform SDK

- Download the SDK
- To reduce the download size use the Web Install (download and run PSDK-x86.exe), perform a custom install and select only Microsoft Windows Core SDK. Remove the AMD and Documentation sub-options
- Install the Microsoft Platform SDK tools into c:\program files\microsoft platform sdk

Step 9: Sign ActiveX CAB file (or exe etc.)

- Open a DOS Command Prompt
- Change to the SDK binaries directory. Type CD c:\program files\microsoft platform sdk\bin
- Launch the signing tool wizard. Type signtool signwizard
- Click NEXT
- Browse and select the ActiveX component to sign
- Click NEXT
- Click TYPICAL
- Click NEXT
- Click SELECT FROM STORE
- Highlight the simplecodesign.com certificate (the certificate whose Common Name you entered in Step 3)
- Click OK
- Click NEXT
- Click NEXT
- Click NEXT
- Click FINISH
- Click OK

Step 10: User Installation Instructions

- Perform steps 5 and 6, then go to the web page where the signed ActiveX CAB is used and installation will be allowed


Add a Digital Signature to Executables

Signtool.exe is the default Windows development tool to add a digital signature (Authenticode) to Windows executables (PE files). This howto shows you how to use signtool. You'll need to create your own certificate and key (or buy one) to sign code.

To obtain signtool, download the Platform SDK or the .NET SDK.

I use signtool in my makefile with command line options to automatically sign compiled code, but in this howto, I'll show the interactive use.

First we will install the certificate with the key we'll use to sign code. Double-click the file and let the wizard do its work with the default option:


Because the wizard will also install the root CA certificate found in the PKCS12 file, it will ask you if you trust it.


It is not necessary to install this root CA certificate for code signing purposes, but if you don't, signtool will not include the root CA certificate in the certificate chain. You also need to install this root CA certificate if you want to automatically trust all certificates issued by this root CA (or its subordinate CAs).

Now start signtool from a command line like this: signtool signwizard.

For the purposes of this howto, we'll sign notepad.exe. When you sign an executable that is already signed, the existing signature is overwritten. Actually, notepad is not signed by Microsoft with an embedded signature, but using a security catalog.


We’ll use the default options presented by the wizard (except for the timestamp): 


Select the certificate with key we installed: use Select from Store… 


By default, the signature doesn't include a timestamp signed by an external authority (a counter-signature). It's easy to add one, for example using Verisign's timestamp service:


http://timestamp.verisign.com/scripts/timstamp.dll (of course, using this option requires Internet access).

Finally, click finish for the wizard to do its work:


From now on, notepad.exe's Properties dialog displays a Digital Signatures tab:


This certificate is OK because we installed the root CA certificate in our certificate store. But if you check this signature on another machine or with another account (which doesn't trust our root CA), we'll get a warning that although the signature is valid, we don't trust the root CA:


If you didn't make a backup of notepad.exe and want to remove the signature, use my digital signature tool disitool.