Tuesday, September 19, 2006

Getting the .spc and .pvk files for Code Signed certificate

Getting code signed
Something that has bothered me for a while is the hassle in putting together all the pieces to sign my download files. I finally got around to looking it all up, and it isn't easy as you have to piece all the things together. I hope that this will give you an insight into how it can really work, since I managed to actually achieve what I wanted and sign my code. This article is a list of the steps I had to take, and you will probably need to review the commands yourself if you have problems.

The process
Get a certificate from http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx who will do a free code signing certificate. Obviously any alternative is good, but this will prove the concept for you, and you can go buy another from them or elsewhere later. The email address is included in the certificate, so use a sensible one you are happy for the world to see. Accept the installation of the certificate into the browser as it won't be emailed even though they say it will. Make sure you chose exportable.

Then get the Microsoft code signing stuff (codesigningx86.exe) from the MSDN web site (google will find its current location).

Use the certmgr to view your certificate and export it. Export it as a certificate (.cer file), and with the key (.pvk) file.

Use cert2spc to convert the cer file into an spc file. That's the first half of the process done. Now you need a key file compatible with the signcode application.

From http://support.globalsign.net/en/objectsign/transform.cfm:

How to transform your certificate to a pvk + spc combination.

Export your certificate to a pfx file (be sure to check "Include all certificates in the certification path if possible"). (The latter will help ensure it is accepted by more systems.

Install openssl. You can find compiled binaries on www.openssl.org (but get the Windows build from http://www.shininglightpro.com/ http://www.shininglightpro.com/download/Win32OpenSSL-v0.9.7d.exe)

Extract your private key from the pfx file.

->openssl pkcs12 -in -nocerts -nodes -out

The pfx password will be asked.

Download the pvk transform utility. This file can be found at http://support.globalsign.net/en/objectsign/PVK.zip.

-> pvk -in -topvk -out

Extract your certificates from the pfx file.

openssl pkcs12 -in -nokeys -out

The pfx password will be asked.

Transform your pem file to a spc file

->openssl crl2pkcs7 -nocrl -certfile -outform DER -out

No comments: