I'm trying to figure out how to generate my own Software Publisher Certificate using Certificate Services on my own Windows 2003 server. Can anyone help guide me through this?
This one appears to be a toughie. Being a fully paid up MSDN universal subscriber I originally posted the question in a 'managed' MSDN news group.
I got one reply from MS telling me to "Just enroll for a 'code signing' certificate using that template." If I was standing in front of the guy I would have slapped him.
My goal is to generate spc and pvk files that I can then go and sign my own macro code.
The background is:
I'm the single developer in a small office. I write a lot of .net code used with Excel and I need to get rid of the annoying "Enable Macros" buttons from our own code.
I know I could purchase an SPC from verisign, etc but this seems pointless for my situation as the only people that will be using this code is ourselves and we trust ourselves.
Anyone done this before?
Anyone needing a good laugh at the official reply from Microsoft can look here
http://msdn.microsoft.com/newsgroups/managed/default.aspx?pg=2&lang=en&cr=US&guid=&dg=microsoft.public.platformsdk.security&fltr=
thread posted on 15th July, subject: Generating my own Software Publishing Certificate
-
Hi Simo
Have you already set up certificate services on a machine? I'm assuming you have in the following... let me know if not...
If so you should be able to browse to http://localhost/certsrv on the machine with certificate services installed.
assuming this works then follow the wizard on that page:
the personal info can be whatever...
Choose code signing cert in the certificate type combo
Choose a suitable CSP and key length ( 2048 ms rsa/aes enhanced provider maybe? )
mark the keys as exportable via the checkbox and strongly protect the private keys.
request format shouldn't matter. sha512 it if u are paranoid...
Hit submit and you should get a pending request page
Now you have to play the role of the certserver and accept the certificate request.
So run the certificate services mmc snapin on the same machine( start, run, certsrv.msc )
there should be a tab underneath your CA that says pending requests. Go to this and right hand mouse on the cert that's ( hopefully ) there and click issue..
the cert is now issued. One last step...
Browse back to http://localhost/certsrv and click on the link that says "view the status of a pending request". Click on the cert there and click download. This will give you a valid cert that u can use for code signing...
Let me know if that's enough info to go on...it is kind of long winded, but ok once you've been through it once...
edit:
you can gen spc files from an exported .cer cert using this utility
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfsoftwarepublishercertificatetesttoolcert2spcexe.asp
-
hey thanks for replying...
The problem I've got is making the Code Signing Cert appear in the Cert Type Combo. At the moment I'm only offered a choice of Basic EFS or User.
-
That's strange. I just re-set up a cert server on one of my boxes to confirm that what i said worked, and it gives me all the choices on a fresh install also..
Are you an admin on the box? Is this a root standalone CA that you've installed...this is all Windows 2003 right?
if you go to http://localhost/certsrv hit "request a certificate", hit "advanced certificate request", hit "create and submit a request to this CA" do you only get the two choices in the certificate type dropdown box? There should be about 7 or 8 there...
-
ok I re-read what you told me to do and have made major progress.
My mistake was that that i wasn't browsing the certserv site from http://localhost on the Certificate services box and was using my std. read email/browse the web account. doh doh doh. Sorry.
So I'm now offered the chance to create a Code Signing certificate.
But....
Am not offered RSA/AES as a provider, so am opting for MS Enhanced Cryptographic.
The "Mark keys as exportable" check box is disabled, am guessing this is a big issue. So I can't check it.
The Request formats on offer are CMC & PKCS10, not sha512
When I make the request the certificate is automatically issued. So I don't have to authorise the requests.
When I browse "View the status of pending request" there are no certs on offer. Instead I can browse Download a CA Certificate. But my Code signing Cert is not there, just something that appears to be the root certificate for the domain.
However, the code signing cert was issued and I managed to export from the Certificates MMC for the logged on user. But I was not allowed to export the private key.
So I've still screwed up somewhere.
-
cool, we're getting close though.
Could you try these settings in the cert request web-page please. I get a .pvk etc successfully from this:
Type of cert needed:
code signing cert
Key Option:
Create new keyset checked
CSP: Microsoft enhanced RSA and AES Crypto provider ( should be the bottom option )
KeyUsage: signature
KeySize: 2048 ( or 4096 )
Check automatic key container name
check - mark keys as exportable ( something is badly wrong if this is greyed out )
check - export keys to file ( give the .pvk file )
check - enable strong key protection
Additional Options:
Request format: cmc
hash algo: sha1
not sure what's wrong if this doesn't work but let me know and we can try a couple of other things...
It looks like your cert wasn't correctly issued btw. Did it show up in the issued section in the certsrv.msc mmc snapin?
I would expect "view the status of pending request" to have the cert there after it was issued, so maybe it's worth checking it really is issued?
"download a ca cert" isn't what you need btw, it's for downloading the cert of another certificate authority, and for updating cert revocation lists etc.
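The settings listed above can also be put into a certreq request file, which sidesteps the web page entirely and states the exportable flag, CSP, key size, key usage and CMC format in the request itself. This is an added example, not code from the thread; the CA config string and the subject are placeholders, and the account running it must already hold Enroll permission on the CodeSigning template.

```powershell
# Added example (not from the thread): enrol for the Code Signing template with certreq
# instead of the CertSrv web page. All values below are placeholders except the INF keys.
$caConfig = 'CASERVER\Internal Root CA'               # placeholder "<host>\<CA common name>"; certutil -dump shows the real one
$subject  = 'CN=Internal Code Signing, O=Example Ltd' # placeholder subject
$work     = Join-Path $env:TEMP 'codesign-request'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The INF mirrors the recommended settings: RSA/AES CSP (ProviderType 24), 2048-bit
# signature key (KeySpec 2), digital-signature key usage (0x80), CMC request format,
# and the private key marked exportable at generation time.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "__SUBJECT__"
Exportable = TRUE
KeyLength = 2048
KeySpec = 2
KeyUsage = 0x80
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = CMC

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3

[RequestAttributes]
CertificateTemplate = CodeSigning
'@ -replace '__SUBJECT__', $subject

$infPath = Join-Path $work 'codesign.inf'
$reqPath = Join-Path $work 'codesign.req'
$cerPath = Join-Path $work 'codesign.cer'
Set-Content -Path $infPath -Value $inf -Encoding Ascii

# 1. Generate the key pair in the user's CSP key store and write the CMC request.
certreq -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit it to the CA. If the CA holds requests as pending, certreq prints the RequestId;
#    an admin issues it in certsrv.msc (Pending Requests -> Issue) and the certificate is
#    then fetched with:  certreq -retrieve -config $caConfig <RequestId> $cerPath
certreq -submit -config $caConfig $reqPath $cerPath

# 3. Once the .cer exists, bind it to the private key in Cert:\CurrentUser\My and
#    confirm the key really was generated as exportable (needed for the .pvk/.spc route).
if (Test-Path $cerPath) {
    certreq -accept $cerPath
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
    $csp = $cert.PrivateKey.CspKeyContainerInfo
    "Issued to {0}; provider '{1}'; exportable = {2}" -f $cert.Subject, $csp.ProviderName, $csp.Exportable
}
```

If the CA is an Enterprise CA the CodeSigning template must be published under Certificate Templates and the requesting account needs Enroll on it, exactly as the rest of the thread works out; the request file only removes the browser from the picture.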
-
Ok, I still come off the rails when choosing the Crypto provider (CSP) and Marking keys as exportable.
Certs were being issued automatically because I had enabled this option in the Certification Authority snap-in.
Looking at my Code Signing cert template (Cert Templates snap-in), switching to the second tab of the property page (Request Handling) the MS RSA & AES Crypto Provider is not enabled along with 'allow private key to be exported'.
I guess this is why the options are not available when I'm generating a cert from this template.
So... I created a new cert template based on the default Code Signing template and enabled the appropriate CSP and checked 'allow private key to be exported'. Finally saved this as a new template.
The final stage to make my Cert Template available is to enable it in the Certification Authority (CA) snap-in -> Certificate Templates -> Right-Click -> New -> Certificate Template to Issue. But my new template can not be selected.
I think it can't be selected because the new template has a minimum supported CA of Windows 2003, Enterprise Edition. I have only std edition Win2003 available to me.
So I think the options for me are:
1. figure out why the default Code Signing template in my installation is not enabled for RSA/AES CSP and private key export.
or
2. Figure out how to create a new template with a minimum supported CA of Windows 2003, Std Edition. Interestingly enough the default Code Signing Cert template has a min CA authority of Win2000.
-
Hey, I have a success. And in part thanks to the original MS guy in the MSDN managed newsgroup. So I owe him an apology.
Instead of browsing the Cert Authority website from http://localhost whilst logged on as the admin. I ended up granting my regular account 'Enroll' permissions for Code Sign template and browsing the web site from a client PC logged in with regular account. Now the 'mark keys as exportable' check box is enabled.
For the benefit of anybody else who is struggling to figure this out I have documented what I needed to do below:
After Certificate Services is installed on Windows 2003 server, log on to server as admin.
Run up the Certificate Templates snap-in.
Right-Click the Code Signing template -> Properties -> Security Tab -> Enable 'enroll' permission for whoever will need to request a Code-Signing cert. Maybe use 'Authenticated Users' group.
Run up the Certification Authority snap-in.
Right-Click Certificate Templates -> New -> Certificate Template to Issue -> Code Signing.
Enable IIS, ASP pages, and the CertSrv virtual directory if any of this is switched off/locked down.
From the client desktop and account of user requiring cert:
Browse to http://<server name>/CertSrv -> Request a certificate
-> Advanced Certificate request
-> Create and submit a request to this CA
Type of cert needed:
code signing cert
Key Option:
Create new keyset checked
CSP: Microsoft enhanced RSA and AES Crypto provider ( should be the bottom option )
KeyUsage: signature
KeySize: 2048 ( or 4096 )
Check automatic key container name
check - mark keys as exportable
check - export keys to file ( give the .pvk file )
check - enable strong key protection
Additional Options:
Request format: cmc
hash algo: sha1
Hit submit
pvk file should be downloaded to filepath specified
and you should get a pending request page
Log back into server as admin
Run up the Certification Authority snap-in.
Pending Requests -> Right-click on freshly waiting cert -> Issue
From the client desktop and account of user requiring cert:
Browse to http://<server name>/CertSrv
-> View the status of pending certificate request
Download the waiting cert
Use cert2spc.exe to generate spc file.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfsoftwarepublishercertificatetesttoolcert2spcexe.asp
-
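Once the certificate has been downloaded and installed for the requesting user, it is worth checking that it is actually fit for signing before running cert2spc.exe: that it carries the Code Signing purpose, has its private key, and chains to the internal root, and then that a signature made with it verifies. The script below is an added example, not code from the thread; the assembly path and timestamp server are placeholders.

```powershell
# Added example (not from the thread): validate the enrolled code-signing certificate,
# sign a .NET assembly with it and verify the result. Paths below are placeholders.
$assemblyPath = 'C:\build\MyExcelAddIn.dll'   # placeholder: the assembly to sign

# 1. Pick a certificate from the user's store that has the Code Signing EKU
#    (1.3.6.1.5.5.7.3.3) and a private key; newest expiry first if there are several.
$candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey }
if (-not $candidates) {
    throw 'No code-signing certificate with a private key found in Cert:\CurrentUser\My'
}
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"

# 2. Build the chain. On a lab CA the CRL is often not published, so revocation is
#    skipped here; the root must still be in Trusted Root Certification Authorities
#    on every machine that will open the signed code, or the signature shows as untrusted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
    throw 'Certificate does not chain to a trusted root; install the CA certificate first'
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root:    $($root.Subject)"

# 3. Sign the assembly, timestamping so the signature outlives the certificate's validity.
$sig = Set-AuthenticodeSignature -FilePath $assemblyPath -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.example.invalid' # placeholder TSA
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) $($sig.StatusMessage)"
}

# 4. Verify independently of the object returned by the signing call.
$check = Get-AuthenticodeSignature -FilePath $assemblyPath
"Status:  $($check.Status) (signer thumbprint $($check.SignerCertificate.Thumbprint))"
```

A Status of NotSigned or UnknownError at step 4 on another PC, while the same file verifies on the signing machine, almost always means that PC does not trust the internal root; that is the distribution step a standalone CA does not do for you.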
Simo said:
Hey, I have a success. And in part thanks to the original MS guy in the MSDN managed newsgroup. So I owe him an apology.
Instead of browsing the Cert Authority website from http://localhost whilst logged on as the admin. I ended up granting my regular account 'Enroll' permissions for Code Sign template and browsing the web site from a client PC logged in with regular account. Now the 'mark keys as exportable' check box is enabled.
For the benefit of anybody else who is struggling to figure this out I have documented what I needed to do below:
After Certificate Services is installed on Windows 2003 server, log on to server as admin.
Run up the Certificate Templates snap-in.
Right-Click the Code Signing template -> Properties -> Security Tab -> Enable 'enroll' permission for whoever will need to request a Code-Signing cert. Maybe use 'Authenticated Users' group.
Run up the Certification Authority snap-in.
Right-Click Certificate Templates -> New -> Certificate Template to Issue -> Code Signing.
Enable IIS, ASP pages, and the CertSrv virtual directory if any of this is switched off/locked down.
From the client desktop and account of user requiring cert:
Browse to http://<server name>/CertSrv -> Request a certificate
-> Advanced Certificate request
-> Create and submit a request to this CA
Type of cert needed:
code signing cert
Key Option:
Create new keyset checked
CSP: Microsoft enhanced RSA and AES Crypto provider ( should be the bottom option )
KeyUsage: signature
KeySize: 2048 ( or 4096 )
Check automatic key container name
check - mark keys as exportable
check - export keys to file ( give the .pvk file )
check - enable strong key protection
Additional Options:
Request format: cmc
hash algo: sha1
Hit submit
pvk file should be downloaded to filepath specified
and you should get a pending request page
Log back into server as admin
Run up the Certification Authority snap-in.
Pending Requests -> Right-click on freshly waiting cert -> Issue
From the client desktop and account of user requiring cert:
Browse to http://<server name>/CertSrv
-> View the status of pending certificate request
Download the waiting cert
Use cert2spc.exe to generate spc file.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfsoftwarepublishercertificatetesttoolcert2spcexe.asp

Hi Simo, I'm sorry about my English.
I have the same problem, but in the code signing template the check - mark keys as exportable is disabled.
What Windows server edition have you got?
Some people think that it is only possible to mark the keys as exportable in the Enterprise edition.
Thank you very much.