How do I create a self-signed certificate for code signing on Windows?

Backend · Unresolved · 5 answers · 754 views
抹茶落季 2020-11-22 17:08

How do I create a self-signed certificate for code signing using tools from the Windows SDK?

5 answers
  •  花落未央
    2020-11-22 17:10

    Updated Answer

    If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate.

    If you're using an older version such as Windows 7, you'll need to stick with MakeCert or another solution. Some people suggest the Public Key Infrastructure Powershell (PSPKI) Module.

    Original Answer

    While you can create a self-signed code-signing certificate (SPC - Software Publisher Certificate) in one go, I prefer to do the following:

    Creating a self-signed certificate authority (CA)

    makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser ^
             -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer
    

    (^ = allow batch command-line to wrap line)

    This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA-256 algorithm. The key is meant for signing (-sky).

    The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.

    Importing the CA certificate

    Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snap-in, but from the command line:

    certutil -user -addstore Root MyCA.cer
    

    Creating a code-signing certificate (SPC)

    makecert -pe -n "CN=My SPC" -a sha256 -cy end ^
             -sky signature ^
             -ic MyCA.cer -iv MyCA.pvk ^
             -sv MySPC.pvk MySPC.cer
    

    It is pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).

    We'll also want to convert the certificate and key into a PFX file:

    pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx
    

    If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.

    Using the certificate for signing code

    signtool sign /v /f MySPC.pfx ^
                  /t http://timestamp.url MyExecutable.exe
    

    (See why timestamps may matter)

    If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snap-in), you can sign code as follows:

    signtool sign /v /n "Me" /s SPC ^
                  /t http://timestamp.url MyExecutable.exe
    

    Some possible timestamp URLs for signtool /t are:

    • http://timestamp.verisign.com/scripts/timstamp.dll
    • http://timestamp.globalsign.com/scripts/timstamp.dll
    • http://timestamp.comodoca.com/authenticode

    Full Microsoft documentation

    • signtool
    • makecert
    • pvk2pfx

    Downloads

    For those who are not .NET developers, you will need a copy of the Windows SDK and .NET framework. A current link is available here: SDK & .NET (which installs makecert in C:\Program Files\Microsoft SDKs\Windows\v7.1). Your mileage may vary.

    MakeCert is available from the Visual Studio Command Prompt. Visual Studio 2015 does have it, and it can be launched from the Start Menu in Windows 7 under "Developer Command Prompt for VS 2015" or "VS2015 x64 Native Tools Command Prompt" (probably all of them in the same folder).
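The answer above recommends New-SelfSignedCertificate for current Windows versions but only shows the MakeCert flow. The following is an added example, not part of the original answer or of Microsoft's documentation, that walks the same five steps (create, export PFX, trust, sign, verify) with the PKI and Authenticode cmdlets shipped in Windows 10 / Server 2016 and later. The subject name, file names, key size, validity period and timestamp URL are assumptions; substitute your own.

```powershell
# Added example (not from the original answer): the New-SelfSignedCertificate
# route recommended for Windows 8.1 / Server 2012 R2 and later, end to end.
# Subject, paths, key size, lifetime and timestamp server are assumptions.
$ErrorActionPreference = 'Stop'

# 1. Create a self-signed code-signing certificate in the current user's
#    personal store. -Type CodeSigningCert sets the Code Signing EKU
#    (1.3.6.1.5.5.7.3.3), which signtool and Set-AuthenticodeSignature require;
#    a plain self-signed cert without it is rejected as a signer.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=My SPC' `
    -Type CodeSigningCert `
    -KeyAlgorithm RSA -KeyLength 3072 `
    -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(3) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Export the private key as a password-protected PFX (the equivalent of
#    pvk2pfx -po; never ship an unprotected PFX) and the public certificate
#    for distribution to machines that must trust the signature.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\MySPC.pfx -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath .\MySPC.cer | Out-Null

# 3. Trust it. A self-signed certificate chains only to itself, so its public
#    half must be in Trusted Root for the chain to validate, and in Trusted
#    Publishers for PowerShell's execution policy / AppLocker to accept it.
#    Current-user stores are enough for a test machine; use LocalMachine
#    (elevated) when every account on the host should trust it.
Import-Certificate -FilePath .\MySPC.cer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Import-Certificate -FilePath .\MySPC.cer -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher' | Out-Null

# 4. Sign with a timestamp so the signature stays valid after the certificate
#    expires. Works for .exe/.dll/.msi as well as .ps1 files. The signtool
#    equivalent of this step is:
#      signtool sign /fd SHA256 /f MySPC.pfx /p <pwd> /tr <url> /td SHA256 MyExecutable.exe
$sig = Set-AuthenticodeSignature -FilePath .\MyExecutable.exe `
    -Certificate $cert `
    -HashAlgorithm SHA256 `
    -TimestampServer 'http://timestamp.digicert.com'   # assumption: any working TSA
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# 5. Verify independently of the signing step. Status is 'Valid' only when the
#    hash matches AND the signer chains to a trusted root; 'UnknownError' with
#    "not trusted by the trust provider" means step 3 was skipped.
$check = Get-AuthenticodeSignature -FilePath .\MyExecutable.exe
if ($check.Status -ne 'Valid') {
    throw "Signature status is $($check.Status): $($check.StatusMessage)"
}
"Signed by $($check.SignerCertificate.Subject), thumbprint $($check.SignerCertificate.Thumbprint)"
```

Two points worth keeping in mind when moving this beyond a test box: trusting a self-signed certificate in Trusted Root makes that key a root of trust for the account, so keep the PFX under the same protection you would give a CA key, and prefer separate certificates (or a private CA, as in the original answer) if several people sign. Also check the SHA-256 file digest is in use (`/fd SHA256` for signtool, `-HashAlgorithm SHA256` here); SHA-1 Authenticode signatures are no longer accepted by current Windows releases.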
