Certificate server: what properties for a code signing certificate?
Hello everyone,

I'm trying to create an environment for the developers of our Silverlight-based application, and they request that I provide a code-signing certificate so they can sign their distribution files (.xap).

In test, the developers can create a self-signed certificate (which has no key usage at all), but that causes problems: the cert has to be distributed on all machines, and the fact that it has no key usage property and is self-signed makes it a security risk. It's also a pain to use on the build server.

So, I wanted to issue a code signing certificate to each developer and one to the build server. Unfortunately, when I do this using the template that comes with Windows 2008 Certificate Services, the certificate isn't recognized by Visual Studio 2010, and when I provide it to signtool.exe I get the following error:

The signer's certificate is not valid for signing.
An error occurred while attempting to sign: Client.Silverlight.xap

So, what is VS2010/signtool looking for, really?
March 23rd, 2011 6:11am

When the certificate was generated, was it exported with the private key when distributed to the developers? This would cause an issue when using it with Visual Studio. If this is not the issue, please respond with the certificate template that you used and I will see if there are any other possible explanations.
fr3dd
March 23rd, 2011 10:52am

Hi,

Please also run the following command to dump the code signing certificate on the computer encountering the error and post the output here for research:

certutil -store -v my certSerialNumber

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 23rd, 2011 10:49pm

The default 'Code Signing' certificate template is a version 1 template from Windows 2000. This certificate does not allow the private key to be exported for issued certificates, which means it is only valid on the requesting machine. If you are looking to create a common certificate for all developers, then you will need to duplicate the 'Code Signing' template and check 'Allow the private key to be exported' on the Request Handling tab. Once you issue the certificate, you can export it with the private key and distribute it to the developers with the required password.
fr3dd
March 24th, 2011 1:45pm

Hi, How's everything going? If you need further assistance, please feel free to respond back. Thanks.
March 29th, 2011 9:21am

Some more details: Here is the certificate generated through certificate services: (PEM-encoded certificate omitted)

And the cert I generated with another tool: (PEM-encoded certificate omitted)
March 29th, 2011 10:18am

Hello. Thanks for the answers, everyone. Sorry, forum notification failed me (would have been better if I entered an email address).

The certificate template I used was a modified version of the code signing template that allowed the private key to be exported. I also tried to generate a certificate for code signing with the following properties:

Key usage: Digital Signature (80 00)
Extended key usage: Code signing (1.3.6.1.5.5.7.3.3)

The only certificate that worked has no key usage, no extended key usage and no application policy. The only extended property it has is "Authority key identifier".

Again, sorry for not answering sooner and thank you for the assistance.
March 29th, 2011 11:37am

Hi - the two certificates you posted are not the same ones. The first one appears to be the one issued by the CA and the second one is a self-signed 'Code signing test' certificate. The code signing certificate issued by the CA has a subject alternate name associated with it, which is not common. Typically, these certificates are enrolled via the web or Certificates snap-in and require the appropriate information to be filled out. Can you please respond with the settings on the certificate template request handling tab?

Additionally, some applications look for the certificate to be in the Trusted Publishers store under either the machine or current user account. Please verify that it is there and if it is not, you can do a right-click drag and copy to this store within the Certificates snap-in.
fr3dd
March 29th, 2011 11:39am
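
The properties the replies above ask about (private key present, Key Usage, Extended Key Usage, chain validity, Trusted Publishers membership), gathered into one report per certificate. This is an added example, not code posted by any participant and not signtool's own selection logic; the store paths and the function name Test-CodeSigningCandidate are assumptions.

```powershell
# Added example. Store paths are assumptions; adjust to where the cert was enrolled.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing EKU, as quoted in the thread

function Test-CodeSigningCandidate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Key Usage (2.5.29.15): an absent extension places no restriction; if present
    # it must include digitalSignature (the "80" bit mentioned in the thread).
    $ku   = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $kuOk = (-not $ku) -or (($ku.KeyUsages -band $flag) -ne 0)

    # Extended Key Usage (2.5.29.37): absent means all purposes; if present it
    # must list the code signing OID.
    $eku   = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = (-not $eku) -or
             (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $CodeSigningOid)

    # Chain: a self-signed cert fails here unless it was distributed as a trusted root.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Trusted Publishers membership, current user or machine.
    $thumb = $Certificate.Thumbprint
    $inPub = (Test-Path "Cert:\CurrentUser\TrustedPublisher\$thumb") -or
             (Test-Path "Cert:\LocalMachine\TrustedPublisher\$thumb")

    $now = Get-Date
    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Serial           = $Certificate.SerialNumber
        HasPrivateKey    = $Certificate.HasPrivateKey   # false if exported without the key
        KeyUsageOk       = $kuOk
        EkuOk            = $ekuOk
        WithinValidity   = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        ChainOk          = $chainOk
        ChainStatus      = $status
        TrustedPublisher = $inPub
    }
}

# Report on every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-CodeSigningCandidate -Certificate $_ } |
    Format-List
```

The Serial column gives the value to pass to the certutil command requested earlier in the thread.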

This topic is archived. No further replies will be accepted.
