Certificate server: what properties for a code signing certificate?
Hello everyone,
I'm trying to create an environment for the developers of our Silverlight-based application, and they request that I provide a code-signing certificate so they can sign their distribution files (.xap).
In test, the developers can create a self-signed certificate (which has no key usage at all), but that causes problems: the cert has to be distributed to all machines, and the fact that it has no key usage property and is self-signed makes it a security risk.
It's also a pain to use on the build server.
So, I wanted to issue a code signing certificate to each developer and one to the build server. Unfortunately, when I do this using the template that comes with Windows 2008 Certificate Services, the certificate isn't recognized by Visual Studio 2010, and when I provide it to signtool.exe I get the following error:
The signer's certificate is not valid for signing.
An error occurred while attempting to sign: Client.Silverlight.xap
So, what is VS2010/signtool looking for, really?
March 23rd, 2011 6:11am
When the certificate was generated, was it exported with the private key when distributed to the developers? This would cause an issue when using it with Visual Studio. If this is not the issue, please respond with the certificate template that you used and I will see if there are any other possible explanations.
fr3dd
March 23rd, 2011 10:52am
Hi,
Please also run the following command to dump the code signing certificate on the computer encountering the error and post the output here for research:
certutil -store -v my certSerialNumber
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 23rd, 2011 10:49pm
The default 'Code Signing' certificate template is a version 1 template from Windows 2000. This template does not allow the private key to be exported for issued certificates, which means it is only valid on the requesting machine. If you are looking to create a common certificate for all developers, then you will need to duplicate the 'Code Signing' template and check 'Allow the private key to be exported' on the Request Handling tab. Once you issue the certificate, you can export it with the private key and distribute it to the developers with the required password.
fr3dd
March 24th, 2011 1:45pm
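To make the answer above concrete, here is an added example (not from the thread or from fr3dd) of requesting such a certificate from an enterprise CA with certreq instead of the Certificates snap-in. The INF asks for an exportable key, the Digital Signature key usage and the Code Signing EKU, and names the duplicated template. The template name "CodeSigningExportable" and the CA config string "CA01\Contoso Issuing CA" are placeholders to replace with your own.

```powershell
# Added example: request a code-signing certificate with an exportable private key
# from an enterprise CA using certreq. Template name and CA config are placeholders.
$workDir = Join-Path $env:TEMP 'codesign-request'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$inf = Join-Path $workDir 'codesign.inf'
$req = Join-Path $workDir 'codesign.req'
$cer = Join-Path $workDir 'codesign.cer'

# The request INF. Comments after ';' are part of the INF syntax.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=Build Server Code Signing, OU=Dev, O=Contoso"   ; placeholder subject
KeyLength = 2048
KeySpec = 2                 ; AT_SIGNATURE: a signature-only key
KeyUsage = 0x80             ; CERT_DIGITAL_SIGNATURE_KEY_USAGE (the "80 00" seen in the snap-in)
Exportable = TRUE           ; required so the PFX can be moved to the build server
MachineKeySet = FALSE       ; TRUE would create the key in the machine store instead
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3     ; Code Signing

[RequestAttributes]
CertificateTemplate = CodeSigningExportable   ; placeholder: the duplicated template's name
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the request file.
certreq -new $inf $req
# 2. Submit to the issuing CA (placeholder config string "Host\CA common name").
certreq -submit -config "CA01\Contoso Issuing CA" $req $cer
# 3. Install the issued certificate next to its private key in the requester's Personal store.
certreq -accept $cer

# Later, to hand the certificate to the build server, export it with the key and a password:
#   certutil -user -p <password> -exportPFX my <serialNumber> codesign.pfx
```

On an enterprise CA the template's own Request Handling settings and extensions take precedence over the KeyUsage and EKU lines in the INF, so the template must allow key export as the answer describes; the INF lines still document the intent and are what a standalone CA would honour. The Exportable flag is applied locally when certreq creates the key, so a key created without it cannot be made exportable afterwards.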
Hi,
How's everything going? If you need further assistance, please feel free to respond back.
Thanks.
March 29th, 2011 9:21am
Some more details:
Here is the certificate generated through certificate services:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
And the cert I generated with another tool:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
March 29th, 2011 10:18am
Hello.
Thanks for the answers, everyone.
Sorry, forum notification failed me (would have been better if I entered an email address).
The certificate template I used was a modified version of the code signing template that allowed the private key to be exported.
I also tried to generate a certificate for code signing with the following properties:
Key usage: Digital Signature (80 00)
Extended key usage: Code signing (1.3.6.1.5.5.7.3.3)
The only certificate that worked has no key usage, no extended key usage and no application policy. The only extended property it has is "Authority key identifier".
Again, sorry for not answering sooner, and thank you for the assistance.
March 29th, 2011 11:37am
Hi - the two certificates you posted are not the same ones. The first one appears to be the one issued by the CA and the second one is a self-signed 'Code signing test' certificate. The code signing certificate issued by the CA has a subject
alternate name associated with it, which is not common. Typically, these certificates are enrolled via the web or Certificates snap-in and require the appropriate information to be filled out. Can you please respond with the settings on the certificate
template request handling tab?
Additionally, some applications look for the certificate to be in the Trusted Publishers store under either the machine or current user account. Please verify that it is there and if it is not, you can do a right-click drag and copy to this store within the certificates snap-in.
fr3dd
March 29th, 2011 11:39am
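The thread compares certificates by their key usage, EKU, exportability and store placement, and the last answer adds the Trusted Publishers check. The following added example (not from the thread or from any poster) gathers all of those properties for one certificate in the current user's Personal store and also builds the certificate chain for the code-signing application policy, which separates "the extensions are wrong" from "the signing machine does not trust the issuing CA for this purpose". It assumes Windows PowerShell with the Cert: drive; the thumbprint is supplied by the caller.

```powershell
# Added example: report the code-signing-relevant properties of one certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # thumbprint of the certificate in Cert:\CurrentUser\My
)

$codeSigningOid = '1.3.6.1.5.5.7.3.3'

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.Exportable   # legacy CSP key
        }
        if ($key -is [System.Security.Cryptography.RSACng]) {
            return [bool]($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
        }
    } catch { }
    return $null   # key present, but its export policy could not be read
}

function Test-CodeSigningCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

    # No Key Usage extension means unrestricted (the case of the self-signed cert in the
    # thread); if the extension is present it must include DigitalSignature.
    $kuOk = (-not $ku) -or (($ku.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0)
    # Likewise an absent EKU is unrestricted; if present it must list Code Signing.
    $ekuOk = (-not $eku) -or [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })

    # Build the chain for the code-signing application policy, as a signing tool would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$codeSigningOid) | Out-Null
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # The Cert: provider exposes certificates as items keyed by thumbprint.
    $inTrustedPublishers = (Test-Path "Cert:\CurrentUser\TrustedPublisher\$($Cert.Thumbprint)") -or
                           (Test-Path "Cert:\LocalMachine\TrustedPublisher\$($Cert.Thumbprint)")

    [pscustomobject]@{
        Subject              = $Cert.Subject
        Issuer               = $Cert.Issuer
        KeyUsageOk           = $kuOk
        CodeSigningEkuOk     = $ekuOk
        PrivateKeyExportable = Test-PrivateKeyExportable $Cert
        ChainValidForSigning = $chainOk
        ChainStatus          = if ($chainOk) { 'OK' } else { $chainStatus }
        InTrustedPublishers  = $inTrustedPublishers
    }
}

$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
Test-CodeSigningCert $cert | Format-List
```

Run it as `.\Check-CodeSigningCert.ps1 -Thumbprint <thumbprint>` on the machine that reports the signtool error. A certificate whose KeyUsageOk and CodeSigningEkuOk are both true but whose ChainValidForSigning is false points at trust on the signing machine (for example a missing issuing CA certificate, or a CA certificate that itself is not valid for the code-signing purpose), which the ChainStatus field names; compare the output for the CA-issued certificate and the self-signed one that worked to see which property differs.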