Saturday, August 13, 2016

Installing a Code Signing Certificate, 2016

This is an update to my earlier article about the same subject. This process is much easier than it used to be.

This post was edited on August 1, 2019 to reflect minor changes in the process.

Install a certificate from Sectigo (was Comodo)

  1. Use IE11 for your browser for everything related to the purchase. Don't use Edge or Chrome.
  2. Use Sectigo (formerly Comodo) to buy your Code Signing Cert. They're still the cheapest provider, especially if you go through Tucows and buy a three year certificate.
  3. When filling out the information during the purchase process:
    • Make SURE you click the checkbox to allow the private cert to be exported, or you will be very unhappy.
    • You want a SHA2 certificate, which will do SHA1 and SHA256 signing.
  4. Your private key is generated when you initiate the order, but it is NOT stored in your Cert Store. Therefore, you must start and complete your order on the same machine with the same browser.
  5. After your identity is confirmed, you will receive an email from Sectigo with a subject like ORDER #12345678 - Your Code Signing Certificate is ready!
  6. Install the new certificate by clicking the link in the email. Again, use IE11. When it's done, you'll see something like this:

  7. At this point, your new certificate has been automatically added to your Cert Store.
  8. Verify the installation. Go to Control Panel / Internet Options / Content, click Certificates, select your new certificate, and click View in the bottom right. The certificate will probably be on the Personal page. Make sure you are looking at your new certificate and not the old. You can tell the difference by the expiration date.
  9. Make sure you have the private key. Again on the Certificate page, at the end of the information, right under the "Valid from" dates, you should see something that says "You have a private key that corresponds to this certificate." If this isn't there, you may not have checked the box during the signup process as described in Step 3 above. You will probably need to get the certificate reissued (this is free with Sectigo).
  10. Remove your old certificate. If you are renewing an existing certificate, then keeping the old certificates installed isn't usually useful, and having multiple certificates will break SIGNTOOL if signtool is searching the certificate store. Go to Control Panel / Internet Options / Content, click Certificates, select your old certificate, and click Remove. The old certificate will probably be on the Personal page.

Export the PFX file

A PFX file can be used by many third party utilities. One advantage is that PFX files can be created without a password, which is handy in automated builds if you are using SIGNTOOL. You can see the complete process with pretty pictures at Acmetek. Here's the abridged version:
  1. Go back to the Certificates Page on Internet Options.
  2. Select your new certificate
  3. Click Export...
  4. Click Next.
  5. Select "Yes, export the private key."
  6. Click Next.
  7. Select "Personal Information Exchange - PKCS #12 (.PFX)." (If this option is grayed out, then your private key was not imported).
  8. Check the box labeled "Include all certificates in the certification path if possible." THIS IS VERY IMPORTANT.
  9. You may want to read about the new Windows 10 option, Enable certificate privacy.
  10. Click Next.
  11. Check the Password box.
  12. Provide a password and the confirmation.
  13. Click Next.
  14. Enter a filename.
  15. Click Next.
  16. Click Finish.
  17. If you want to remove the password from the PFX file, use openssl as described in this post from the Wayback Machine. Quick summary:
    openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
    openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem

Sign your code!

If you need some hints on this, see my earlier post.

As of January 1, 2016, all Windows executables destined for Windows 7 or later must be signed with SHA256. If you still support Windows XP and Vista, then you must also dual sign with SHA1. For details, see this excellent article.