Jun 22, 2007 11:07 AM | usmaniac4life
This article of mine explains how to sign code without the need to buy a digital signature from the Microsoft Trusted Certificate Authorities. Please note that this would be helpful for test purposes only, since it requires you to install the certificate in every client browser using the application. Eventually, a certificate from a Trusted Root CA like Verisign, Thawte, etc. has to be bought to ensure that your CAB/ActiveX component is available for use to all without security issues.
It even makes code signing easier, which needs only the signcode.exe utility along with the spc file and the private key provided by the CA.
For the list of Microsoft trusted CAs, click the link below:
The article uses Ascertia as the CA to obtain the free digital certificate.
Some of the utilities used in the process of signing the code are part of the Microsoft SDK, so we will have them if we have any version of .NET installed on our machine.
This works like a charm if the steps are followed correctly. We just need to execute all the utilities one by one.
The following is the procedure for code signing:
This requires the user to register for an account and provide some information so as to embed it into the certificate.
Please note that the "Name" that you enter will be the name seen on the certificate. When the information is provided, you will be prompted to add the certificate to the browser's certificate root store. Add the certificate to the "Trusted Root Certification Authorities" store.
Run certmgr.exe. This displays the certificate installed in the previous step along with other certificates.
Select the option to export without the private key and in DER encoded binary. This should produce a certificate file with a .cer extension. Put it in a folder at a path that is not cumbersome, e.g. c:\<foldername>. Put all the utility files in this folder.
Now convert the certificate file to an spc (Software Publishing Certificate) file with the following utility:
cert2spc <insert cer file path> <insert new spc file path>
This is the file that is provided by Verisign along with a private key. We will generate a private key later in this stage.
This time export the private key. Make sure "Include all certificates in the certification if possible" is checked and "Delete the private key if the export is successful" is unchecked.
This will export a pfx file. (Make sure to remember the password you set.)
This is available from the following link for the Windows version.
Execute the following command:
openssl pkcs12 -in <insert pfx file path> -nocerts -nodes -out <insert new pem file path>
This will create a *.pem file.
You will be asked for the pfx password.
Transform the *.pem file to a *.pvk file. This pvk file will be our private key. Along with the spc, it will be used to sign our CAB file.
Download the pvk transform utility. This file can be found at
pvk -in <insert pem file path> -topvk -out <insert new pvk file path>
This is what we require. We only need the spc and pvk files, so we can delete the other data files if we want.
Now we sign the code using the signcode.exe utility with the help of the spc and pvk files.
The following can be kept in a batch file and executed:
set Product=Picis Ftp
set TimeURL=<insert timestamp server URL>
set File=<insert path of file to sign>
signcode.exe -spc <insert spc file> -v <insert pvk file> -n "%Product%" -t "%TimeURL%" "%File%"
We can verify the signature by opening the properties of the signed file and clicking the Digital Signatures tab. If there is no Digital Signatures tab, then we have done something wrong in our procedure.
If everything goes right, then we have our code digitally signed by Ascertia CA and we can go and install our ActiveX in our IE 6 and IE 7 browsers.
It really proved helpful to me to test my ActiveX Component for IE 7 Browser. Hope it proves useful to you guys too.
daily Free Code
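
An added example, not part of the original post: the `-nodes` option in the openssl step writes the private key to the *.pem file without encryption, and a *.pvk file can be stored with or without a password, so the working folder is worth checking before and after cleanup. The Python sketch below flags unprotected key files in a folder; the function names and sample constants are assumptions made for this example, and the sample bodies are constructed placeholders.

```python
import re
import struct
from pathlib import Path

PVK_MAGIC = 0xB0B5F11E  # first DWORD of a Microsoft .pvk private key file
PEM_KEY = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def classify_key_file(data: bytes) -> str:
    """Classify raw file bytes as pvk-/pem- encrypted or unencrypted, or no-key."""
    # PVK header: six little-endian DWORDs
    # (magic, reserved, key type, encrypted flag, salt length, key length).
    if len(data) >= 24:
        magic, _, _, encrypted, saltlen, _ = struct.unpack_from("<6I", data)
        if magic == PVK_MAGIC:
            return "pvk-encrypted" if (encrypted or saltlen) else "pvk-unencrypted"
    blocks = PEM_KEY.findall(data.decode("latin-1"))
    if not blocks:
        return "no-key"
    for label, body in blocks:
        # PKCS#8 encrypted keys use their own label; the traditional format
        # marks encryption with a "Proc-Type: 4,ENCRYPTED" header line.
        if label != "ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED" not in body:
            return "pem-unencrypted"  # one clear-text key is enough to flag the file
    return "pem-encrypted"

def audit_folder(folder) -> dict:
    """Map file name -> finding for every unprotected key file in the folder."""
    findings = {}
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            kind = classify_key_file(path.read_bytes())
            if kind.endswith("-unencrypted"):
                findings[path.name] = kind
    return findings

# Constructed samples (placeholder bodies, not real key material).
SAMPLE_PEM_PLAIN = (b"Bag Attributes\n    friendlyName: constructed\n"
                    b"-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: DES-EDE3-CBC,0011223344556677\n\nQUJDRA==\n"
                  b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_PVK_PLAIN = struct.pack("<6I", PVK_MAGIC, 0, 2, 0, 0, 4) + b"\x00" * 4

if __name__ == "__main__":
    import sys
    for name, kind in audit_folder(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {kind}")
```

Run it with the working folder as its argument; any file it lists holds a private key that anyone with read access to the folder can use to sign code under that certificate.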