Wednesday, June 29, 2011

How to obtain a code signing certificate from a CA?

The following six steps helps you in getting a code signing certificate from Comodo CA. There are many others (VeriSign, DigiCode, etc). The author is not recommending this product but interested readers should read this and other similar resources for their code signing purposes. If the program such as LightSwitch Application has a certificate from CA then your users will be safe in assuming that the software has not been tampered when you install it. These steps are only for Comodo and you should look up similar information if you are using others.

The following steps are reproduced from the following site:

The Six Steps In Code Signing

These instructions provide an overview of obtaining and using Microsoft Authenticode and a Code Signing Digital ID from Comodo.

Step 1: Make Sure that you Are Running the Correct Versions of all Tools:

These include:

* Internet Explorer 4.0 or later
* Internet Client SDK

Step 2: Apply for a Code Signing ID for Authenticode from Comodo

In the process of applying for a Code Signing ID, your browser will generate a private key. You should store this private key (called MyPrivateKey.pvk) on a floppy disk, which is stored in a safe deposit box or other secure location. Please make a back-up copy of this private key, as you will need this key to sign code. This key is never sent to Comodo, so if you lose this private key, you will be unable to sign code. If this key is lost or stolen, please contact Comodo immediately.

Step 3: Pick up your Digital ID

Once you have completed the application process, Comodo will take a number of steps to verify your identity. For commercial publishers, Comodo does a considerable amount of background checking. As a result, it will take approximately 3-5 days to verify your information and issue a Digital ID.

At the end of this process, Comodo will send you an e-mail containing a PIN (Personal Identification Number). Follow the instructions in this e-mail to pick up your Digital ID. Save your Digital ID as a file (e.g. MyCredentials.spc).

Please note that you must use the same machine to apply for and obtain your Digital ID. You can then use the private key and Digital ID to sign files on a different machine.

Step 4: Prepare your Files to be Signed

If you are building any PE file (.exe, .ocx, .dll or other), you need not do anything special. For cab files, you need to add the following entry to your .ddf file before creating the cab file: Set ReservePerCabinetSize=6144

Step 5. Sign your Files

You can now sign your .exe, or .cab, .ocx, or .dll file. To sign, you will use the SIGNCODE.EXE utility included in the ActiveX SDK. You will also need your Digital ID file (generally called MyCredentials.spc) and the diskette containing your private key (MyPrivateKey.pvk).

As part of this process you will need to know the URL of Comodo's time stamping server, which is

Step 6: Test Your Signature

The Microsoft SDK contains a utility called chktrust.exe. This may be used to check your signature before distributing your file.

To test a signed .exe, .dll or .ocx file, run chktrust filename
To test a signed cab file, run chktrust -c

If your code signing process was OK, this will bring up a digital certificate. Congratulations, you have just digitally signed your file. When this file is downloaded from a Web site by Internet Explorer, it will display the same certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option of refusing installation.

Microsoft and Comodo are committed to making the Internet a secure and viable platform for commerce and the distribution of content through encryption and ssl certificates. With Authenticode and Comodo's Code Signing Digital IDs, your code will be as safe and trustworthy to your customers as it would be if you shrink-wrapped it and sold it off a store shelf.


Andria Willson said...

Very interesting blog that learns how to create the digital certificate. I will try to use it and to make the certificate to my website.

Andria Willson said...

Very interesting blog that learns how to create the digital certificate. I will try to use it and to make the certificate to my website.