 

Make your own certificate for signing files?

Is there any way to make your own signing certificate in order to sign files such as installation packages?

Is the problem that the certificate supplier has to be a trusted source with Windows otherwise you will get warning messages?

Gary Jones asked Feb 24 '12 09:02



1 Answer

If you have basic knowledge about PKI and X.509 you can do it with openssl.

OpenSSL has a preconfigured CA.pl or CA.sh script that may be used to set up your CA and generate certificates with minimal configuration.

The main commands are:

# generate CA (need to do it only once)
CA.sh -newca
# create certificate request
openssl req -new -keyout user.key -out user.req -config yourconf.cnf
# sign request by CA
openssl ca -policy policy_anything -config yourconf.cnf -out user.pem -infiles user.req
# convert it into a PKCS#12 (pfx) container that can be used by various software
openssl pkcs12 -export -in user.pem -inkey user.key -out user.p12 -name user -caname your_ca_name -chain -CAfile ./demoCA/cacert.pem

yourconf.cnf is the main config file, based on the default openssl.cnf included with OpenSSL. To make your certificate suitable for code signing, you should specify it in the permitted key usage fields like this (it will limit your certificate to code signing only):

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning

[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning

To use this certificate in Windows you should install your CA certificate into the Windows certificate store as a CA authority. You must do it on every workplace where you want to validate signatures on your files.

alexkasko answered Oct 11 '22 16:10
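
The steps from the answer as a self-contained script, added here as an example and not part of the original answer. It assumes `openssl` is on the PATH, uses `openssl x509 -req` with an explicit extension section instead of CA.sh / `openssl ca` so no demoCA directory is needed, and the function names, `demo.cnf`, and subject names are constructed; the raw `openssl dgst` signature stands in for a real package-signing tool.

```shell
#!/bin/sh
# Added example; subjects, file names and the demo.cnf layout are constructed.
make_demo_pki() {   # $1 = empty working directory
    cat > "$1/demo.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Throwaway CA, signer request, then a leaf issued with [ usr_cert ].
    # -nodes leaves private keys unencrypted: acceptable only for a demo.
    openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=Demo Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Code Signer" \
        -keyout "$1/user.key" -out "$1/user.req" 2>/dev/null &&
    openssl x509 -req -in "$1/user.req" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/demo.cnf" -extensions usr_cert \
        -out "$1/user.pem" 2>/dev/null
}

cert_is_codesign_only() {   # true if $1 is a non-CA cert whose only EKU is Code Signing
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' ')
    [ "$eku" = "CodeSigning" ]
}

sign_file() {   # $1 = private key, $2 = file, $3 = signature to write
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

verify_file() {   # $1 = CA cert, $2 = signer cert, $3 = file, $4 = signature
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1   # chain to our CA
    cert_is_codesign_only "$2" || return 1                          # usage restriction
    openssl x509 -in "$2" -pubkey -noout > "$2.pub" || return 1
    openssl dgst -sha256 -verify "$2.pub" -signature "$4" "$3" >/dev/null 2>&1
}
```

Call `make_demo_pki` on an empty directory, then `sign_file` and `verify_file` on any file; `verify_file` fails if the chain, the code-signing restriction, or the signature does not check out.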