Is there any way to make your own signing certificate in order to sign files such as installation packages?
Is the problem that the certificate supplier has to be a trusted source with Windows otherwise you will get warning messages?
If you do not want to purchase a digital certificate from a third-party certificate authority, or if you want to digitally sign your document immediately, you can create your own digital certificate by selecting the Create your own digital ID option in the Get a Digital ID dialog box.
If you have basic knowledge about PKI and X.509 you can do it with openssl.
OpenSSL has a preconfigured CA.pl or CA.sh script that may be used to set up your CA and generate certificates with minimal configuration.
The main commands are:
# generate CA (need to do it only once)
CA.sh -newca
# create certificate request
openssl req -new -keyout user.key -out user.req -config yourconf.cnf
# sign request by CA
openssl ca -policy policy_anything -config yourconf.cnf -out user.pem -infiles user.req
# convert it into a PKCS#12 (pfx) container that can be used by various software
openssl pkcs12 -export -in user.pem -inkey user.key -out user.p12 -name user -caname your_ca_name -chain -CAfile ./demoCA/cacert.pem
yourconf.cnf is the main config file, based on the default openssl.cnf included with OpenSSL. To make your certificate suitable for code signing you should specify it in the permitted key usage fields like this (it will limit your certificate to code-signing only):
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
To use this certificate in Windows you should install your CA certificate into the Windows certificate store as a CA authority. You must do it on every workplace where you want to validate signatures on your files.
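An added example, not part of the original answer: before distributing a CA certificate and signing anything, it is worth checking that the issued certificate chains to your CA, is not itself a CA, and carries the codeSigning extended key usage. The sketch below builds a throwaway PKI to test against; the names demo-ca, good and plain, the 30-day lifetime and the unencrypted keys are assumptions made for the demonstration only.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). All names and files are constructed.

# make_demo_pki DIR: writes ca.pem, good.pem (codeSigning EKU) and plain.pem (no EKU).
# Keys are generated without a passphrase (-nodes): acceptable for a throwaway demo only.
make_demo_pki() {
  local d=$1 n
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > "$d/ca.ext"
  # Same extension values as the [ usr_cert ] section shown above
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = codeSigning\n' > "$d/good.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n' > "$d/plain.ext"
  for n in ca good plain; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.req" 2>/dev/null || return 1
  done
  # Self-sign the CA request, then sign both leaf requests with the CA key
  openssl x509 -req -in "$d/ca.req" -signkey "$d/ca.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null || return 1
  for n in good plain; do
    openssl x509 -req -in "$d/$n.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -days 30 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null || return 1
  done
}

# check_codesign_cert CERT CA
# Returns 0 if CERT is usable for code signing under CA, otherwise:
#   1 = does not chain to CA, 2 = certificate is itself a CA, 3 = codeSigning EKU missing
# The extension checks are text matches on "openssl x509 -text" output.
check_codesign_cert() {
  local cert=$1 ca=$2 text
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "basicConstraints: certificate is a CA"; return 2
  fi
  if ! printf '%s\n' "$text" | grep -q 'Code Signing'; then
    echo "extendedKeyUsage: codeSigning missing"; return 3
  fi
  echo "ok: $cert"
}

# Usage:
#   d=$(mktemp -d) && make_demo_pki "$d"
#   check_codesign_cert "$d/good.pem" "$d/ca.pem"    # ok
#   check_codesign_cert "$d/plain.pem" "$d/ca.pem"   # codeSigning missing
```

To check a certificate produced by the commands above, pass user.pem and ./demoCA/cacert.pem to check_codesign_cert.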