I just bought a code-signing certificate for the first time. I'm successfully signing my code from script/command line using
signtool sign /f <pfx file> /p <password> <exe file>
I noticed that signtool also has a /a option that will "choose the best certificate", which I believe uses any certificates imported into the Windows Certificate Store to select from.
If I double-click my cert, it opens the Certificate Import Wizard.
What are the pros/cons of using the Certificate Store? In particular for an individual developer.
It looks like with the certificate store I do not need to provide the password for each call. I guess that means the certificate store is linked to my user and uses my login credentials to validate use of the certs?
Thanks, Brett
On a computer that has the Windows operating system installed, the operating system stores a certificate locally on the computer in a storage location called the certificate store. A certificate store often has numerous certificates, possibly issued from a number of different certification authorities (CAs).
The primary function of a certificate is to authenticate the identity of the owner of the certificate to others. A certificate contains the public key of the owner, while the owner retains the private key. The public key can be used to encrypt messages sent to the owner of the certificate.
Certificates in a certificate store are normally kept in some kind of permanent storage such as a disk file or the system registry. Certificate stores can also be created and opened strictly in memory. A memory store provides temporary certificate storage for working with certificates that do not need to be kept.
This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root. This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.
I'm adding this answer because I'm concerned some people may be led down the wrong path by the previous answer. You have to be careful with how you handle your certificates. You should also be very careful of how you handle your private keys (i.e. don't leave them in files in the file system).
Here is what the Windows Certificate Store provides:
I encourage you to do your own research and make an informed decision.
As far as I am concerned, there really isn't any clear benefit to using the Windows Certificate Store aside from having it organized in a streamlined manner in a database (the registry).
In some cases (e.g. export) it is more convenient to work with the store.
If you are interested in learning more about the inner workings of the certificate store, check the following:
http://msdn.microsoft.com/en-us/library/aa386971%28VS.85%29.aspx
http://technet.microsoft.com/en-us/library/cc962104.aspx
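An added example (not from any of the posts above) of the store-based workflow the question asks about: import the PFX once into the current user's store, then sign by thumbprint so no password or PFX path appears on the signtool command line. The file paths and the timestamp URL are placeholders, and signtool.exe is assumed to be on PATH.

```powershell
# Added example; paths and the timestamp URL below are placeholders.
$PfxPath      = 'C:\path\to\codesign.pfx'            # placeholder
$TargetExe    = 'C:\path\to\app.exe'                 # placeholder
$TimestampUrl = 'http://timestamp.example.invalid'   # placeholder: your CA's RFC 3161 URL
$Store        = 'Cert:\CurrentUser\My'

# Select a usable code-signing certificate from the store: it must have a
# private key and be inside its validity period. Prefer the longest-lived one.
function Get-SigningCert {
    $now = Get-Date
    Get-ChildItem $Store -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

$cert = Get-SigningCert
if (-not $cert) {
    # One-time import. Read-Host -AsSecureString keeps the password out of
    # the script and the shell history. Because -Exportable is not passed,
    # the private key is marked non-exportable in the store.
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $Store -Password $pw | Out-Null
    $cert = Get-SigningCert
    if (-not $cert) { throw "No valid code-signing certificate with a private key in $Store" }
}

# Sign by thumbprint (/sha1) rather than /a, so the certificate used is
# explicit even if other code-signing certificates are installed later.
& signtool sign /sha1 $cert.Thumbprint /fd SHA256 /tr $TimestampUrl /td SHA256 $TargetExe
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Confirm the result and that the signer is the certificate selected above.
$sig = Get-AuthenticodeSignature -FilePath $TargetExe
if ($sig.Status -ne 'Valid') { throw "Signature status: $($sig.Status)" }
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) { throw 'Signed with an unexpected certificate' }
"Signed by $($sig.SignerCertificate.Subject)"
```

Once the import has succeeded, the PFX file can be moved to offline storage, since signing no longer reads it.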