Preparing Code Signing Certificate using Microsoft’s makecert

Background

Every so often it is good to revisit the steps one needs to take to prepare a code signing certificate.

One can prepare a certificate signing request and send it along to a third-party certificate provider.

In this case we will do the complete round trip ourselves.

Microsoft’s makecert will be our resource.


Makecert

Outline

  1. Artifacts
    • Do you have makecert on your machine?
  2. SSL Certificate
    • Create Code Sign Certificate for Root
    • Create Code Sign Certificate for Self
    • Extract PFX File

Artifacts

Unfortunately, Microsoft is always moving things around a bit.

For the sake of brevity, we will not go over the current installation choices for makecert in this post.

Do we have makecert on our machine?

Code


>cd\

>cd "Program Files"

>dir makecert.exe /s

Output

SSL Certificate Root

Let us create our root certificate.

Options

Here are the options that we will use:

Option / Available / Choice

  1. Algorithm (-a)
    • Available: SHA-1 or MD5
    • Choice: sha1
  2. Enhanced Key Usage (-eku)
    • Available:
      • 1.3.6.1.5.5.7.3.1 – id-kp-serverAuth
      • 1.3.6.1.5.5.7.3.2 – id-kp-clientAuth
      • 1.3.6.1.5.5.7.3.3 – id-kp-codeSigning
      • 1.3.6.1.5.5.7.3.4 – id-kp-emailProtection
      • 1.3.6.1.5.5.7.3.5 – id-kp-ipsecEndSystem
      • 1.3.6.1.5.5.7.3.6 – id-kp-ipsecTunnel
      • 1.3.6.1.5.5.7.3.7 – id-kp-ipsecUser
      • 1.3.6.1.5.5.7.3.8 – id-kp-timeStamping
      • 1.3.6.1.5.5.7.3.9 – id-kp-OCSPSigning
    • Choice: 1.3.6.1.5.5.7.3.3
  3. -cy: Certificate type
    • Available: [end|authority]
    • Choice: authority
  4. -pe (exportable)
    • Choice: set (private key is exportable)
  5. -ss: Certificate store name
    • Available: most common options are [AuthRoot|CA|My|Root]
    • Choice: Root
  6. -sr: Certificate store location
    • Available: [CurrentUser|LocalMachine]; defaults to ‘CurrentUser’
    • Choice: LocalMachine
  7. -sv: Private Key (.pvk)
    • Choice: codeSigningRootPrivateKey.pvk
  8. Output certificate file (positional argument)
    • Choice: RootCertificate.cer


Code


@echo on

setlocal

rem Folder that contains makecert.exe (no trailing backslash; it is added when the tool is invoked)
set "_binFolder=C:\Program Files\Microsoft Message Analyzer"

set "_certificateName=Daniel Adeniji ( codesign root)"

rem -a: SHA-1 or MD5 (newer makecert builds also accept sha256)
set "_algorithm=sha1"

rem -eku: id-kp-codeSigning = 1.3.6.1.5.5.7.3.3
set "_eku=1.3.6.1.5.5.7.3.3"

rem -r: Creates a self-signed certificate.

rem -cy: Certificate type. Valid options are [end|authority].
rem Use authority to create a CA (root or intermediate) certificate.
set "_certificateType=authority"

rem -pe: Switch to mark the generated private key as exportable.

rem -sv: private key file that makecert writes; makecert prompts for a password to protect it.
set "_codeSigningPrivateKey=codeSigningRootPrivateKey.pvk"

rem Positional argument: the certificate file that makecert writes.
set "_codeSigningPublicKey=codeSigningRootPrivateKey.cer"

rem -ss: Certificate store name. Most common options are [AuthRoot|CA|My|Root]
set "_certStoreName=Root"

rem -sr: Certificate store location. Valid options are [CurrentUser|LocalMachine]. Defaults to 'CurrentUser'
set "_certStoreLocation=LocalMachine"

rem Never overwrite an existing root key or certificate; skip the makecert call if either file is present.
if exist "%_codeSigningPrivateKey%" (
    echo file %_codeSigningPrivateKey% exists
    goto :complete
)

if exist "%_codeSigningPublicKey%" (
    echo file %_codeSigningPublicKey% exists
    goto :complete
)

"%_binFolder%\makecert.exe" -n "CN=%_certificateName%" -a %_algorithm% -eku %_eku% -r -cy %_certificateType% -pe ^
 -sv %_codeSigningPrivateKey% %_codeSigningPublicKey% ^
 -ss %_certStoreName% -sr %_certStoreLocation%

:complete
endlocal

Output

Issuing the makecert command does a couple of things:

  1. Files Created
    • Root Private Key
    • Root Certificate
  2. Certificates created in store

File List

MMC

Outline
  1. Start MMC Console
  2. Add Certificate
    • Target Machine
      • Access “Trusted Root Certification Authorities”
      • Review listed trusted root certificates

Explanation
  1. Certificate Purposes
    • Code Signing

SSL Certificate Self

Let us create our signing certificate.

Options

Here are the options that we will use:

Option / Available / Choice

  1. Algorithm (-a)
    • Available: SHA-1 or MD5
    • Choice: sha1
  2. Enhanced Key Usage (-eku)
    • Available: 1.3.6.1.5.5.7.3.3 – id-kp-codeSigning
    • Choice: 1.3.6.1.5.5.7.3.3
  3. -cy: Certificate type
    • Available: [end|authority]
    • Choice: end
  4. -pe (exportable)
    • Choice: set (private key is exportable)
  5. -ss: Certificate store name
    • Available: most common options are [AuthRoot|CA|My|Root]
    • Choice: My
  6. -sr: Certificate store location
    • Available: [CurrentUser|LocalMachine]; defaults to ‘CurrentUser’
    • Choice: CurrentUser
  7. -iv: Issuer's private key (.pvk)
    • Choice: codeSigningRootPrivateKey.pvk
  8. -ic: Issuer's certificate
    • Choice: RootCertificate.cer


Code


@echo on

setlocal

rem Folder that contains makecert.exe (no trailing backslash; it is added when the tool is invoked)
set "_binFolder=C:\Program Files\Microsoft Message Analyzer"

set "_certificateName=Daniel Adeniji ( codesign self )"

rem -a: SHA-1 or MD5 (newer makecert builds also accept sha256)
set "_algorithm=sha1"

rem -eku: id-kp-codeSigning = 1.3.6.1.5.5.7.3.3
set "_eku=1.3.6.1.5.5.7.3.3"

rem -cy: Certificate type. Valid options are [end|authority].
rem Use end for an end-entity (leaf) certificate; it is issued by the root named via -iv / -ic below.
set "_certificateType=end"

rem -pe: Switch to mark the generated private key as exportable.

rem -iv: private key of the issuing root (created by the previous script); makecert prompts for its password.
set "_issuerPrivateKey=codeSigningRootPrivateKey.pvk"

rem -ic: certificate of the issuing root (created by the previous script).
set "_issuerCertificate=codeSigningRootPrivateKey.cer"

rem -ss: Certificate store name. Most common options are [AuthRoot|CA|My|Root]
set "_certStoreName=My"

rem -sr: Certificate store location. Valid options are [CurrentUser|LocalMachine]. Defaults to 'CurrentUser'
set "_certStoreLocation=CurrentUser"

rem Both issuer files must exist, otherwise makecert cannot sign the new certificate.
if not exist "%_issuerPrivateKey%" (
    echo issuer private key %_issuerPrivateKey% not found
    goto :complete
)

if not exist "%_issuerCertificate%" (
    echo issuer certificate %_issuerCertificate% not found
    goto :complete
)

"%_binFolder%\makecert.exe" -n "CN=%_certificateName%" -a %_algorithm% -eku %_eku% -cy %_certificateType% -pe ^
 -iv %_issuerPrivateKey% -ic %_issuerCertificate% ^
 -ss %_certStoreName% -sr %_certStoreLocation%

:complete
endlocal

Output

Issuing the makecert command adds our signing certificate to the store.

  1. Certificates created in store

MMC

Outline
  1. Start MMC Console
  2. Add Certificate
    • Current User
      • Personal
        • Certificates
          • Review listed personal certificates
Image – Listing

Image – Detail

 

Explanation
  1. Certificate Information & Purpose
    • Ensures software came from software publisher
    • Protects software from alteration after publication

 

Export Certificate

Let us export our certificate so that we can use it in our development tool.

Outline

  1. Launch Microsoft Management Console ( MMC )
  2. Via the menu, File \ Add/Remove Snap-in, add the Certificates snap-in
    • Select Targeted Store
    • Options will include Machine, Services, and User
  3. Review certificates under the tree of Personal \ Certificates
  4. Select certificate
    • Right Click on Certificate
    • Choose Export from the drop down menu
    • Navigate through Windows
      • Welcome
      • Export Private Key
        • Please choose “Yes, export the private key”
      • Export Format
        • Format :- Personal Information Exchange – PKCS #12 (.PFX)
        • Options
          • Include all certificates in the path ( Check )
            • This ensures that all exportable intermediate certificates are included as well
          • Delete private key if successful ( un-check )
          • Export all extended properties ( Check )
          • Enable certificate privacy
      • Security
        • Group or User Names
          • If the list of users is known and in the same Active Directory domain, select Users
        • Password
          • Please choose a password

Images

Image – Export Wizard – Welcome

Image – Export Wizard – Export Private Key

Please choose “Yes, export the private key”.

Exporting the Private Key is the only option that will allow us to export in PFX format.

Image – Export Wizard – Export File Format

Please choose “Personal Information Exchange – PKCS #12 (.PFX)”.

Image – Export Wizard – Security

This is for personal use, so for ease of use I chose to restrict to self ( domain account ) and skipped password enforcement.

 

Image – Export Wizard – Completing

Image – Export Wizard – Export was successful
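An added example, not from the original post and not part of the author's GitHub repository, that checks the outcome of the two makecert steps above and then does the export of the preceding outline from PowerShell instead of the MMC wizard. It assumes the subject names used in the two scripts, an output path of codesign.pfx in the current directory, and that the Export-PfxCertificate cmdlet (PKI module, Windows 8 / Server 2012 and later) is available.

```powershell
# Added example: verify the makecert result and export it as PKCS #12.
# Subject strings are assumed to match the -n values in the scripts above.
$rootSubject    = 'CN=Daniel Adeniji ( codesign root)'
$leafSubject    = 'CN=Daniel Adeniji ( codesign self )'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the -eku value used above

$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $rootSubject } | Select-Object -First 1
$leaf = Get-ChildItem Cert:\CurrentUser\My    | Where-Object { $_.Subject -eq $leafSubject } | Select-Object -First 1
if (-not $root) { throw 'root certificate not found in LocalMachine\Root (first makecert step)' }
if (-not $leaf) { throw 'signing certificate not found in CurrentUser\My (second makecert step)' }

# 1. The leaf must have been issued by our root (makecert -ic / -iv).
if ($leaf.Issuer -ne $root.Subject) { throw "issuer mismatch: $($leaf.Issuer)" }

# 2. Enhanced Key Usage (OID 2.5.29.37) must list code signing (makecert -eku).
$ekuExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @()
if ($ekuExt) {
    $ekuOids = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
        ForEach-Object { $_.Value }
}
if ($ekuOids -notcontains $codeSigningOid) { throw 'certificate lacks the id-kp-codeSigning EKU' }

# 3. A private key must be associated, or the PFX export cannot include it (makecert -pe).
if (-not $leaf.HasPrivateKey) { throw 'no private key is associated with the signing certificate' }

# 4. The chain must build to the root we installed. The self-made root publishes no CRL,
#    so revocation checking is switched off; otherwise Build() fails with RevocationStatusUnknown.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "chain does not build to a trusted root: $status"
}

# 5. Export as PKCS #12 with the whole chain and a password, which corresponds to the wizard's
#    "Include all certificates in the path" option plus the password page.
$pfxPath  = Join-Path $PWD 'codesign.pfx'                      # assumed output path
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $leaf -FilePath $pfxPath -Password $password -ChainOption BuildChain | Out-Null
Write-Host "exported $pfxPath (thumbprint $($leaf.Thumbprint))"
```

The script stops with a descriptive error at the first check that fails, so a missing EKU or a root that was installed into the wrong store shows up before the PFX is written.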

 

Source Code Control

GitHub

DanielAdeniji/codesign
Link

