
How To Be Your Own Certificate Authority and Create Your Own Certificate to Sign Code Files

20 Sep 2019, CPOL, 4 min read
Step-by-step instructions to create and install a Certificate Authority certificate and a signing certificate as well as a BAT file to sign a program

Introduction

A signing certificate is purchased from a Certificate Authority (like VeriSign). The Certificate Authority verifies your identity. The certificate they issue to you is derived from their Certificate Authority certificate that is already installed on your user's Windows computer. It is a best practice to buy your signing certificate.

If you do not want to buy a signing certificate, then you must create your own Certificate Authority certificate and a signing certificate derived from it. The Certificate Authority certificate must be installed on all of the PCs that will run your application. Many system administrators will not want to do this. If you are the system administrator for all of the Windows computers that will run your application, then it is something you may decide to do.

Background

I do not claim to be a certificate expert. This is the procedure that I followed to create the Certificate Authority certificate and the signing certificate for a small non-profit organization that did not want to purchase a signing certificate. I have used the signing certificate to sign Click Once deployment manifests and SETUP.EXE programs that have subsequently been executed on Windows XP SP2, Windows 7, Windows 8 and Windows 10 computers.

Using the Procedure

In all of the steps below, replace COMPANYNAME with an abbreviation of your organization name (no embedded spaces).

The certificate creation and code signing tools referenced as C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\ in the examples below are part of the Windows SDK. The Windows 8 SDK can be found here.

At least Internet Explorer 7 must be installed on the PC used to execute the code signing. Any earlier version of Internet Explorer will not work.

1. Create Certificate Authority Certificate

The following should be all on one line:

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha512 -len 4096 -sv "COMPANYNAME.pvk" -r "COMPANYNAME.cer" -m 600

Makecert will ask you for a Certificate Authority password. Don't forget it!

2. Run MMC.EXE

  1. Click File then Add/Remove Snap-in
  2. Select Certificates from the left list, click Add
  3. Select My user account, click Finish
  4. Select Certificates from the list again and Add it
  5. Select Computer account
  6. Save this configuration of MMC (File, then Save As) as Certificates.msc in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future

3. Install the new Certificate Authority Certificate

The Certificate Authority certificate is stored in the trusted store Certificates (Local Computer) / Trusted Root Certification Authorities area of the computer that will do the signing and all of the computers that will run your application.

  1. Double-click Certificates (Local Computer)
  2. Right click on Trusted Root Certification Authorities
  3. Select All Tasks, then Import
  4. Select the new certificate (COMPANYNAME.cer) to place it into Trusted Root Certification Authorities area

The computer now implicitly trusts all certificates signed by that new Certificate Authority.

In a Microsoft Active Directory environment, you can enroll your Certificate Authority certificate so that it will be distributed to all of your Windows computers. Details on how to enroll your Certificate Authority certificate in Active Directory are beyond the scope of this article.

4. Create the Signing Certificate

The following should be all on one line:

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha512 -len 4096 -sky signature -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"

Makecert will ask you for a password for the new signing certificate's private key.

Makecert will ask you for the password to the Certificate Authority's private key from Step 1 above.

5. Install the Signing Certificate

The signing certificate is derived from the new Certificate Authority certificate and stored in the Certificates - Current User / Personal area on the Windows computer that will do the signing.

You do not have to and should not install this signing certificate on your user's computers.

  1. Right-click on Personal in Certificates - Current User
  2. Select All Tasks, then Import.
  3. Select the new signing certificate COMPANYNAMESoftware.cer to place it in the Certificates - Current User / Personal area
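The same five steps (create the CA, trust it machine-wide, issue the signing certificate into the Personal store) can be scripted on Windows 10 / Server 2016 and later with the PKI module cmdlets, which is what current SDKs expect now that makecert is deprecated. This is an added example, not code from the original article; it assumes $CompanyName stands in for COMPANYNAME and $WorkDir for whatever folder holds the exported files. Run it from an elevated PowerShell session on the machine that will do the signing.

```powershell
# Added example (not from the original article): steps 1-5 with the PKI module
# cmdlets. $CompanyName and $WorkDir are assumptions standing in for COMPANYNAME
# and for the folder the .cer/.pfx files are written to.
$CompanyName = 'COMPANYNAME'
$WorkDir     = 'C:\BAT'

# Step 1: root CA certificate. The CertSign key usage plus a CA=true basic-constraints
# extension is what makes it usable as an issuer; 600 months matches makecert -m 600.
$ca = New-SelfSignedCertificate -Subject "CN=$CompanyName" -Type Custom `
    -KeySpec Signature -KeyUsageProperty Sign -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA512 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddMonths(600) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# Step 3: export only the public certificate (no private key) and place it in the
# machine's Trusted Root store, which is what the MMC import in the article does.
$caCer = Join-Path $WorkDir "$CompanyName.cer"
Export-Certificate -Cert $ca -FilePath $caCer -Type CERT | Out-Null
Import-Certificate -FilePath $caCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 4 and 5: a code-signing certificate issued by the CA, created directly in the
# current user's Personal store (makecert's -ic/-iv/-sr/-ss options in one call).
$signer = New-SelfSignedCertificate -Subject "CN=$CompanyName Software" -Type CodeSigningCert `
    -Signer $ca -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA512 `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation 'Cert:\CurrentUser\My'

# Check: build the chain for the signing certificate the way Windows will when it
# verifies a signed file. Revocation is skipped because a home-grown CA publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
if (-not $chain.Build($signer)) {
    throw (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }   # leaf first, CA last

# Hygiene: the CA private key is only needed while issuing. Keep it in a
# password-protected PFX off the signing machine and delete it from the store, so a
# compromise of that machine cannot mint new certificates that every fleet PC trusts.
$caPfx = Join-Path $WorkDir "$CompanyName-CA.pfx"
Export-PfxCertificate -Cert $ca -FilePath $caPfx -Password (Read-Host 'CA PFX password' -AsSecureString) | Out-Null
Remove-Item -Path "Cert:\CurrentUser\My\$($ca.Thumbprint)" -DeleteKey
```

The chain check is the useful part: if it fails with an "untrusted root" status, the Trusted Root import did not land in the Local Computer store, which is exactly the failure users see on PCs where step 3 was skipped. The PFX export and removal at the end are the equivalent of the article's COMPANYNAME.pvk file being kept somewhere safe; only the .cer needs to travel to the users' computers.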

6. Create a BAT File named SIGNCODE.BAT

I put my SIGNCODE.BAT file in a folder named C:\BAT so that it would be easy to type C:\BAT\SIGNCODE.BAT rather than a long folder path.

@ECHO OFF
REM create an array of timestamp servers...
REM IMPORTANT NOTE - The SET statement and the four servers must be all on one line.
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timstamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
REM sign the file with the certificate whose subject name contains "COMPANYNAME Software"...
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe sign /n "COMPANYNAME Software" %1
REM stop here if signing itself failed; there is nothing to timestamp...
if ERRORLEVEL 1 (
    echo SignCode.bat exit code is 1. Signing failed.
    exit /b 1
)
set timestampErrors=0
for /L %%a in (1,1,300) do (
    for %%s in %SERVERLIST% do (
        Echo Try %%s
        REM try to timestamp the file. This operation is unreliable and may need to be repeated...
        C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe timestamp /t %%s %1
        REM check the return value of the timestamping operation and retry if it is not 0
        if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded
        echo Signing problem - timestamp server %%s
        set /a timestampErrors+=1
        REM Wait 6 seconds
        choice /N /T:6 /D:Y >NUL
    )
    REM wait 12 seconds...
    choice /N /T:12 /D:Y >NUL
)
REM return an error code...
echo SignCode.bat exit code is 1. %timestampErrors% timestamping errors.
exit /b 1
:succeeded
REM return a successful code...
echo SignCode.bat exit code is 0. %timestampErrors% timestamping errors.
exit /b 0

7. Example of How to Sign a Program

In a CMD window, navigate to the directory that contains the program to be signed and run the BAT file.

C:\BAT\SIGNCODE.BAT SETUP.EXE

Where SETUP.EXE is the program to be signed.
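For readers who would rather not maintain a BAT file, here is the same sign-then-timestamp flow, with the retry loop SIGNCODE.BAT implements, as a PowerShell function, followed by the verification check a practitioner should run on the signed file before shipping it. This is an added example, not the article's script: it assumes the signing certificate from steps 4 and 5 sits in Cert:\CurrentUser\My with "COMPANYNAME Software" in its subject, reuses the article's four timestamp URLs without checking that they are still in service, and uses a SHA-256 file digest (signtool without /fd defaults to SHA-1).

```powershell
# Added example (not the article's SIGNCODE.BAT). Set-AuthenticodeSignature signs and
# timestamps in one call and replaces any signature already on the file, so repeating
# the call with another timestamp server is safe.
function Invoke-CodeSign {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string]$SignerName = 'COMPANYNAME Software',   # assumption: subject from step 4
        [string[]]$TimestampServers = @(                 # the article's list, unverified
            'http://timestamp.comodoca.com/authenticode',
            'http://timestamp.verisign.com/scripts/timstamp.dll',
            'http://timestamp.globalsign.com/scripts/timestamp.dll',
            'http://tsa.starfieldtech.com'),
        [int]$MaxRounds = 300
    )
    # Select the certificate by subject name, as signtool /n does. The makecert
    # certificate carries no EKU, so filter on subject and private key only.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$SignerName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for '$SignerName' with a private key in Cert:\CurrentUser\My" }

    $timestampErrors = 0
    for ($round = 1; $round -le $MaxRounds; $round++) {
        foreach ($server in $TimestampServers) {
            Write-Host "Try $server"
            try {
                $sig = Set-AuthenticodeSignature -FilePath $FilePath -Certificate $cert `
                    -HashAlgorithm SHA256 -TimestampServer $server -ErrorAction Stop
                # Success means a valid signature AND a timestamp countersignature;
                # a signature without one stops verifying when the certificate expires.
                if ($sig.Status -eq 'Valid' -and $sig.TimeStamperCertificate) { return $sig }
                Write-Warning "Signed but not timestamped via $server ($($sig.StatusMessage))"
            } catch {
                Write-Warning "Timestamp server $server failed: $($_.Exception.Message)"
            }
            $timestampErrors++
            Start-Sleep -Seconds 6
        }
        Start-Sleep -Seconds 12
    }
    throw "Could not sign and timestamp $FilePath after $timestampErrors timestamping errors"
}

# Verification: what a user's machine will conclude about the file. Status is
# 'Valid' only when the chain ends in a trusted root; 'NotTrusted' is the result on
# a PC where the COMPANYNAME.cer from step 3 was never installed.
function Test-CodeSignature {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string]$ExpectedIssuer = 'CN=COMPANYNAME'      # assumption: CA subject from step 1
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        File          = $FilePath
        Status        = $sig.Status
        Message       = $sig.StatusMessage
        Signer        = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        Timestamped   = [bool]$sig.TimeStamperCertificate
        IssuedByOurCA = ($sig.SignerCertificate.Issuer -eq $ExpectedIssuer)
    }
}

# Usage, from the folder that contains the program to be signed:
# Invoke-CodeSign -FilePath '.\SETUP.EXE' | Out-Null
# Test-CodeSignature -FilePath '.\SETUP.EXE'
```

Run Test-CodeSignature on a machine that does not have the CA installed as well as on the signing machine: the first should report NotTrusted and the second Valid, which confirms both that the signature is intact and that trust really does hinge on the root certificate in step 3 rather than on anything cached on the build PC.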

Points of Interest

I read many articles on both Microsoft and non-Microsoft web sites to piece together these instructions. Thanks to all of those that posted information that allowed me to learn how to do this and subsequently publish this step-by-step procedure of all of the steps that I followed.

History

  • 24th February, 2013 - Initial version
  • 25th February, 2013 - Added link to Windows 8 Windows SDK
  • 1st March, 2013 - Added reference to Active Directory's CA distribution capability
  • 17th October, 2014 - Added statement requiring at least Internet Explorer 7 to be installed
  • 20th September, 2019 - Changed Makecert option from -sky exchange to -sky signature.
    I found that the "exchange" option caused an error when a PFX exported from the signing certificate was used to sign an Assembly in Visual Studio. Changed -a sha1 to -a sha512 -len 4096

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Retired
United States
I’m retired. When I started my career, programming projects consisted of plugging wires into plug boards to create punch card processing applications to be run on electrical accounting machine like the IBM 402, 407, 085, 088, 514, 519, etc. From there, I moved to writing SPS and Autocoder applications on an IBM 1401 with 4K of memory eventually upgraded to 16K of memory. After many years of migrating my skills to various languages on various hardware platforms, I became an Information Technology Director where I didn’t need to program anymore. So, starting in 1996, I volunteered my time with a local community cable television organization and built some applications to help them run their operations. Originally in Clipper Summer 1987 and later Clipper 5.2, I migrated and enhanced those applications to VB .NET 2003 in 2003. I retired from my full-time job in 2010. Since then, I have continued to support the local community cable tv organization's applications. In 2013, I migrated the VB .NET 2003 Solution to VB .NET 2012 so that it can run on 64-bit computers and interact with Microsoft Office 2010. The upgrade went smoothly. In mid 2013, I developed a VB .NET 2012 application for them to download election results data from the Secretary of State's web site, format the results and send them to a VizRT character generator for on-air display.
