W2K3 CA and Code Signing Certificates

If you want to use the trusted deployment feature of ClickOnce (or just plain Authenticode), you need a certificate whose Enhanced Key Usage (EKU) includes “Code Signing” (OID 1.3.6.1.5.5.7.3.3). A certificate issued for a different purpose, such as client authentication or e-mail, will not be accepted by the signing tools.

You have three options:

  • Generate a self-signed certificate using makecert.exe (only for testing purposes; nobody else will trust it)
  • Buy one from a public CA like VeriSign
  • Configure your internal (Windows) enterprise CA to issue this type of certificate

For corporate scenarios option 3 is the most likely choice. Here is how you get it to work.

Windows 2003 enterprise CAs have so-called “Certificate Templates” (certtmpl.msc). A template defines the settings of the certificates the CA can issue: key usage, EKU, validity, who may enroll. There is already a pre-installed template named “Code Signing” with a validity period of one year. If you want different settings (for example a longer lifetime or a non-exportable private key), call “Duplicate Template”, give the copy a new name and change the settings there; creating such custom (version 2) templates is only supported on W2K3 Enterprise Edition CAs. Either way, you have to modify the security settings of the template: grant the user(s) or group(s) who should be allowed to request such a certificate the “Read” and “Enroll” permissions. Keep this group small; every member can produce binaries your clients will trust.

After that go to the Certification Authority console of your CA and navigate to the “Certificate Templates” folder. Click “New -> Certificate Template to Issue” and select your code signing template. Until this step the template exists in Active Directory but the CA refuses requests for it.

Now you can request this type of certificate from the CA web enrollment pages (http://yourca/certsrv), from the client-side “Certificates” MMC snap-in (“Request New Certificate”), or with certreq.exe from the command line.
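The command-line variant of the request, as an added example that is not part of the original post: it builds a certreq.exe request file, submits it to the enterprise CA against the issued template and then checks that the installed certificate really carries the Code Signing EKU. The template name “CorpCodeSigning”, the CA config string “ca01.corp.example\Corp Issuing CA” and the subject name are assumptions; the template name must be the template’s internal name, not its display name.

```powershell
# Added example (not from the original post). Requests a code-signing certificate
# from an enterprise CA with certreq.exe and verifies the result.
# Assumed names: template "CorpCodeSigning", CA "ca01.corp.example\Corp Issuing CA".

$workDir = Join-Path $env:TEMP 'codesign-request'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'request.inf'
$reqPath = Join-Path $workDir 'request.req'
$cerPath = Join-Path $workDir 'issued.cer'

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=Build Server Code Signing, O=Corp"   ; assumed subject
KeyLength = 2048
KeySpec = 2             ; AT_SIGNATURE: key is used for signing only
KeyUsage = 0x80         ; digitalSignature
Exportable = FALSE      ; private key stays on this machine
MachineKeySet = FALSE   ; user store; set TRUE when the signing job runs as a service
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing (the template's own EKU is what the CA enforces)

[RequestAttributes]
CertificateTemplate = CorpCodeSigning   ; assumed template (internal) name
'@ | Set-Content -Path $infPath -Encoding ASCII

# 1. Generate key pair + PKCS#10 request, 2. submit to the CA, 3. install the issued cert.
& certreq.exe -new $infPath $reqPath
& certreq.exe -submit -config 'ca01.corp.example\Corp Issuing CA' $reqPath $cerPath
& certreq.exe -accept $cerPath

# Confirm the certificate landed in the user's Personal store with the right EKU
# and a private key; anything else means the template or permissions are wrong.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    throw 'No code-signing certificate with a private key was installed; check template EKU and Enroll permission'
}
'Issued: {0} ({1}) valid until {2}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

If certreq -submit fails with a template-related error, the usual causes are that the template has not been added under “Certificate Templates to Issue” yet or that the requesting account lacks Read/Enroll on it; the CA’s “Failed Requests” folder shows the exact reason.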

For Authenticode and ClickOnce there are two prerequisites on the client side:

  • The certificate chain has to end in a trusted root. If you are using an enterprise CA this is done automatically by Active Directory (the CA certificate is published to the domain and distributed to domain members); otherwise you have to add the CA certificate to the “Trusted Root Certification Authorities” store.
  • For ClickOnce trusted application deployment (installing with elevated permissions without a prompt) the code signing certificate itself also has to be in the client’s “Trusted Publishers” (machine) store. A plain Authenticode signature is valid as soon as the chain is trusted; the Trusted Publishers entry is what suppresses the prompts. In a domain you can push it to all clients via Group Policy (Public Key Policies -> Trusted Publishers).

Be aware of what the second entry means: everything signed with that private key will install on those clients without a warning. Keep the key non-exportable, on a dedicated signing machine or smart card, and revoke the certificate on the CA if the key is ever exposed.

After that, you can use the certificate to sign binaries using “signcode.exe” (or its successor “signtool.exe” from the newer SDKs) as well as signing application manifests in ClickOnce (more info here).
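The client-side part in one script, as an added example that is not part of the original post: it exports the public half of the enrolled certificate, puts it into the machine Trusted Publishers store, checks that the chain builds to a trusted root, signs a binary with PowerShell’s Set-AuthenticodeSignature (which does the same job as signcode.exe/signtool.exe for executables and PowerShell scripts) and verifies the signature. The file path C:\build\App.exe and the timestamp URL are assumptions; the timestamp server is optional but without it the signature stops validating when the one-year certificate expires.

```powershell
# Added example (not from the original post). Run elevated: writing to the
# LocalMachine\TrustedPublisher store needs administrator rights.
# Assumed: a code-signing cert with private key in CurrentUser\My (see enrollment above),
# binary C:\build\App.exe, timestamp server http://timestamp.example/ (placeholder).

$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$binary         = 'C:\build\App.exe'
$timestampUrl   = 'http://timestamp.example/'

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate with a private key found in CurrentUser\My' }

# Prerequisite 1: the chain must end in a trusted root on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Certificate chain does not build; import the CA certificate into Trusted Root Certification Authorities'
}

# Prerequisite 2: the publisher certificate (public part only, never the key)
# goes into the machine Trusted Publishers store.
$cerPath = Join-Path $env:TEMP 'publisher.cer'
$contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export($contentType))
& certutil.exe -addstore TrustedPublisher $cerPath | Out-Null

$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $trusted) { throw 'Publisher certificate was not added to LocalMachine\TrustedPublisher' }

# Sign the binary. Equivalent CLI: signtool sign /sha1 <thumbprint> /t <timestamp-url> App.exe
$sig = Set-AuthenticodeSignature -FilePath $binary -Certificate $cert -TimestampServer $timestampUrl
if ($sig.Status -ne 'Valid') { throw ('Signing failed: ' + $sig.StatusMessage) }

# Verify exactly what a client will see: status, signer and chain.
$check = Get-AuthenticodeSignature -FilePath $binary
'{0}: {1} signed by {2}' -f $binary, $check.Status, $check.SignerCertificate.Subject
```

For a fleet of clients do not run the certutil step by hand; import the same publisher.cer into Group Policy under Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Publishers and let the domain distribute it, exactly as it already distributes the enterprise CA root.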
