Step-by-step instructions to create and install a Certificate Authority certificate and a signing certificate as well as a BAT file to sign a program.
A signing certificate is purchased from a Certificate Authority (like VeriSign). The Certificate Authority verifies your identity. The certificate they issue to you is derived from their Certificate Authority certificate, which is already installed on your users' Windows computers. It is a best practice to buy your signing certificate.
If you do not want to buy a signing certificate, then you must create your own Certificate Authority certificate and a signing certificate derived from it. The Certificate Authority certificate must be installed on all of the PCs that will run your application. Many system administrators will not want to do this. If you are the system administrator for all of the Windows computers that will run your application, then it is something you may decide to do.
I do not claim to be a certificate expert. This is the procedure that I followed to create the Certificate Authority certificate and the signing certificate for a small non-profit organization that did not want to purchase a signing certificate. I have used the signing certificate to sign Click Once deployment manifests and SETUP.EXE programs that have subsequently been executed on Windows XP SP2, Windows 7 and Windows 8 computers.
Using the Procedure
In all of the steps below, replace COMPANYNAME with an abbreviation of your organization name (no embedded spaces).
Certificate creation and code signing software tools referenced in C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\ in the examples below are part of the Windows SDK. The Windows 8 SDK can be downloaded from Microsoft.
At least Internet Explorer 7 must be installed on the PC used to execute the code signing. Any earlier version of Internet Explorer will not work.
1. Create Certificate Authority Certificate
The following should be all on one line:
MAKECERT will ask you for a Certificate Authority password. Don't forget it!
2. Run MMC.EXE
- Click File then Add/Remove Snap-in
- Select Certificates from the left list, click Add
- Select My user account. Click Finish
- Select Certificates from the list again and Add it
- Select Computer account
- Save this configuration of MMC (File, then Save As) as Certificates.msc in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future
3. Install the new Certificate Authority certificate
The Certificate Authority certificate is stored in the Certificates (Local Computer) / Trusted Root Certification Authorities store of the computer that will do the signing and of all of the computers that will run your application.
- Double-click Certificates (Local Computer)
- Right click on Trusted Root Certification Authorities
- Select All Tasks, then Import
- Select the new certificate (COMPANYNAME.cer) to place it into the Trusted Root Certification Authorities area
The computer now implicitly trusts all certificates signed by that new Certificate Authority.
In a Microsoft Active Directory environment, you can enroll your Certificate Authority certificate so that it will be distributed to all of your Windows computers. Details on how to enroll your Certificate Authority certificate in Active Directory are beyond the scope of this article.
4. Create the Signing Certificate
The following should be all on one line:
Makecert will ask you for a password for the new signing certificate's private key.
Makecert will ask you for the password to the Certificate Authority's private key from Step 1 above.
5. Install the Signing Certificate
The signing certificate is derived from the new Certificate Authority certificate and stored in the Certificates - Current User / Personal area on the Windows computer that will do the signing.
You do not have to, and should not, install this signing certificate on your users' computers.
- Right-click on Personal in Certificates - Current User
- Select All Tasks, then Import
- Select the new signing certificate (COMPANYNAMESoftware.cer) to place it in the Certificates - Current User / Personal area
6. Create a BAT file named SIGNCODE.BAT
I put my SIGNCODE.BAT file in a folder named C:\BAT so that it would be easy to type C:\BAT\SIGNCODE.BAT rather than a long folder path.
7. Example of how to sign a program
In a CMD window, navigate to the directory that contains the program to be signed and run the BAT file.
Where SETUP.EXE is the program to be signed.
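The batch script below is an added worked example and is not the author's SIGNCODE.BAT (whose contents, like the MAKECERT command lines, are not reproduced on the page). It reconstructs steps 1, 4, 6 and 7 using MAKECERT, PVK2PFX and SIGNTOOL from the Windows 8 SDK path given above. Everything beyond the tool names and the COMPANYNAME / COMPANYNAMESoftware naming is an assumption: the C:\BAT\certs key directory, SHA-256 hashing, bundling the signing key into a .pfx for SIGNTOOL /f instead of picking the certificate from the Personal store, the Code Signing EKU, and the timestamp server URL, which is a placeholder to replace or leave empty.

```batch
@echo off
REM Added example, not the article's own SIGNCODE.BAT.
REM Usage: SIGNCODE.BAT ca        (step 1: create the CA certificate)
REM        SIGNCODE.BAT signer    (step 4: create the signing certificate)
REM        SIGNCODE.BAT sign FILE (step 7: sign and verify FILE, e.g. SETUP.EXE)
setlocal
set "SDKBIN=C:\Program Files (x86)\Windows Kits\8.0\bin\x86"
REM Assumed location for the .pvk/.cer/.pfx files; the CA .pvk is the root of trust, keep it offline.
set "CERTDIR=C:\BAT\certs"
set "CA=COMPANYNAME"
set "SIGNER=COMPANYNAMESoftware"
REM Placeholder RFC 3161 timestamp server; set to empty to sign without a timestamp.
set "TSA=http://timestamp.example.invalid"

if /i "%~1"=="ca" goto :make_ca
if /i "%~1"=="signer" goto :make_signer
if /i "%~1"=="sign" goto :sign
echo Usage: %~nx0 ca ^| signer ^| sign FILE.EXE
exit /b 1

:make_ca
REM Step 1: self-signed CA certificate. -r = self-signed, -cy authority = CA cert,
REM -sv writes the private key to a password-protected .pvk (MAKECERT prompts for it).
if not exist "%CERTDIR%" mkdir "%CERTDIR%"
"%SDKBIN%\makecert.exe" -r -pe -n "CN=%CA% Certificate Authority" -a sha256 -cy authority -sky signature -sv "%CERTDIR%\%CA%.pvk" "%CERTDIR%\%CA%.cer"
REM Step 3 alternative to the MMC import, from an elevated prompt (assumed, not from the article):
REM   certutil -addstore Root "%CERTDIR%\%CA%.cer"
exit /b %errorlevel%

:make_signer
REM Step 4: end-entity certificate issued by the CA. -ic/-iv name the issuer's
REM certificate and private key; -eku 1.3.6.1.5.5.7.3.3 restricts it to Code Signing.
"%SDKBIN%\makecert.exe" -pe -n "CN=%SIGNER%" -a sha256 -cy end -sky signature -eku 1.3.6.1.5.5.7.3.3 -ic "%CERTDIR%\%CA%.cer" -iv "%CERTDIR%\%CA%.pvk" -sv "%CERTDIR%\%SIGNER%.pvk" "%CERTDIR%\%SIGNER%.cer"
if errorlevel 1 exit /b %errorlevel%
REM Bundle certificate and key into a .pfx for SIGNTOOL /f (PVK2PFX prompts for the .pvk password).
"%SDKBIN%\pvk2pfx.exe" -pvk "%CERTDIR%\%SIGNER%.pvk" -spc "%CERTDIR%\%SIGNER%.cer" -pfx "%CERTDIR%\%SIGNER%.pfx"
exit /b %errorlevel%

:sign
REM Steps 6 and 7: the SIGNCODE.BAT body. %2 is the file to sign.
if "%~2"=="" ( echo Missing file to sign & exit /b 1 )
set "TSOPTS="
if defined TSA set "TSOPTS=/tr "%TSA%" /td sha256"
"%SDKBIN%\signtool.exe" sign /f "%CERTDIR%\%SIGNER%.pfx" /fd sha256 %TSOPTS% /v "%~2"
if errorlevel 1 exit /b %errorlevel%
REM Check: verify the signature chains to a certificate in the local Trusted Root store.
REM This fails on any PC where the CA certificate from step 3 has not been installed.
"%SDKBIN%\signtool.exe" verify /pa /v "%~2"
exit /b %errorlevel%
```

Run `C:\BAT\SIGNCODE.BAT ca` once, `C:\BAT\SIGNCODE.BAT signer` once, and then `C:\BAT\SIGNCODE.BAT sign SETUP.EXE` from the directory containing the program. The trailing `signtool verify /pa` is the check worth keeping in the script: it exercises the same trust decision a user's computer will make, so a missing or wrongly imported CA certificate shows up on the signing PC rather than at deployment time.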
Points of Interest
I read many articles on both Microsoft and non-Microsoft web sites to piece together these instructions. Thanks to all of those that posted information that allowed me to learn how to do this and subsequently publish this step-by-step procedure of all of the steps that I followed.