
How To Be Your Own Certificate Authority and Create Your Own Certificate to Sign Code Files

1 Mar 2013
Step-by-step instructions to create and install a Certificate Authority certificate and a signing certificate as well as a BAT file to sign a program.

Introduction

A code-signing certificate is normally purchased from a Certificate Authority (CA) such as VeriSign. The CA verifies your identity, and the certificate it issues to you chains to the CA's root certificate, which is already installed on your users' Windows computers. Buying your signing certificate is the best practice.

If you do not want to buy a signing certificate, you must create your own Certificate Authority certificate and a signing certificate issued from it. The Certificate Authority certificate must then be installed in the Trusted Root store of every PC that will run your application. Many system administrators will not want to do this, and with good reason: a computer that trusts your CA will accept anything that CA signs. If you are the system administrator for all of the Windows computers that will run your application, it is something you may decide to do.

Background

I do not claim to be a certificate expert. This is the procedure that I followed to create the Certificate Authority certificate and the signing certificate for a small non-profit organization that did not want to purchase a signing certificate. I have used the signing certificate to sign ClickOnce deployment manifests and SETUP.EXE programs that have subsequently been executed on Windows XP SP2, Windows 7 and Windows 8 computers.

Using the Procedure

In all of the steps below, replace COMPANYNAME with an abbreviation of your organization name (no embedded spaces).

The certificate-creation and code-signing tools referenced in the examples below (makecert.exe and signtool.exe, under C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\) are part of the Windows SDK. The Windows 8 SDK is a free download from Microsoft.

1. Create Certificate Authority Certificate

The following should be all on one line:

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha1 -sv "COMPANYNAME.pvk" -r "COMPANYNAME.cer"

-cy authority marks the certificate as a CA, -r makes it self-signed, and -sv writes the CA's private key to COMPANYNAME.pvk. MAKECERT will ask you for a password for that private key. Don't forget it, and keep the .pvk file away from the computers that will run your application: anyone who holds it can issue certificates that every one of those computers trusts. Two switches are worth adjusting: -a selects the signature hash, and because Microsoft has deprecated SHA-1 for Authenticode you should prefer -a sha256 (supported by the Windows 8 SDK makecert) here and in step 4; -len 2048 sets the RSA key length explicitly rather than relying on the default.

2. Run MMC.EXE

  1. Click File then Add/Remove Snap-in
  2. Select Certificates from the left list, click Add
  3. Select My user account, Click Finish
  4. Select Certificates from the list again and Add it
  6. Select Computer account, click Next, leave Local computer selected and click Finish
  6. Save this configuration of MMC (File, then Save As) as Certificates.msc in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future

3. Install the new Certificate Authority certificate

The Certificate Authority certificate goes into the Certificates (Local Computer) / Trusted Root Certification Authorities store on the computer that will do the signing and on every computer that will run your application.

  1. Double-click Certificates (Local Computer)
  2. Right click on Trusted Root Certification Authorities
  3. Select All Tasks, then Import
  4. Select the new certificate (COMPANYNAME.cer) to place it into Trusted Root Certification Authorities area

The computer now trusts every certificate issued by that new Certificate Authority, for any purpose (TLS servers and e-mail included), not only code signing. To narrow that, open the imported certificate's Properties in the snap-in and choose Enable only the following purposes, leaving only Code Signing checked; a leaked COMPANYNAME.pvk then cannot be used to mint certificates that these computers accept for other purposes. Keep the .pvk itself off these computers: only the .cer (the public certificate) needs to be installed.

In a Microsoft Active Directory environment you can distribute the Certificate Authority certificate to all of your Windows computers with Group Policy (Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities). Details are beyond the scope of this article.

4. Create the Signing Certificate

The following should be all on one line:

C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha1 -sky exchange -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"

If the command is split across lines, cmd runs each line separately and you will see an error such as "'exchange' is not recognized as an internal or external command".

-ic and -iv name the issuing CA's certificate and private key from step 1; -sr currentuser -ss my places the new certificate and its private key directly in the Certificates - Current User / Personal store; -pe marks the private key as exportable, so it can later be backed up as a password-protected .pfx. Adding -eku 1.3.6.1.5.5.7.3.3 restricts the certificate to the Code Signing purpose, which is good hygiene even though signtool will accept a certificate without it.

Makecert will ask you for a password for the new signing certificate's private key, and then for the password to the Certificate Authority's private key from step 1.

5. Install the Signing Certificate

The signing certificate is issued by the new Certificate Authority and lives in the Certificates - Current User / Personal store on the Windows computer that will do the signing. Because step 4 used -sr currentuser -ss my, makecert has already placed it there together with its private key, so open that store and check that it is listed (the certificate's General tab says "You have a private key that corresponds to this certificate"). The import below is only needed if you ran makecert without those switches; note that COMPANYNAMESoftware.cer contains only the public certificate, so importing it never adds a private key.

You do not have to and should not install this signing certificate on your users' computers. Signed files carry the signing certificate inside the signature, and the users' computers validate it against the Certificate Authority certificate installed in step 3.

  1. Right-click on Personal in Certificates - Current User
  2. Select All Tasks, then Import
  3. Select the new signing certificate COMPANYNAMESoftware.cer to place it in the Certificates - Current User / Personal area
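
The same CA and signing-certificate setup (steps 1 to 5), as an added example that is not part of the article: makecert is deprecated, and on Windows 10 / Server 2016 or later the New-SelfSignedCertificate cmdlet does the job from an elevated PowerShell 5.1 prompt. It assumes the article's placeholder names COMPANYNAME and COMPANYNAME Software, CertEnroll's {text} syntax for the Basic Constraints extension, and a working directory for the exported files; the export-and-delete of the CA key at the end is this editor's practice, not a step the article takes.

```powershell
# Added example, not the article's makecert procedure. Assumes Windows 10 /
# Server 2016 or later (New-SelfSignedCertificate -Signer), an elevated
# PowerShell 5.1 prompt, and the article's placeholder names.
$caName  = "COMPANYNAME"
$sigName = "COMPANYNAME Software"

# Step 1 equivalent: a self-signed CA certificate. Basic Constraints (OID
# 2.5.29.19, written in CertEnroll's {text} syntax) marks it as a CA that may
# issue leaf certificates only (pathlength=0); KeyUsage limits the key to
# signing certificates and CRLs. The key is exportable so it can be backed up
# and then removed from this machine (see the end of the script).
$ca = New-SelfSignedCertificate `
    -Subject "CN=$caName" `
    -Type Custom `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(10) `
    -TextExtension @("2.5.29.19={critical}{text}CA=true&pathlength=0") `
    -CertStoreLocation Cert:\CurrentUser\My

# Step 4 equivalent: a code-signing certificate issued by $ca. -Type
# CodeSigningCert adds the Code Signing EKU (1.3.6.1.5.5.7.3.3); the key is
# non-exportable so it cannot quietly leave the signing machine.
$signer = New-SelfSignedCertificate `
    -Subject "CN=$sigName" `
    -Type CodeSigningCert `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation Cert:\CurrentUser\My

# Step 3 equivalent: export the CA's public certificate (a .cer never contains
# the private key) and add it to this machine's Trusted Root store. Repeat the
# Import-Certificate line on every PC that will run the application, or push
# the .cer with Group Policy. In MMC you can then open the certificate's
# Properties and tick "Enable only the following purposes" > Code Signing.
$cerPath = Join-Path $PWD "$caName.cer"
Export-Certificate -Cert $ca -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Protect the CA key: save it as a password-protected .pfx for offline storage
# and delete it (certificate and key) from this machine's personal store. Only
# the signing certificate's key stays here; re-import the .pfx when you need to
# issue another signing certificate.
$pfxPassword = Read-Host -AsSecureString "Password for $caName.pfx"
Export-PfxCertificate -Cert $ca -FilePath (Join-Path $PWD "$caName.pfx") -Password $pfxPassword | Out-Null
Remove-Item -Path ("Cert:\CurrentUser\My\" + $ca.Thumbprint) -DeleteKey

# Sanity check: the signing certificate must chain to the CA now in Trusted
# Root. Revocation is skipped because this CA publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($signer)) {
    throw "Chain did not build: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
}
"Signing certificate {0} issued by {1} is ready" -f $signer.Thumbprint, $signer.Issuer
```

The chain check at the end is the same test every user's PC will perform when it runs the signed program: it succeeds only because COMPANYNAME.cer is in Trusted Root, and it would fail on a machine where step 3 was skipped.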

6. Create a BAT file named SIGNCODE.BAT

I put my SIGNCODE.BAT file in a folder named C:\BAT so that it would be easy to type C:\BAT\SIGNCODE.BAT rather than a long folder path.

@ECHO OFF
REM Usage: SIGNCODE.BAT file-to-sign
REM The argument is quoted as "%~1" below so that paths containing spaces work.
if "%~1"=="" (
    echo Usage: %~nx0 file-to-sign
    exit /b 2
)
set SIGNTOOL=C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe
REM Sign the file with the certificate whose subject contains "COMPANYNAME Software".
REM Stop here if signing itself fails; there is nothing to timestamp in that case.
%SIGNTOOL% sign /n "COMPANYNAME Software" "%~1"
if ERRORLEVEL 1 (
    echo Signing failed - is the "COMPANYNAME Software" certificate in Current User\Personal?
    exit /b 1
)
REM List of timestamp servers to try, in order. The SET statement must be all on one line.
REM These were the 2013 list; timestamp services move, so confirm each URL still answers.
set SERVERLIST=(http://timestamp.comodoca.com/authenticode http://timestamp.verisign.com/scripts/timstamp.dll http://timestamp.globalsign.com/scripts/timestamp.dll http://tsa.starfieldtech.com)
set timestampErrors=0
REM Timestamping is unreliable: walk the server list, pausing between attempts,
REM for up to 300 rounds before giving up.
for /L %%a in (1,1,300) do (
    for %%s in %SERVERLIST% do (
        echo Try %%s
        %SIGNTOOL% timestamp /t %%s "%~1"
        REM signtool returns 0 on success; "if not ERRORLEVEL 1" is true only for exit code 0
        if not ERRORLEVEL 1 goto succeeded
        echo Timestamp failed - server %%s
        set /a timestampErrors+=1
        REM wait 6 seconds before trying the next server
        choice /N /T 6 /D Y >NUL
    )
    REM wait 12 seconds before the next round
    choice /N /T 12 /D Y >NUL
)
REM return an error code...
echo SignCode.bat exit code is 1. %timestampErrors% timestamping errors.
exit /b 1
:succeeded
REM return a successful code...
echo SignCode.bat exit code is 0. %timestampErrors% timestamping errors.
exit /b 0

7. Example of how to sign a program

In a CMD window, navigate to the directory that contains the program to be signed and run the BAT file:

C:\BAT\SIGNCODE.BAT SETUP.EXE

where SETUP.EXE is the program to be signed. Afterwards, signtool verify /pa /v SETUP.EXE checks the signature against the default Authenticode policy and prints the certificate chain and the timestamp; run the same command on a PC that does not have COMPANYNAME.cer installed and it fails, which is exactly what step 3 exists to prevent. The sign line in the BAT file produces a SHA-1 file digest and /t requests a legacy Authenticode timestamp; with the Windows 8 SDK or later you can add /fd sha256 to the sign command and use timestamp /tr URL /td sha256 for an RFC 3161 timestamp, which is what current Windows versions expect, provided the server you choose supports that protocol.
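
The signing, timestamp-retry and verification steps (6 and 7), as an added PowerShell example that is not the article's SIGNCODE.BAT: it uses Set-AuthenticodeSignature with a SHA-256 file digest and Get-AuthenticodeSignature to confirm the result on the signing machine. It assumes Windows 10 or later with PowerShell 5.1, a certificate with subject CN=COMPANYNAME Software and its private key in Cert:\CurrentUser\My (as step 4 leaves it), and that the timestamp servers listed answer: one is from the article's list, the other is DigiCert's public service, and both are assumptions. Because the cmdlet replaces the whole signature on every call, each retry re-signs and timestamps in one step instead of timestamping separately as signtool does.

```powershell
# Added example, not the article's SIGNCODE.BAT. Assumes Windows 10 or later
# with PowerShell 5.1, the signing certificate from step 4 in Cert:\CurrentUser\My,
# and that the timestamp URLs below answer (the first is from the article's
# list, the second is DigiCert's public service; both are assumptions).
$TimestampServers = @(
    "http://timestamp.comodoca.com/authenticode",
    "http://timestamp.digicert.com"
)

function Get-CodeSigningCert {
    param([string]$Subject = "CN=COMPANYNAME Software")
    # -CodeSigningCert filters to certificates usable for code signing; we also
    # insist on a private key and take the longest-lived match.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate with a private key for $Subject" }
    return $cert
}

function Invoke-SignAndTimestamp {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Rounds = 5,
        [int]$PauseSeconds = 6
    )
    $cert = Get-CodeSigningCert
    # Sign once without a timestamp first: if that fails, the certificate or
    # the file is the problem, not the timestamp service, so stop here.
    $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert -HashAlgorithm SHA256
    if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

    # Timestamping is the unreliable part. Set-AuthenticodeSignature replaces
    # the whole signature on each call, so every retry re-signs and timestamps
    # in one step; the loop walks the server list, pausing between attempts.
    $errors = 0
    for ($round = 1; $round -le $Rounds; $round++) {
        foreach ($tsa in $TimestampServers) {
            $sig = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert `
                -HashAlgorithm SHA256 -TimestampServer $tsa -ErrorAction SilentlyContinue
            if ($sig -and $sig.Status -eq 'Valid' -and $sig.TimeStamperCertificate) {
                return [pscustomobject]@{
                    Path       = $Path
                    Server     = $tsa
                    Attempts   = $errors + 1
                    Thumbprint = $cert.Thumbprint
                }
            }
            $errors++
            Write-Warning "Timestamp via $tsa failed (round $round)"
            Start-Sleep -Seconds $PauseSeconds
        }
    }
    throw "Could not timestamp $Path after $errors failed attempts"
}

function Test-SignedFile {
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedThumbprint)
    # Status is Valid only when the signer chains to a root trusted on THIS
    # machine; a PC without COMPANYNAME.cer in Trusted Root reports UnknownError
    # ("... terminated in a root certificate which is not trusted").
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path           = $Path
        Status         = $sig.Status
        Signer         = $sig.SignerCertificate.Subject
        SignerExpected = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
        Timestamped    = [bool]$sig.TimeStamperCertificate
        TimestampedBy  = $sig.TimeStamperCertificate.Subject
    }
}

# Usage, from the folder that holds the program to sign:
$result = Invoke-SignAndTimestamp -Path .\SETUP.EXE
Test-SignedFile -Path .\SETUP.EXE -ExpectedThumbprint $result.Thumbprint
```

Test-SignedFile is worth running on a freshly imaged client PC as well as on the signing machine: a Valid status there proves the Trusted Root import from step 3 (or its Group Policy equivalent) actually reached that computer, and the Timestamped column tells you whether the signature will outlive the two-year signing certificate.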

Points of Interest

I read many articles on both Microsoft and non-Microsoft web sites to piece together these instructions. Thanks to all of those that posted information that allowed me to learn how to do this and subsequently publish this step-by-step procedure of all of the steps that I followed.

History

  • 24 February 2013 - Initial version
  • 25 February 2013 - Added link to Windows 8 Windows SDK
  • 1 March 2013 - Added reference to Active Directory's CA distribution capability

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Mike Meinz
Retired
United States
I’m retired. When I started my career, programming projects consisted of plugging wires into plug boards to create punch card processing applications to be run on electrical accounting machines like the IBM 402, 407, 085, 088, 514, 519, etc. From there, I moved to writing SPS and Autocoder applications on an IBM 1401 with 4K of memory eventually upgraded to 16K of memory. After many years of migrating my skills to various languages on various hardware platforms, I became an Information Technology Director where I didn’t need to program anymore. So, starting in 1996, I volunteered my time with a local community cable television organization and built some applications to help them run their operations. Originally in Clipper Summer 1987 and later Clipper 5.2, I migrated and enhanced those applications to VB .NET 2003 in 2003. I retired from my full-time job in 2010. Since then, I have continued to support the local community cable TV organization's applications. In 2013, I migrated the VB .NET 2003 Solution to VB .NET 2012 so that it can run on 64-bit computers and interact with Microsoft Office 2010. The upgrade went smoothly. In mid 2013, I developed a VB .NET 2012 application for them to download election results data from the Secretary of State's web site, format the results and send them to a VizRT character generator for on-air display.
