Usually when we think about SSL/TLS and certificates the first thing that comes to mind are the certificates used by a web server – and this makes sense because it is by far the most common usage for them. However, the specification for x.509 certificates has a lot of other uses as well. To recap, a certificate is the public key in a public/private keypair (usually generated with RSA or ECDSA). A code signing certificate is a special kind of certificate used to verify the authenticity of a binary. That is, software developers sign their releases with their private key, and clients can use their public key to decrypt a nonce published along as an attribute in the certificate. We once again leverage certificate authorities (like SSLTrust) to create a web of trust around these public keys allowing your computer to trust or distrust different programs depending on who publishes them. Pretty cool, right? You could even say that CA’s make the world go round! Without this mechanism an attacker could create a Man-In-The-Middle attack and trick you into running their program instead.
What if you’re a developer who wants to start signing their releases? In this day and age you really do have a moral obligation to do so. First you need to decide whether you want to go with a Comodo code signing certificate or a Thawte. Comodo is a cheaper option, and is largely compatible with any binaries you wish to sign – be they Windows Drivers, Java Applications, Office Macros, RDP shortcuts, Visual Studio projects or Silverlight Applications. However, legacy clients sometimes have trouble with Comodo certificates as they haven’t been a player in the game for as long as Thawte.
Next you’ll need to generate your CSR. You will need to generate it from the machine you intend to use to sign code, as installing the signed certificate combines the publically trusted cert with the private key already on your computer! This process differs a little bit depending on if you’re going to be signing Windows Code , or a Java Application.
Note: This process follows the best practice of tying the certificate to your user account instead of the computer account. This means that unless you export a backup of the keypair, the certificate will be tied directly to your account.
Generating a CSR for signing Windows Code:
- Open certmgr.msc
- Right click the “Personal” node.
- Navigate to All Tasks > Advanced Operations > Create Custom Request.
- Select “Proceed without enrollment policy” and click Next.
- Make sure the Request Format is PKCS #10 and select Next.
- Expand Details and select Properties.
- Under the General tab you need to give the certificate a descriptive friendly name.
- Under the Subject Tab you need to include a valid value for the following attributes:
Common Name – The name of your business.
Organization – The name of your business.
Locality – The physical location your business resides.
State – The territory where your business resides.
Country – The primary country your business operates in.
- Under Extensions, make sure to add “digital signature” and “key encipherment” and “key certificate signing”.
- Under Extender Key usage (Application Policies) make sure to add Code Signing.
- Under “Private Key”, make your key size at least 2048. Select “Make your private key exportable”. Do NOT select “Strong private key protection”. Under Hash algorithm select “Sha256”. Click OK.
- Select next, and export your CSR in Base 64 format. Open this in notepad and paste the contents into SSLTrust SSL Configuration Panel for the Certificate you have ordered so that we can process your certificate request. Remember to use Internet Explorer or Chrome as Firefox maintains its own Certificate Store and will not function as expected.
Generating a CSR for signing Java Code
Make sure that KeyTool is in your Windows Path. If not, you’ll need to replace “keytool” with the full path to “keytool.exe” in each command.
Generate your code signing keystore:
keytool -genkey -alias codesigncert -keyalg RSA -keysize 2048 -keystore codesignstore
Generate your CSR. Answer the questions to provide the information you’re prompted for. It will prompt you to create a password, you will need to remember it and provide it when you sign binaries.
keytool -certreq -v -alias codesigncert -file mycsr.pem -keystore codesignstore
the .PEM file contains the BASE64 CSR to use during your certificate configuration stage for your order on ssltrust so that we can generate your certificate.
Installing Windows Certificates:
Once you’ve received your certificate (This can take up to 3 business days to properly verify your identity), you will use this keypair to sign your binary. You will need to install it into your machine’s Keystore. Use Internet Explorer to install the certificate, and it will combine this code signed certificate with the private key you generated when you created your CSR. You should make a password protected backup of your keypair by navigating to the “local machine certificates” pane in the Windows MMC Utility.
Installing Java Certificates:
keytool -import -trustcacerts -alias codesigncert -file FileReceived.p7b -keystore codesignstore
Signing Windows Applications with Authenticode (Office/VBA, Visual Studio, DLLs, Drivers, etc)
On the machine you intend to sign code with, install the Windows SDK for your Operating System.
Assuming you have a single Code Signing Certificate bound to your user account, perform the following:
signtool sign /t http://sha256timestamp.ws.symantec.com/sha256/timestamp /a "c:\path\to\file.exe"
You can replace http:// sha256timestamp.ws.symantec.com/sha256/timestamp with a timestamping server of your choice.
If you have multiple Code Signing Certificates, the easiest thing to do is export a .PFX from the MMC and specify it:
signtool sign /t http://sha256timestamp.ws.symantec.com/sha256/timestamp /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"
Congratulations, your Windows binary has now been signed.
Signing Java Code:
jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore codesign jks -storepass passwordcreatedabove filetosign.jar codesign
You won’t see any output from this command, but you can check code signatures with the following:
jarsigner -verify -verbose -certs filetosign.jar
Not only do code signing certificates provide safety for your customers, but they will pay for themselves in the trust that you build with your clientele. Many enterprises are obligated by corporate policy to only purchase products that utilize this method for distribution. Get your code signing certificate today!