Code Signing - Internal CA

  • Question

  • Our company has a lot of internal applications. Our current security model for our .NET apps is not ideal, so I am taking a look at implementing code signing to improve what we have. We have an internal CA for our SSL certs, but have really no experience producing certificates for code signing. The crew that operates the CA requests a CSR so they can then provide me a certificate that I can then use. Creating an SSL CSR is easy enough from IIS, but for the life of me, I can't figure out how to create a code signing cert CSR.

    Browsing around the commercial CA providers seems to suggest that they generate the CSR in the browser at order time. Extensive internet searching has left me with no answers and more questions about whether I am even going in the right direction. Any help/advice would be appreciated.

    Thanks,

    David

    Monday, May 3, 2010 7:14 PM

Answers

  • It wasn't the answer, just helpful. I ended up using the Java JDK keytool to create the key pair and generate the CSR. Once I received the certificate from our CA, I imported it into the JDK keystore and then exported the pair using a combination of keytool, Java code, OpenSSL, and a tool I found online.

    This may not be the best solution for everyone, but it ended up that we wanted to put this in a Java keystore as well, since the cert that we had for Java signing was DSA instead of RSA.

    Here are the links that I used in this process:

    I started by following these directions to generate a CSR.

    http://community.godaddy.com/help/2008/09/10/sign-java-code/

    Then I started using this to extract the cert once I had it in the keystore. Note that the pvktool mentioned in the blog doesn't work on DSA certs. I later found out that .NET signing requires an RSA cert anyway.

    http://blogs.atlassian.com/developer/2007/02/code_signing_the_jira_installer.html

    Then I ended up using this because it seemed to work better, although I ended up using the full version of OpenSSL because the one that he packaged in his download was erroring out during the batch script.

    http://www.crionics.com/products/opensource/faq/signFree.htm


    Friday, May 7, 2010 1:06 PM
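The OpenSSL route that Steve mentions, as an added example that is not David's keytool procedure or anything from the linked blogs: it generates an RSA key and a CSR that explicitly requests the codeSigning extended key usage, then inspects the CSR the way the CA team would before issuing. Subject names, file names and the 3072-bit key size are constructed assumptions.

```shell
#!/bin/sh
# Added example: build an RSA code-signing CSR with OpenSSL and sanity-check it.
set -eu

# make_codesign_csr DIR CN ORG
# Writes DIR/codesign.key (unencrypted PKCS#8 private key, keep it on the build
# host only) and DIR/codesign.csr. The req_extensions block asks for the
# codeSigning EKU so the internal CA issues a code-signing cert, not an SSL cert.
make_codesign_csr() {
    dir=$1; cn=$2; org=$3
    cat > "$dir/codesign.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = codesign_ext

[ dn ]
CN = $cn
O  = $org

[ codesign_ext ]
keyUsage         = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
    # RSA, not DSA: as the thread notes, .NET (Authenticode) signing needs an RSA key.
    openssl req -new -newkey rsa:3072 -nodes -sha256 \
        -config "$dir/codesign.cnf" \
        -keyout "$dir/codesign.key" -out "$dir/codesign.csr" 2>/dev/null
    chmod 600 "$dir/codesign.key"
}

# Pre-submission checks: does the CSR ask for Code Signing, and is the key RSA?
csr_has_codesign_eku() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q 'Code Signing'
}
csr_key_is_rsa() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q 'Public Key Algorithm: rsaEncryption'
}

# Demo run in a scratch directory (constructed sample subject).
work=$(mktemp -d)
make_codesign_csr "$work" "Example Corp Internal Build Signing" "Example Corp"
csr_has_codesign_eku "$work/codesign.csr" && csr_key_is_rsa "$work/codesign.csr" &&
    echo "CSR ready to submit: $work/codesign.csr"
```

Submit codesign.csr to the internal CA; the CA must carry the codeSigning EKU through into the issued certificate, otherwise signtool will still refuse the cert.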

All replies

  • What you want to do is to have an external commercial CA create a cert which establishes your company as a Software Publisher. Then sign the apps/assemblies with that so that trust can be established. By having that cert on each user's desktop, they know when they install that this install is from a trusted publisher.

    See How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications for more info.


    William Wegerson (www.OmegaCoder.Com)
    Monday, May 3, 2010 7:32 PM
    Moderator
  • Microsoft's Certification Authority service has a web front-end that you can use to create a CSR (and submit it).

    That said, I've found Microsoft's CA UI to be quite painful (including the fact that it forces you to install it in the machine and not save it to a file). OpenSSL is a lot more flexible; the default install includes an "easy" PKI system. You could also try this online tool: https://pkiwidgets.quovadisglobal.com/pkiwidgets/generateCSR.aspx

    Also see: http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx - though it doesn't answer your specific question, it's still a good reference as you explore this area.

           -Steve


    Programming blog: http://nitoprograms.blogspot.com/
      Including my TCP/IP .NET Sockets FAQ
      and How to Implement IDisposable and Finalizers: 3 Easy Rules
    Microsoft Certified Professional Developer

    How to get to Heaven according to the Bible
    Monday, May 3, 2010 7:44 PM
  • The idea is to have a cert created by our internal CA for our internal apps. This internal CA is trusted by our PCs. Seems odd to pay for a signing cert when we should have the ability to produce a trusted one ourselves.

    I'm also not just looking at ClickOnce apps, but Windows Forms and console apps that are deployed on network locations.

    Feel free to tell me if I am missing the point.

    Monday, May 3, 2010 7:51 PM
  • Thanks for the best practices white paper link, Steve. Skimming it tells me I'm headed in the right direction. I don't think the pkiwidgets is what I need, but it is getting there. I am going to look into the OpenSSL feature that is mentioned. I am also looking into some references that the white paper pointed out. If anyone else has advice, keep it coming. If it doesn't answer the question, you can still get points for being helpful. :)
    Monday, May 3, 2010 8:45 PM
  • Hi David,

    Glad to see that you got the direction. By the way, please remember to mark useful replies as answers, so that other community members who encounter a similar issue will get the right answer easily and quickly.

    Please feel free to let us know if you have any concern.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback on our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Friday, May 7, 2010 8:31 AM
  • You probably want to start a new thread since you have a different problem. My issue was creating a CSR; yours is creating a cert from the CSR.
    Wednesday, October 17, 2012 8:36 PM