How to add email address to a certificate

  • Question

  • Hi

    I generate a certificate using makecert.exe and use signtool.exe to sign my app. But in the file properties dialog box, on the digital signature details, the email field is "Not available". How can I add an email address to it (or any other extra information)? Does it depend on the certificate file (makecert) or on signtool?

    Also, what is the "Countersignatures" section?

    Another question:

    When generating the certificate for code signing, is it necessary to use passwords (requested by the makecert & pvk2pfx tools)? Or can I set them to none?

    Thanks


    • Edited by drjackool Monday, January 11, 2016 6:33 PM
    • Moved by Weiwei Cai Tuesday, January 12, 2016 9:27 AM not VS IDE issue.
    Monday, January 11, 2016 6:29 PM

Answers

  • Countersignatures are used for time stamps at least -- a time stamp server certifies that your signature already existed at a particular time, so if your private key was stolen after that time, the signature should remain valid. See Time Stamping Authenticode Signatures.

    Let's see about the email address. If I have the following in openssl.cnf

    [req]
    default_bits=2048
    distinguished_name=req.dn
    x509_extensions=req.x509ext
    prompt=no
    
    [req.dn]
    commonName=Test Vendor
    emailAddress=test1@example.com
    
    [req.x509ext]
    basicConstraints=CA:TRUE, pathlen:0
    keyUsage=digitalSignature
    extendedKeyUsage=codeSigning
    subjectAltName=email:test2@example.com,email:test3@example.com

    then run the commands

    openssl req -config openssl.cnf -new -x509 -out testcert.pem -keyout testprivkey.pem -nodes
    openssl pkcs12 -export -in testcert.pem -inkey testprivkey.pem -passout pass: -out test.pfx
    COPY /Y "%SystemRoot%\System32\winver.exe" .
    signtool sign /f test.pfx /d "Test Description" /du ftp://test.example.org/ winver.exe

    and view the properties of the resulting winver.exe in Windows Explorer and click Details on the Digital Signatures tab, then it shows test2@example.com in the E-mail field. So this information apparently comes from the Subject Alternative Name extension of the certificate.

    Although you can generate a certificate using makecert.exe, or using openssl.exe like I did above, Windows will not trust such certificates by default. It can be configured to trust the certificate, but if you're going to distribute your app to your customers, they might be unwilling to trust your certificate. You should instead purchase a certificate from a commercial certification authority, and ask the certification authority how to get your email address to the Subject Alternative Name extension.

    • Edited by ranta Tuesday, January 12, 2016 5:22 PM recommend commercial CA
    • Proposed as answer by Kristin Xie Tuesday, January 19, 2016 1:19 AM
    • Marked as answer by DotNet WangModerator Monday, January 25, 2016 2:10 AM
    Tuesday, January 12, 2016 5:12 PM
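The answer above traces the displayed E-mail field to rfc822Name entries in the Subject Alternative Name extension. As an added example (not from the forum post), this pure-Python snippet encodes and decodes the DER value of such a SAN so you can check what a certificate actually carries; the addresses are constructed samples matching the openssl.cnf above, and `displayed_email` encodes the post's observation that the first SAN email is what Explorer shows.

```python
from typing import List, Optional

# Added example, not the forum poster's code. GeneralNames ::= SEQUENCE OF GeneralName;
# rfc822Name is [1] IMPLICIT IA5String, i.e. context-specific primitive tag 0x81.

def _der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san_emails(emails: List[str]) -> bytes:
    """Build the DER SEQUENCE of rfc822Name entries, in the given order."""
    inner = b"".join(bytes([0x81]) + _der_len(len(e)) + e.encode("ascii") for e in emails)
    return bytes([0x30]) + _der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_san_emails(der: bytes) -> List[str]:
    """Extract rfc822Name entries in order. Other GeneralName choices
    (dNSName [2] = 0x82, URI [6] = 0x86, iPAddress [7] = 0x87) are skipped."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    emails, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x81:
            emails.append(value.decode("ascii"))
    return emails

def displayed_email(der: bytes) -> Optional[str]:
    """The post reports the first SAN email (test2@example.com) is displayed while
    the subject's emailAddress attribute (test1@example.com) is not."""
    found = decode_san_emails(der)
    return found[0] if found else None

if __name__ == "__main__":
    san = encode_san_emails(["test2@example.com", "test3@example.com"])  # constructed sample
    print(san.hex(), decode_san_emails(san), displayed_email(san))
```

To compare against a real certificate, dump its SAN with `openssl x509 -in testcert.pem -noout -text` and check that the rfc822Name entries appear in the order you expect.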

All replies

  • Hi drjackool,

    This forum discusses the Visual Studio WPF/SL Designer, Visual Studio Guidance Automation Toolkit, Developer Documentation and Help System, and Visual Studio Editor.

    Since your problem is related to signing a PE file, I will move this thread to the CLR forum for better help. It is more appropriate there and more experts will assist you.

    Best Regards,
    Weiwei

    Tuesday, January 12, 2016 9:20 AM