Getting a Software Publisher Certificate
Before you can sign files, you need to obtain a Software Publisher Certificate (SPC). To do this, you must make a request to a Certification Authority. During the application process, you must generate a key pair and provide the Certification Authority with identification information, such as your name, address, and public key. You must also make a legally binding pledge that you cannot and will not distribute software you know or should have known contains viruses or will otherwise maliciously harm the user's machine or code.
The Certification Authority generates a Software Publisher Certificate that conforms to the industry standard X.509 certificate format with Version 3 extensions. The certificate identifies you and contains your public key. It is stored by the Certification Authority for reference and a copy is returned to you via electronic mail. After accepting the certificate, you should include a copy in all published software signed with the private key.
See the following resources for information on Authenticode and digitally signed certificates:
- "Certificates and Authenticode" (Microsoft TechNet) at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/certauth/default.asp.
- "Frequently Asked Questions About Authenticode" (MSDN) at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnauth/html/signfaq.asp.
- For information about Authenticode and obtaining a Software Publisher Certificate (SPC), read the white paper "Digital Code Signing Step-by-Step Guide" at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsmarttag/html/odc_dcss.asp.
- For information about creating a test certificate to test sign your files, see Making a Test Software Publisher Certificate.
- For information about Microsoft Internet Explorer Security, see http://www.microsoft.com/Windows/ie/security/default.asp.
Making a Test Software Publisher Certificate
You can use the MAKECERT and CERT2SPC utilities to make a test Software Publisher Certificate. Note that this test SPC is not valid for software publishing, but can be used to test code signing.
To make a private key file called MYKEY.PVK and a company certificate called CERT.CER, run the MAKECERT utility with the following command:
C:\MSSDK\BIN\MAKECERT -u:MyKey -n:CN=MySoftwareCompany -k:MYKEY.PVK CERT.CER
MyKey is the name you give to your key and MySoftwareCompany is the name of your company. Note that the MAKECERT utility is case sensitive to command-line options, so you must use lowercase -u, -n, and -k. The value for the -n option must be an uppercase CN=.
To create a test Software Publisher Certificate (SPC) called CERT.SPC, run the CERT2SPC utility with the following command:
C:\MSSDK\BIN\CERT2SPC C:\MSSDK\BIN\ROOT.CER CERT.CER CERT.SPC
Note that the CERT.SPC file is created from the CERT.CER file you created with MAKECERT and from the ROOT.CER file provided in the same directory.
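The certificate properties described above (an X.509 v3 certificate that identifies the publisher, carries the public key, and is usable for code signing) can be checked on any signed file. The following PowerShell script is an added example, not code from the original page or from Microsoft: it reads the signer certificate behind a file's Authenticode signature with Get-AuthenticodeSignature, checks that it is version 3 and that its Extended Key Usage includes the code-signing OID, and then builds the certificate chain under the code-signing application policy. The $Path parameter, its placeholder default, and the Test-CodeSigningCertificate function name are assumptions for this example.

```powershell
# Added example, not from the original page. Inspects the signer certificate
# behind an Authenticode signature and checks what the text above describes:
# an X.509 v3 certificate (extensions are a v3 feature), a subject that
# identifies the publisher, a public key, and an Extended Key Usage that
# permits code signing. $Path is an assumed input; replace the placeholder
# default with a real signed file.
param([string]$Path = 'C:\PLACEHOLDER\signed-file.exe')

# id-kp-codeSigning (RFC 5280): the EKU a Software Publisher Certificate carries.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Test-CodeSigningCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Only X.509 v3 certificates can carry extensions such as EKU.
    if ($Cert.Version -lt 3) {
        Write-Warning "Certificate is X.509 v$($Cert.Version); extensions require v3."
        return $false
    }

    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        Write-Warning 'Certificate has no Extended Key Usage extension.'
        return $false
    }

    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($oids -notcontains $CodeSigningOid) {
        Write-Warning "EKU does not include code signing (found: $($oids -join ', '))."
        return $false
    }
    return $true
}

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status) - $($sig.StatusMessage)"

if (-not $sig.SignerCertificate) {
    'No signer certificate present (file is unsigned or the signature could not be read).'
    return
}

$cert = $sig.SignerCertificate
"Subject          : $($cert.Subject)"
"Issuer           : $($cert.Issuer)"
"Valid            : $($cert.NotBefore) to $($cert.NotAfter)"
"Public key       : $($cert.PublicKey.Oid.FriendlyName)"
"Thumbprint       : $($cert.Thumbprint)"
"Code-signing EKU : $(Test-CodeSigningCertificate -Cert $cert)"

# Build the chain under the code-signing application policy so that a
# certificate issued for another purpose, or one chaining to an untrusted
# (for example, test) root, is reported rather than silently accepted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $CodeSigningOid)) | Out-Null
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($cert)) {
    "Chain            : trusted, $($chain.ChainElements.Count) element(s)"
} else {
    'Chain            : NOT trusted'
    foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
}
```

Run it as `.\Check-SignerCert.ps1 -Path <signed file>`. A file signed with the test SPC produced by MAKECERT and CERT2SPC chains to the test ROOT.CER rather than to a trusted root, so the chain step reports it as not trusted; that is the practical meaning of the note above that the test SPC can be used to test signing but is not valid for publishing. Revocation checking is set to Online; switch it to NoCheck only when examining files on an isolated machine.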