Issuing Code-signing Certificate with Private Key

  • Thread starter jwgoerlich@gmail.com

jwgoerlich@gmail.com

Hello group,

I am issuing a code-signing certificate from an Enterprise CA. I am
currently using the Certificate Services' web interface with the code-
signing template.

There does not seem to be an option to export the private key, though
I understand that is a requirement in Visual Studio 2005. When using
ClickOnce, Visual Studio responds that "The selected file does not
contain a private key. You must choose a certificate that contains a
private key."

I have exported the key using the Certificates MMC. The Certificate
Authority is reporting that "the associated private key is marked as
not exportable."

What am I missing?

J Wolfgang Goerlich


Related Links:

ClickOnce Manifest Signing and Strong-Name Assembly Signing Using
Visual Studio Project Designer's Signing Page
http://msdn2.microsoft.com/en-us/library/aa730868(vs.80).aspx
 

Brian Komar

You need to create a v2 certificate template based on the default Code
Signing certificate that allows key export. Of course, your enterprise CA
must be running on Enterprise Edition to allow the issuance of the v2
certificate template.
A certificate based on the custom template will allow export as you require.
Brian

John Xie

Hi Brian,

I would like to know what the default code sign template is used for, if we
can't use it to sign code.

Thanks.

Paul Adare

On Fri, 4 Jan 2008 08:26:03 -0800, John Xie wrote:

> Hi Brian,
>
> I would like to know what the default code sign template is used for, if we
> can't use it to sign code.


Brian never said that you couldn't use a certificate based on the default
V1 template to sign code. All he said was that you couldn't modify the
template to allow private key export like the OP wanted to do.



--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
BPI: A 1960s term used to describe unmentionable parts of the anatomy, as in
"you bet your bpi".
 

John Xie

Actually, I tried to use the v1 template to sign my code. The result is that the
certificate doesn't appear in the trusted software publisher store. It is in the
personal folder store.

According to the link (http://www.kinook.com/blog/?p=10), in order to sign
code, we need to have the code signing certificate with the private key
exportable, and it looks like we are not able to do that with Windows
Server 2003 Standard Edition.

Also, I would like to know what this code signing will do. I can list
the following:
1. Sign VBA code, so you don't need to change the security setting to low to
let it work.
2. When you download the signed code, it will show your certificate in the
Security Warning window.
3. When you run the program, it will show your certificate in the security
warning window.

What else?

Thanks.

John

jwgoerlich@gmail.com

That is the ticket. Much obliged, Brian.

On Dec 27 2007, 12:58 pm, "Brian Komar"
<brian.ko...@nospam.identit.ca> wrote:
> You need to create a v2 certificate template based on the default Code
> Signing certificate that allows key export. Of course, your enterprise CA
> must be running on Enterprise Edition to allow the issuance of the v2
> certificate template.
> A certificate based on the custom template will allow export as you require
> Brian

Brian Komar

You can use it to sign code.
But it disables private key export.
You stated you want private key export, so you must create a v2 certificate
template to meet this requirement.
Brian

"John Xie" <JohnXie@discussions.microsoft.com> wrote in message
news:A45DDD69-B4E4-436D-B2E0-E787F3542B1F@microsoft.com...
> Hi Brian,
>
> I would like to know what the default code sign template is used for, if we
> can't use it to sign code.
>
> Thanks.
 
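A way to check the two conditions this thread turns on, as an added example that is not part of the original posts: the PowerShell function below lists the code-signing certificates in a certificate store and reports whether each has a private key and whether that key is marked exportable. The function name `Get-CodeSigningKeyStatus` and the default store path are assumptions made for illustration, and only RSA keys are inspected.

```powershell
# Added example, not from the thread. Assumptions: the function name and the
# default store path are illustrative; only RSA keys are inspected.
function Get-CodeSigningKeyStatus {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'   # the "Personal" store
    )

    $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport

    # -CodeSigningCert limits the listing to certificates valid for code signing.
    Get-ChildItem -Path $StorePath -CodeSigningCert | ForEach-Object {
        $cert       = $_
        $exportable = $null    # stays $null when no RSA private key can be opened
        $provider   = $null

        if ($cert.HasPrivateKey) {
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($key -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the export policy is a set of flags on the key handle.
                    $exportable = $key.Key.ExportPolicy.HasFlag($allowExport)
                    $provider   = $key.Key.Provider.Provider
                }
                elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI key: the container records the exportable flag.
                    $exportable = $key.CspKeyContainerInfo.Exportable
                    $provider   = $key.CspKeyContainerInfo.ProviderName
                }
            }
            catch {
                # Key store unavailable or access denied: report it and continue.
                $provider = "unavailable: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            KeyProvider   = $provider
        }
    }
}

Get-CodeSigningKeyStatus | Format-Table -AutoSize
```

A row with `Exportable` set to `False` is the state the original post describes as "marked as not exportable"; such a certificate can still sign from the store, as the replies above state.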