Code signing with internal cert server

In house certificate server for signing in house code.

I'm trying to set up a certificate server so that I can have developers do their own code signing.

This will be for things like internal VSTO addons and macros.  The apps are not intended to be distributed outside the company.

The certificate server is set up.

From the certificate authority, I duplicated the original Code Signing template (NOTE: apparently, this step is required so that the generated cert is exportable - otherwise, the option to export is greyed out), then I assigned a few additional properties and permissions to the template, such as for the certificate to be valid for 20 years (it's for internal VSTO apps and macros and no one wants application nags a year from now).

From http://server/certsrv
Request a certificate > submit an advanced certificate request > create and submit a request to this CA >
Certificate template: Inhouse Code signing
Key options: Microsoft Enhanced Cryptographic provider
keysize: 2048
check: mark keys as exportable
check: export keys to file: c:\here.pvk

Additional Options:
Request format: CMC
Save request to file: c:\here.cmc
FriendlyName: InternalCode



What now? The .pvk file seems useless and the .cmc file is a certificate request. So I submit the request like so:
Request a certificate > submit an advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Saved request: (paste in the request)
Certificate Template: Inhouse Code Signing

The certificate you requested was issued to you.
   Download certificate

So I install it.

So now, I try to sign an Excel macro with that certificate, but I get an error:
"there was a problem with the digital certificate.  The VBA project could not be signed.  The signature will be discarded."

When I examine the certificate, I confirm that the cert is valid from my cert server and is indeed intended for code signing.  No red X's or exclamation points.

Any idea how to get this to work?

Paranormastic (Cryptographic Engineer) commented:
Decent link - since you are using a CA issued cert, ignore the makecert.exe stuff if you read that. Also note that the cert will only be valid for the number of years that your CA cert is valid for - if that is over 20 years then you're fine (although that's a bit long, in my opinion, but whatever).

Short version with different tools:
Download these:

OpenSSL for Windows:

Pvk2pfx.exe is contained within the WDK:

Then run these (replace CAPS as variables):
c:\openssl\bin\openssl.exe pkcs7 -in CERTNAME.p7b -out CERTNAME.spc -inform DER

pvk2pfx.exe -pvk CERTNAME.pvk -pi PASSWORD -spc CERTNAME.spc -pfx CERTNAME.p12 -po PASSWORD

Alternatively, if you have a lot of stuff to do, you might be interested in CodeSigner Pro:
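
An added check, not part of the original answer or of any tool named in it: after importing the CERTNAME.p12 produced by the commands above, this PowerShell lists the certificates in the current user's Personal store that carry the Code Signing EKU and reports whether each has a private key attached, its RSA key size and its expiry. The function name Get-CodeSigningCertStatus is hypothetical.

```powershell
# Added example (not from the original thread). Get-CodeSigningCertStatus is a
# hypothetical helper name. Read-only: it inspects the store and changes nothing.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Get-CodeSigningCertStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
        # A certificate with no EKU extension at all is reported as False here.
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        # Returns $null for non-RSA keys, so guard before reading KeySize.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $keySize = $null
        if ($rsa) { $keySize = $rsa.KeySize }

        $hasEku  = $ekuOids -contains $CodeSigningOid
        $inDate  = ($Certificate.NotBefore -le (Get-Date)) -and ($Certificate.NotAfter -ge (Get-Date))

        [pscustomobject]@{
            Subject        = $Certificate.Subject
            FriendlyName   = $Certificate.FriendlyName
            Thumbprint     = $Certificate.Thumbprint
            CodeSigningEku = $hasEku
            HasPrivateKey  = $Certificate.HasPrivateKey
            RsaKeySize     = $keySize
            NotAfter       = $Certificate.NotAfter
            # Signing needs the EKU, a private key in the store, and a cert in date.
            UsableToSign   = $hasEku -and $Certificate.HasPrivateKey -and $inDate
        }
    }
}

# Report every code-signing certificate in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    Get-CodeSigningCertStatus |
    Where-Object { $_.CodeSigningEku } |
    Format-List
```

A row with CodeSigningEku True and HasPrivateKey False means the store holds only the public certificate; the key in the .pvk file has not been joined to it.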
