Code signing with internal cert server

In house certificate server for signing in house code.

I'm trying to set up a certificate server so that I can have developers do their own code signing.

This will be for things like internal VSTO addons and macros.  The apps are not intended to be distributed outside the company.

The certificate server is set up.

From the certificate authority, I duplicated the original Code Signing template (NOTE: apparently, this step is required so that the generated cert is exportable - otherwise, the option to export is greyed out), then I assigned a few additional properties and permissions to the template, such as for the certificate to be valid for 20 years (it's for internal VSTO apps and macros and no one wants application nags a year from now).

From http://server/certsrv
Request a certificate > submit an advanced certificate request > create and submit a request to this CA >
Certificate template: Inhouse Code signing
Key options: Microsoft Enhanced Cryptographic provider
keysize: 2048
check: mark keys as exportable
check: export keys to file: c:\here.pvk

Additional Options:
Request format: CMC
Save request to file: c:\here.cmc
FriendlyName: InternalCode

Submit

..

What now? The .pvk file seems useless and the .cmc file is a certificate request. So I submit the request like so:
Request a certificate > submit an advanced certificate request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Saved request: (paste in the request)
Certificate Template: Inhouse Code Signing
Submit.

The certificate you requested was issued to you.
   Download certificate

So I install it.

So now, I try to sign an Excel macro with that certificate, but I get an error:
"there was a problem with the digital certificate.  The VBA project could not be signed.  The signature will be discarded."

When I examine the certificate, I confirm that the cert is valid from my cert server and is indeed intended for code signing.  No red X's or exclamation points.

Any idea how to get this to work?
Asked by: Marketing_Insists

Paranormastic (Cryptographic Engineer) commented:
Decent link - since you are using a CA-issued cert, ignore the makecert.exe stuff if you read that. Also note that the cert will only be valid for the number of years that your CA cert is valid for - if that is over 20 years then you're fine (although that's a bit long, in my opinion, but whatever).

Short version with different tools:
Download these:

OpenSSL for Windows:
http://gnuwin32.sourceforge.net/packages/openssl.htm

Pvk2pfx.exe is contained within the WDK:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff

Then run these (replace the names in CAPS with your own values):
c:\openssl\bin\openssl.exe pkcs7 -in CERTNAME.p7b -out CERTNAME.spc -inform DER

pvk2pfx.exe -pvk CERTNAME.pvk -pi PASSWORD -spc CERTNAME.spc -pfx CERTNAME.p12 -po PASSWORD


Alternatively, if you have a lot of stuff to do, you might be interested in CodeSigner Pro:
http://download.cnet.com/Code-Signer-Pro/3000-2383_4-10611051.html?tag=mncol
Question has a verified solution.
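
A check that goes with the steps in this thread, as an added example that is not part of the original posts: a certificate can only sign when its private key is attached to it in the store, and the request in the question exported the key to a separate .pvk file. The function name Test-SigningReadiness and the store path Cert:\CurrentUser\My are assumptions; the thread does not say which store the certificate was installed into.

```powershell
# Added example (not from the thread): report whether each certificate in the
# current user's personal store is usable for code signing.
# Assumption: the issued certificate was installed into Cert:\CurrentUser\My.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU

function Test-SigningReadiness {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $now = Get-Date

        # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        # Build the chain to a trusted root without going online for revocation,
        # so the check also works on a machine that cannot reach the CRL.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($Certificate)

        $hasEku  = $ekuOids -contains $codeSigningOid
        $inDates = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)

        [pscustomobject]@{
            FriendlyName   = $Certificate.FriendlyName
            Subject        = $Certificate.Subject
            Thumbprint     = $Certificate.Thumbprint
            HasPrivateKey  = $Certificate.HasPrivateKey   # False: cert installed without its key
            CodeSigningEku = $hasEku
            InValidity     = $inDates
            ChainTrusted   = $chainOk
            ReadyToSign    = $Certificate.HasPrivateKey -and $hasEku -and $inDates -and $chainOk
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Test-SigningReadiness | Format-List
```

A row with CodeSigningEku and ChainTrusted true but HasPrivateKey false describes a certificate that looks valid in the viewer yet cannot sign until it is imported together with its key, for example from the .p12 file produced by pvk2pfx.exe.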
