This article of mine explains how to sign a code without the need to buy the digital
signature for Microsoft Trusted Certificate Authorities. Please note that this
would be helpful for test purposes only since it requires you to install the
certificate in all client browser using the application. Eventually, a
certificate from Trusted Root CA like Verisign, Thawte. Etc has to be bought
for insuring that your CAB/ActiveX component is available for use to all
without security issues. It even makes
code signing easier, which needs only signcode.exe utility along with the spc
file and private key provided by the CA.
For the list for Microsoft trusted CA’s , click the link below:http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/rootcertprog.asp
The article uses Ascertia as the CA to obtain the free digital certificate.
Some of the utilities provided in the process of signing the
code are part of the Microsoft SDK. So we would be having them if we
have any version of .NET installed on our machine. This works
like a charm if the steps are followed correctly. We just need to execute all
the utilities one by one.
This requires the user to register for an account and provide some
information so as to embed it into the certificate.
Please note that the "Name" that you enter will be the name seen on the certificate. When the information
is provided, a prompt will be asked to add the certificate into the
browser's certificate root store. Add the certificate in the "Trusted
Root Certification Authorities" store.
2. Generation of Software Publishing Certificate (spc)
Run certmgr.exe. This
would display the certificate installed in the previous step along with other
certificates. Select the option to export without the private key and in DER
encoded binary. This should produce a certificate file with .cer
extension. Put it in a folder and at a path, which is not cumbersome. E.g.
c:\<foldername>. Put all the utility files in this folder too.
Now convert the certificate file to spc file - Software
Publishing Certificate with the following utility
cert2spc <insert cer file path>
<insert new spc file path>
3. Generation of Personal Information Exchange file (pfx)Run certmgr.exe again. Select the same certificate, and
This will export a pfx file. (Make sure to remember the password you set.)
This time export the private key. Make sure "Include all certificates in
the certification if possible" is checked and "Delete the
private key if the export is successful" is unchecked.
This is available from
the following link for Windows Version. http://www.shininglightpro.com/products/Win32OpenSSL.html
Execute the following code
openssl pkcs12 -in <insert pfx
file path> -nocerts -nodes -out <insert new pem file path>
This will create a *.pem file.
The pfx password will be asked.
Transform the *.pem file to a *.pvk file. This pvk
file will be our private key. Along with the spc, it will be used to sign
our CAB file.
-in <insert pem file path> -topvk -out <insert new pvk file path>
This is what we require. We only need the spc and pvk
files, so we can delete the other data files if we want.
Now we sign the code using the signcode.exe utility with the
help of spc and pvk files.
The following can be
kept in batch file and executed
-spc <insert spc file> -v <insert pvk file> -n
"%Product%" -t "%TimeURL%" "%File%"
We can verify the signature by opening
the properties of the signed file, and clicking the Digital Signatures tab. If
there is no Digital Signatures tab, then there is something wrong that we
have done in our procedure.
If everything goes right,
then we have our code digitally signed by Ascertia CA and we can go and use our
activeX to install in our IE 6 and IE 7 browsers.
It really proved helpful to me to test my ActiveX Component for IE 7 Browser. Hope it proves useful to you guys too.