Using Tools to Sign and Test Code

MakeCert, Cert2SPC, and Signcode are tools you can use to sign and test code. These tools are available in the \Program Files\IEAK\Reskit\Tools folder of this IEAK Resource Kit. You can find additional resources in the Microsoft Internet Client SDK.

MakeCert

Use the MakeCert test program to generate a test X.509 certificate. MakeCert performs the following tasks:

  1. Creates a public/private key pair for digital signatures.
  2. Associates the key pair with a publisher's name that you choose.
  3. Creates an X.509 certificate, signed by the test root key or one you specify, that binds your name to the public part of the key pair. The certificate is output to a file, a system certificate store, or both.

The syntax for MakeCert is as follows:

MakeCert [basic options | extended options] [outputFile]

outputFile is optional: omit it when the certificate is written only to a certificate store (as in Example 2 below).

MakeCert provides basic options and extended options. Basic options are the options most commonly used to create a certificate. Extended options provide more flexibility. The options for MakeCert are also divided into three functional groups:

  1. Options applicable to SPC-file, private-key, and certificate store technology
  2. Options specific to SPC-file and private-key technology only
  3. Options specific to certificate store technology only

Options in Groups 2 and 3 cannot be mixed, with the exception of the -ic option.

MakeCert Internet Explorer 4.0 Examples

The following examples show how to create certificates with MakeCert using the Internet Explorer 4.0 options.

Example 1

Make a certificate issued by the default test root. Save the certificate to a file.

MakeCert myNew.cer 

Example 2

Make a certificate issued by the default test root. Save it to a certificate store.

MakeCert -ss myNewStore 

Example 3

Make a certificate issued by the default test root. Create a .pvk file and output the certificate to both a store and a file.

MakeCert -sv myNew.pvk -ss myNewStore myNew.cer 

Example 4

Make a certificate issued by the default test root. Create a key container and output the certificate to both a store and a file.

MakeCert -sk myNewKey -ss myNewStore myNew.cer 

Example 5

Make a certificate using the default test root. Save the certificate to a store. Then make another certificate using the newly created certificate. Save the second certificate to another store.

MakeCert -sk myNewKey -ss myNewStore
MakeCert -is myNewStore -ss anotherStore 

Example 6

Make a certificate using the default test root. Save the certificate to the "my" store. Then make another certificate using the newly created certificate. Because there is more than one certificate in the "my" store, identify the first certificate by its common name (-in).

MakeCert -sk myNewKey -n "CN=XXZZYY" -ss my
MakeCert -is my -in "XXZZYY" -ss anotherStore 

Example 7

Make a certificate using the default test root. Save the certificate to the "my" store and to the file myNew.cer. Then make another certificate using the newly created certificate. Because there is more than one certificate in the "my" store, uniquely identify the first certificate by its certificate file (-ic myNew.cer); a common name need not be unique, but the file pins down exactly one certificate.

MakeCert -sk myNewKey -n "CN=XXZZYY" -ss my myNew.cer
MakeCert -is my -ic myNew.cer -ss anotherStore 

Example 8

Create a self-signed certificate (the -r option makes the certificate its own issuer, so the default test root is not involved) and save it to a store named myNewRoot. Then use SignCode to sign a file with the certificate from that store.

MakeCert -sk myNewRootKey -r -ss myNewRoot
SignCode -s myNewRoot myControl.exe 

Example 9

Create a self-signed certificate and save it both to the ca system certificate store and to the file myNewRoot.cer. Then make a certificate issued by that root, save it to the myNewSign store, and sign some code with it.

When SignCode uses a certificate in a store for signing, it also builds a certificate chain from the signing certificate to a root. Every certificate in that chain must be in one of the my, ca, spc, or root certificate stores, or chain building fails and the file is not signed. In this case, the root is in the ca certificate store.

MakeCert -sk myNewRootKey -r -ss ca myNewRoot.cer
MakeCert -is ca -ic myNewRoot.cer -ss myNewSign 
SignCode -s myNewSign myControl.exe

Cert2SPC

After you have generated a certificate, you can create an SPC (Software Publisher Certificate) by using the Cert2SPC program. This program wraps one or more X.509 certificates into a PKCS #7 signed-data object. Note that this program is for test purposes only. A valid SPC is obtained from a CA.

The syntax for Cert2SPC is as follows:

Cert2SPC cert1.cer cert2.cer. . .certN.cer output.spc

where cert1.cer through certN.cer are the X.509 certificate files to include and output.spc is the SPC file to create.

Here is an example:

Cert2SPC MyCert.cer MyCert.spc 

This wraps the X.509 certificate MyCert.cer into a PKCS #7 SPC called MyCert.spc.

SignCode

The final step is to sign the file by using the SignCode program. This program does the following:

  1. Creates a cryptographic digest of the file.
  2. Signs the digest with your private key.
  3. Copies the X.509 certificates from the SPC into a new PKCS #7 signed-data object. The PKCS #7 object contains the serial numbers and issuers of the certificates used to create the signature, the certificates, and the signed digest information.
  4. Embeds the object into the file.
  5. Adds a timestamp to the file (optional). A timestamp should always be added when signing a file: the timestamp proves that the signature was made while the certificate was valid, so the signature still verifies after the certificate expires. SignCode can also add a timestamp to a previously signed file, subject to some restrictions (see the examples that follow the options table).
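The three tools run back to back, as an added example that is not from the IEAK Resource Kit. It assumes MakeCert, Cert2SPC and SignCode are on the PATH, that ChkTrust from the Internet Client SDK is available for the final check, and that the file and certificate names (myControl.exe, myTest.pvk, myTest.cer, myTest.spc), the description, and the information and timestamp URLs are placeholders you replace. The SignCode options -spc, -v, -n, -i and -t come from SignCode's option table, not from the MakeCert examples above.

```batch
@echo off
rem Added example (not from the IEAK Resource Kit): end-to-end test signing.
rem Assumes MakeCert, Cert2SPC and SignCode are on the PATH (for example
rem \Program Files\IEAK\Reskit\Tools) and that ChkTrust from the Internet
rem Client SDK is available. Everything produced here chains to the test
rem root, so the result is for testing only and must not be shipped.
setlocal
set TARGET=myControl.exe
rem Placeholder timestamp service URL; substitute the one your CA operates.
set TSURL=http://timestamp.example.com/timestamp
if not exist "%TARGET%" (echo Missing %TARGET% & goto :fail)

rem 1. Test certificate issued by the default test root (compare Example 3).
rem    -sv writes the new private key to a .pvk file; MakeCert prompts for a
rem    password to protect it. Keep the .pvk out of the build's output tree.
MakeCert -sv myTest.pvk -n "CN=Test Publisher (test root, do not trust)" myTest.cer || goto :fail

rem 2. Wrap the certificate in a PKCS #7 signed-data object (the SPC).
rem    With a CA-issued certificate you list the chain here as well, e.g.
rem    Cert2SPC publisher.cer intermediate.cer publisher.spc
Cert2SPC myTest.cer myTest.spc || goto :fail

rem 3. Digest the file, sign the digest with the .pvk key, embed the PKCS #7
rem    object and timestamp it in one step. -n and -i are the description and
rem    information URL shown in the browser's certificate dialog.
SignCode -spc myTest.spc -v myTest.pvk -n "Test Control" -i http://example.com/ -t %TSURL% "%TARGET%" || goto :fail

rem 4. Check the result. ChkTrust verifies the embedded signature and reports
rem    the chain status; a chain ending at the test root is expected to be
rem    reported as untrusted until the test root is enabled on the machine.
ChkTrust "%TARGET%"
echo Signed %TARGET%
endlocal
exit /b 0

:fail
echo Signing step failed (error %ERRORLEVEL%)
endlocal
exit /b 1
```

Each external command is followed by `|| goto :fail` so a failure in MakeCert or Cert2SPC stops the script before SignCode runs against a missing or half-built SPC; a build script that ignores those exit codes can ship an unsigned file while reporting success.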

The syntax for SignCode is as follows:

SignCode [options] [fileName]

where: