Using a pfx file to sign and verify using signtool.exe - wix

I am trying to sign one of my WIX EXEs using signtool. When I create a certificate and install it to the Windows certificate store, I can easily verify the EXE using signtool. But when I try to create a PFX file and sign with it, it gets signed successfully. But when I try to verify it, it throws the error below.
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of errors: 1
I tried using a certificate chain and signing using the commands mentioned in the answer of https://social.msdn.microsoft.com/Forums/sqlserver/en-US/da5d1aef-5dbc-4400-8972-fef4d7139d99/where-windows-sdk-tools-like-cert2spcexe-and-pvk2pfxexe-go?forum=windowssdk. But that results in the same error as well. My requirement is to sign and verify using a PFX file using signtool. I cannot use Windows Store. Any help would be much appreciated.

The method described in http://msdn.microsoft.com/en-us/library/ff699202.aspx creates a self signed test certificate. A self signed test certificate is not signed by a trusted 3rd party, so you get the error "A certificate chain could not be built to a trusted root authority." when trying to verify the file signed by the certificate.
If you want to fix the error you will need to obtain a code signing certificate from a certificate authority. Usually for a fee.
When you purchase a code signing certificate, the certifying authority takes certain steps to verify your identity. If those steps are passed, the certifying authority issues you a certificate signed by their private key. Their private key is kept secret. When you verify the signed file, the verification process extracts the code signature from the signed file and validates it against one of the known public keys provided by all of the certifying authorities.
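The round trip described in the question and the answer, added here as a worked example (this is not code from the answer): a self-signed test certificate is exported to a PFX, signtool signs directly from that PFX, and verification is run both with signtool and from PowerShell. The file names, the password and the timestamp server are assumptions for the demo; signtool.exe from the Windows SDK must be on PATH.

```powershell
# Added example; not the answer's code. Assumed: signtool.exe on PATH,
# .\Setup.exe is the WiX output to sign, 'ChangeMe' is the PFX password,
# timestamp.digicert.com stands in for any reachable RFC 3161 timestamp server.
$exePath   = '.\Setup.exe'
$pfxPath   = '.\test-codesign.pfx'
$pfxPass   = 'ChangeMe'
$pfxSecret = ConvertTo-SecureString $pfxPass -AsPlainText -Force

# 1. Self-signed test certificate: Subject equals Issuer, so it is its own root
#    and nothing in Trusted Root Certification Authorities vouches for it.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject 'CN=Test Code Signing' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable -HashAlgorithm SHA256
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxSecret | Out-Null

# 2. Sign straight from the PFX, no store involved. /fd selects the file digest;
#    /tr and /td add an RFC 3161 timestamp so the signature outlives the certificate.
& signtool.exe sign /f $pfxPath /p $pfxPass /fd SHA256 `
    /tr http://timestamp.digicert.com /td SHA256 $exePath

# 3. Verify under the default Authenticode policy (/pa) and print the chain (/v).
#    With the test certificate this exits non-zero: the chain ends in a root that
#    is not in the Trusted Root store. A CA-issued certificate chains to a root
#    Windows already trusts and passes this same command.
& signtool.exe verify /pa /v $exePath
"signtool verify exit code: $LASTEXITCODE"

# 4. The same verdict as an object, usable as a gate in a build script.
$sig = Get-AuthenticodeSignature -FilePath $exePath
"{0}: {1} ({2})" -f $exePath, $sig.Status, $sig.StatusMessage
"Signer : " + $sig.SignerCertificate.Subject
"Issuer : " + $sig.SignerCertificate.Issuer
```

Two practitioner notes. `/p` puts the PFX password on the command line, where it shows up in process listings and build logs; for anything beyond a test, keep the key in the certificate store or on an HSM and select it with `/n` or `/sha1` instead. And if a CA-issued PFX contains only the leaf certificate, the verifier may be unable to locate the intermediate at all (the "chain could not be built" case in the question, as opposed to "built but untrusted"), so either include the issuer certificates in the PFX or pass them with `/ac` so they are embedded in the signature block.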

Related

Is it wrong to import a self-signed certificate to "Trusted Root Certification Authorities" store?

I have created a self-signed certificate to sign my program.
I noticed that importing the certificate using:
certutil.exe -addstore root "Tmp.crt"
Makes UAC warnings "more friendly" (showing the publisher name) without paying hundreds to Certificate Authorities.
My program is dedicated for a small group of people. Is it safe to create a prompt asking users if they want to install the certificate to the "Trusted Root Certification Authorities" store? Assuming they already trust the program enough to allow starting with administrative permissions.
If they import and trust your self-signed certificate, they are explicitly asked to trust you.
If you use a code signing certificate from an "official" (= paid-for) certificate authority, they are not asked to trust you explicitly, but they trust your certificate implicitly through that certificate authority. They have never been asked if they trust that authority, because it's trusted by the operating system for them.
As a consequence, I can't see how asking to trust your self-signed certificate would be more unsafe than relying on someone else's decision to trust a certificate authority. The only downside is that the user might be disconcerted by being asked something they are not usually asked.
You can increase security by making your program check the certificate it's been signed with to make sure it's indeed the one you self-signed.
It's not wrong but it could be unsafe if they are not getting your application from a trusted source. You could instead request a free certificate from the Let's Encrypt project. Here is a link to their getting started page:
Let's Encrypt Getting Started
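A concrete form of the self-check the first answer suggests, added here as an example (this is not code from either answer): the program refuses to run unless it, or a component it loads, was signed by one specific certificate identified by thumbprint. A subject name is not a safe pin, since anyone can mint a self-signed certificate with the same CN; the thumbprint is. `$ExpectedThumbprint` is a placeholder to be replaced with the real value.

```powershell
# Added example; not from the answers above. Pin the signer's thumbprint so a
# file signed by any other certificate is rejected, even if the user has
# imported that other certificate into Trusted Root as well.
function Test-PinnedSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # placeholder value below
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is only 'Valid' when the chain reaches a trusted root, i.e. after
    # the user accepted the self-signed certificate into their Root store.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }
    $actual   = $sig.SignerCertificate.Thumbprint
    $expected = $ExpectedThumbprint.Replace(' ', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer thumbprint $actual" }
    }
    [pscustomobject]@{ Ok = $true; Reason = "signed by pinned certificate $actual" }
}

# Usage at the program's entry point: check yourself first ($PSCommandPath is the
# running script), then every component you load the same way.
$check = Test-PinnedSigner -Path $PSCommandPath -ExpectedThumbprint 'PUT-YOUR-THUMBPRINT-HERE'
if (-not $check.Ok) { Write-Error $check.Reason; exit 1 }
$check.Reason
```

Two caveats. The check defends against substitution of a differently signed file; it does not defend against someone who can rewrite the binary and remove the check, so it is a complement to signing, not a replacement. And a certificate placed in Trusted Root Certification Authorities is trusted for every purpose its Enhanced Key Usage allows, so a certificate you ask users to import should carry only the Code Signing EKU (which `New-SelfSignedCertificate -Type CodeSigningCert` sets), never a CA certificate or one without EKU restrictions.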

Add Service Reference in VS19 that requires authentication with client certificate

How do I add a Connected Service that requires a Certificate?
I need to call a SOAP API developed by another company. The company has supplied me with a pfx-file based on a cer-file I've created. I've installed the certificate in "Trusted Root Certification Authorities" (in local computer and current user) using the supplied password. But when I try to add a WCF Web Service Provider either through the URL or the wsdl-file I get the error: "Could not create SSL/TLS secure channel", and the addition of the service is abandoned.
When I contacted the company they asked me to check if the certificate was installed correctly by calling the API from SOAP UI (adding a jks-file they gave me) - this works fine. They could not be of further assistance.
I'm writing an ASP.NET Core web application using .NET Core 3.0 in VS19.
I'll have to mention that this is my first practical encounter with certificates and the question might be somewhat imprecise.
The PFX might contain more than one certificate.
Are you sure you created a .cer (Certificate) and not a .csr (Certificate Signing Request)?
Nonetheless, the certificate must be in the Personal store and the certificate that issued it must be placed into Trusted Root Certification Authorities (if it is the last one in the chain).
Here is an example (I ran certlm.msc and clicked the end entity certificate):
Sectigo is the root certificate and goes to Trusted Root Certification Authorities
COMODO RSA ... is the intermediate certificate and goes to Intermediate Certification Authorities
Daniel... is the end entity certificate and goes to Personal
I recommend to import into Personal and then move (drag-drop) the certificates.
For the end entity there must be a private key associated, which can be identified by the key icon.
Microsoft also provides some documentation on the topic: https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648360(v=pandp.10)?redirectedfrom=MSDN
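The store layout the answer describes, done from PowerShell as an added example (not the answer's own code): the PFX is opened to see what it contains, imported into Personal, the issuer certificates are moved to Intermediate/Root, and the end entity is checked for a private key and for a chain usable for client authentication. The PFX path and password are placeholders.

```powershell
# Added example; not the answer's code. $PfxPath and $PfxPassword are placeholders.
param(
    [string]$PfxPath     = '.\client.pfx',
    [string]$PfxPassword = 'ChangeMe'
)
$ErrorActionPreference = 'Stop'
$secret = ConvertTo-SecureString $PfxPassword -AsPlainText -Force

# Look inside first: a PFX from a CA usually holds the end entity plus its issuers.
$pfx = Get-PfxData -FilePath $PfxPath -Password $secret
'End entity : ' + (($pfx.EndEntityCertificates | ForEach-Object { $_.Subject }) -join '; ')
'Other certs: ' + (($pfx.OtherCertificates    | ForEach-Object { $_.Subject }) -join '; ')

# Import into Personal; this is the step that persists the private key.
# Import-PfxCertificate puts every certificate in the file into that one store,
# so the issuers are moved afterwards, which is what the answer recommends.
Import-PfxCertificate -FilePath $PfxPath -Password $secret `
    -CertStoreLocation 'Cert:\CurrentUser\My' | Out-Null

foreach ($issuer in $pfx.OtherCertificates) {
    # Self-signed (Subject equals Issuer) is the root; anything else is an intermediate.
    $storeName = if ($issuer.Subject -eq $issuer.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'CurrentUser')
    $store.Open('ReadWrite'); $store.Add($issuer); $store.Close()
    Remove-Item -Path ('Cert:\CurrentUser\My\' + $issuer.Thumbprint) -ErrorAction SilentlyContinue
    "moved $($issuer.Subject) -> $storeName"
}

# Without its private key (the key icon) the certificate cannot do TLS client auth.
$leaf = Get-Item ('Cert:\CurrentUser\My\' + $pfx.EndEntityCertificates[0].Thumbprint)
if (-not $leaf.HasPrivateKey) { throw "$($leaf.Subject) has no private key: wrong file or wrong store" }

# Ask the chain engine what VS/WCF will ask: does it chain to a trusted root and
# is it valid for client authentication (id-kp-clientAuth)?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"chain builds: $($chain.Build($leaf))"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
```

This uses the CurrentUser stores, which is what Visual Studio running as you will consult; a service running under IIS or a service account needs the same layout under LocalMachine, which requires an elevated shell. Adding a certificate to the current user's Root store through the X509Store API brings up Windows' confirmation dialog, so the script is interactive at that point.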

Chain of trust cannot be added in VBA code

I received a .pfx Code Signing certificate from Sectigo CA.
After I installed it, I signed my VBA Code with said certificate.
When I open the file on a different computer, it can't be verified that it's signed, and when I look into the certificate details, it doesn't show me the chain of trust like on the computer I signed it on.
Is there a way I can add the chain of trust to my vba code?

DocuSign API returns an exception: SSL certificate problem: self signed certificate in certificate chain

I'm developing a Docusign integration with a sandbox account, in my server I have no certificate because it's just a development environment. The API works fine there. But when I uploaded the Docusign feature in a test server, which has a certificate, the API returns the following message:
Caught exception: SSL certificate problem: self signed certificate in certificate chain
I checked the CA in the Microsoft Trusted Root Certificate Program and it isn't there, so maybe this is the problem. But if that's the case, shouldn't the API have returned a different message? I'm positive the server certificate isn't a self signed one, but is there a way to double check that? What should I do about the server certificate?
You will have to get the DocuSign certificate installed on your test server.
You can find all of DocuSign certificates here - https://www.docusign.com/trust/compliance/public-certificates
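The question also asks whether there is a way to double-check what the server certificate actually is. The following is an added example (not part of the answer): it connects to a host, takes the certificate the server presents, and reports which element of the chain, if any, is self-signed and whether the Windows chain engine trusts it. The host name is a placeholder; put in the endpoint the integration really calls.

```powershell
# Added example; not the answer's code. $HostName is a placeholder.
function Get-ServerCertificateReport {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever is presented: we are inspecting the chain, not trusting it.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Let Windows try to build the chain; the elements show every link it used.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain structure is the point here
    $trusted = $chain.Build($leaf)

    [pscustomobject]@{
        Host           = $HostName
        Subject        = $leaf.Subject
        Issuer         = $leaf.Issuer
        LeafSelfSigned = ($leaf.Subject -eq $leaf.Issuer)
        TrustedByOS    = $trusted
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Elements       = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                SelfSigned = ($_.Certificate.Subject -eq $_.Certificate.Issuer)
                Thumbprint = $_.Certificate.Thumbprint
            }
        })
    }
}

$report = Get-ServerCertificateReport -HostName 'api.example.com'   # placeholder host
$report | Format-List Host, Subject, Issuer, LeafSelfSigned, TrustedByOS, ChainStatus
$report.Elements | Format-Table -AutoSize
```

One caveat on reading the result: the wording "self signed certificate in certificate chain" is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, so the library making the API call validates against its own CA bundle, not against the Windows store that this script and the Microsoft Trusted Root Program describe. Compare the chain printed here with the bundle that library uses; a self-signed element that is not the CA's own root means something between the test server and the API is presenting a different chain than the one you expect.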

Why do we need to install digital certificate?

The question may sound a bit stupid but I really want to know this.
When we download a file, say abc.exe, it is digitally signed with some digital certificate of some organisation. Why do we need to install that certificate? What is the use of it? What if we don't install it?
When I run certmgr.msc in my windows system, I see some certificates already installed. What do they mean?
If you get signed material, you may want to verify the signature.
Digital signatures usually are created using a private key and can be verified using the associated public key.
Certificates essentially are transport containers for public keys with some extra information. Thus, to verify signatures you usually need the certificate of the signer.
You install certificates to make them known to your system (to allow for signature verification) and to tell your system to trust material signed by the associated private key.
As having to install certificates by each and every party you want to trust is too much work, certificates can have hierarchies, some root certificate may be the issuer of multiple other certificates, and by trusting that root you implicitly trust those other certificates the root issued.
For more details you may want to ask on https://security.stackexchange.com/.
The RSA algorithm used for encryption is used for digital signatures.
Use of RSA for a signature is as under:
1. First, a message digest is calculated.
2. The private key is used to sign the digest of the message.
3. The signature is appended to the message and transmitted to the recipient.
4. The recipient calculates the digest of the received message.
5. Then, verifying the signature requires extracting the signature from the message and using RSA on the signature with the public key.
6. If the result of the transformation and the newly calculated digest are equal, the signature is valid.
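The six steps carried out end to end, added here as an example (not code from the answer), using .NET's RSA and SHA-256 classes from PowerShell. The message is a constructed sample; the signer and verifier sides are kept separate so that only the public key crosses between them, and a tampered copy is checked at the end to show the failure case.

```powershell
# Added example; not the answer's code. Sample message constructed for the demo.
$message = [System.Text.Encoding]::UTF8.GetBytes('installer build 1.2.3, sha256 of payload goes here')
$sha256  = [System.Security.Cryptography.SHA256]::Create()
$oid     = [System.Security.Cryptography.CryptoConfig]::MapNameToOID('SHA256')

# --- Signer side: holds the private key -----------------------------------
$signer = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$digest    = $sha256.ComputeHash($message)          # step 1: digest of the message
$signature = $signer.SignHash($digest, $oid)        # step 2: private key signs the digest
$publicKey = $signer.ExportCspBlob($false)          # step 3: message + signature + public key travel; $false = public part only

# --- Verifier side: has message, signature and public key, nothing else ----
$verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$verifier.ImportCspBlob($publicKey)
$recomputed = $sha256.ComputeHash($message)                      # step 4: recompute the digest
$valid = $verifier.VerifyHash($recomputed, $oid, $signature)     # steps 5-6: RSA with the public key, compare digests
"signature over original message valid: $valid"

# Failure case: flip one bit of the message; the recomputed digest no longer matches.
$tampered = [byte[]]$message.Clone()
$tampered[0] = $tampered[0] -bxor 1
$stillValid = $verifier.VerifyHash($sha256.ComputeHash($tampered), $oid, $signature)
"signature over tampered message valid: $stillValid"
```

Step 5's "using RSA on the signature with the public key" glosses over padding: `SignHash`/`VerifyHash` wrap the digest in PKCS#1 v1.5 padding before the RSA operation, and the verifier checks that structure as well as the digest bytes. Signing a bare digest with raw RSA is not a secure signature scheme, which is why production code goes through these (or PSS) APIs rather than modular exponentiation directly.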