I know this needs Code Signing Certificate. Just wonder if it must be the Code Signing Certificate from VeriSign?
Certification requirements for the Windows Store (Desktop Apps) mandates that files are signed with an Authenticode certificate, but doesn't specify which CA. Based on http://msdn.microsoft.com/en-us/library/windows/desktop/jj256845.aspx I would say that as long as its a reputable code-signing certificate (not self-signed, or a private CA) then it would pass certification.
I think it has to be Verisign, also according to Michael S: https://stackoverflow.com/a/13026302/921282
Also from first hand. I got the next quote when testing with Microsoft development kit. (You get the link to this information only when the test passes without FAILURE. The site is restricted and shows to MS services users only)
WARNING Install signed driver and executable files
"VeriSign Code-Signing Certificates for Microsoft Authenticode ($99 USD)
The Microsoft Authenticode certificate provided by VeriSign is the only accepted method of authentication, file signing, and code-signing. Microsoft will not be able to accept any other authentication method, including GeoTrust authentication required by the Windows Store. "
Related
I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet Portal with which the application communicate. My question is: does signing services generally provide also the certificate for the application either the certificate for the site? Can you sign the application with the same certificate or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You can not sign the application using the same cert as your are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g.: blog.domain.com, www.domain.com, chat.domina.com, static.domain.com...), this depends on the type of certificate you are using.
Also: Please note that you can get free SSL certificates (e.g.: LetsEncrypt provides them, and azure website can use free "managed" certs from microsoft.). However, to my knowledge, there are no free code signing certificates.
How do I add a Connected Service that requires a Certificate?
I need to call a SOAP API developed by another company. The company has supplied me with a pfx-file based on a cer-file I've created. I've installed the certificate in "Trusted Root Certification Authorities" (in local computer and current user) using the supplied password. But when i try to add a WCF Web Service Provider either through the URL or the wsdl-file I get the error: "Could not create SSL/TLS secure channel", and the addition of the service is abandoned.
When I contacted the company they asked me to check if the certificate was installed correctly by calling the API from SOAP UI (adding a jks-file they gave me) - this works fine. They could not be of further assistance.
I'm writing a aps.net core web application and using .net core 3.0 in VS19
I'll have to mention that this is my first practical encounter with certificates and the question might be somewhat in concise.
The PFX might contain more than one certificate.
Are you shure you created a .cer (Certificate) and not a .csr (Certificate signing request)?
Nonetheless, the certificate must be in the personal store and the the certificate that issued it must be place into the Trusted Root Certification Authorities (if it is the last one in the chain).
Here is an example ( i ran certlm.msc and clicked the end entity certificate:
Sectico is the root certificate and goes to Trusted Root Certification Authorities
COMODO RSA ... is the intermediate certificate and goes to Intermediate Certification Authorities
Daniel... is the end entity certificate and goes to Personal
I recommend to import into Personal and then move (drag-drop) the certificates.
For the end entity there must be a private key associated - which can be identified by the key icon:
Microsoft also provides some documentation on the topic: https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648360(v=pandp.10)?redirectedfrom=MSDN
I developed a web service to be consumed by another team.
These were my steps:
developed a web service with jax-ws 2.2.8 and jdk 1.7
deployed the web service to run on Tomcat 7
generated the client classes
created a self-signed server certificate using the jdk's keytool
configured Tomcat to support SSL connection
exported the generated server certificate to a certificate file
imported the server certificate into the truststore file
specified CONFIDENTIAL transport-guarantee in web.xml for the web service's servlet
developed a test client to consume the web service using the client classes
So then the other team started working with it and I was informed that the certificate is not properly signed. Is a self-signed certificate improperly signed? Is that true? I didn't think so. Well I don't want to argue the point. I was informed that they have their own signing authority that is already trusted by most of their system and it was suggested to me that I replace my cert with the one that is signed by the certs displayed in two screenshots that I was provided. I wasn't provided any further information but I guessed the screenshots were taken in Internet Explorer, Tools, Internet Options, Content, Certificates, Intermediate Certification Authorities, then in the list I found a certificate and clicked on View, clicked on Certification Path and my screen matches the screen of the other team member with one exception. His screen displays:
Company Name Root CA
Company Name Issuing CA
teamname.companyname.com
Whereas my screen only displays:
Company Name Root CA
Company Name Issuing CA
I don't see the
team.companyname.com
on my screen and not too sure how that got there or if I need that.
Then I clicked on Details and compared Version, Serial number, Signature algorithm, Signature hash algorithm, Issuer, Valid from, Valid To, Subject and Public key and they are all the same. The rest of the fields are not visible in the screenshot.
So where do I go from here? I am not certain.
According to: Apache Tomcat 7 documentation, Tomcat operates only on JKS, PKCS11 or PKCS12 format keystores.
My questions are these:
1) Should I export the certificate using the Certificate Export Wizard? (I am using Windows 7)
2) If so, should I select the format Personal Information Exchange - PKCS #12 (.PFX)?
3) And if so, which of the following options need to be selected?
Include all certificates in the certification path if possible
Delete the private key if the export is successful
Export all extended properties
Wait! Hold on! I just tried to select Personal Information Exchange - PKCS #12 and it is disabled. Hmmm.
Is there a way to export the certificate from the browser for the purposes of somehow getting a keystore format supported by Tomcat? And I must add that I don't know how to get from point a to point b and any help would be appreciated. And it also concerns me that my certificate doesn't display:
teamname.companyname.com
in
Company Name Root CA
Company Name Issuing CA
teamname.companyname.com
Any ideas/suggestions/feedback would be greatly appreciated as I not too familiar with certificates!
None of the above.
You need to follow the same steps you used to create your self-signed certificate but after you have created your Certificate Signing Request (CSR) you need to give that to the other team to get them to sign it with their Certificate Authority (CA). Then you continue as you did before.
I want to be clear with a question about Sideloading applications for Windows 8 (for use within the company.) Read some articles about it, always write the application before deployment must be cryptographically signed (http://technet.microsoft.com/en-us/library/hh852635.aspx). I found how to sign my app (http://msdn.microsoft.com/ru-RU/library/hh446592%28v=vs.85%29.aspx), but there was a question where to get the key for signature applications. It can be purchased from Verisign, Comodo or a another? If so, what will it take, how much time it takes? Do I understand correctly that the App Packager is not needed for signing app, because the app package generated a Visual Studio, after that you must use CertMgr install the certificate to the domain and sign this certificate application with SignTool? If I'm wrong - please correct me, please
Thank you.
You should be able to generate certificate using Active Directory Certificate Services.
Here is a quick walkthrough on how to generate certificate from AD CS
Active Directory Certificate Services Step-by-Step Guide
If you're doing this without access to AD CS, you may purchase a code signing certificate from any Certificate Authority that offers a RFC3161 timestamping service. The time it takes to get a code signing certificate varies based on how long it takes the certificate authority to verify you are who you say you are.
You will need to manually timestamp the appx file, however, as VS2013 doesn't support using a third party CA's timestamping service when generating appx files. You need to timestamp the appx because otherwise the software will expire the date your code signing certificate expires.
This is how I use the signtool:
signtool sign /fd SHA256 /a /f YourCertKey.pfx /p mypassword /tr http://timestampserver.yourca.com/somepath YourApp.appx
Here is more information on using signtool to sign app packages: http://msdn.microsoft.com/en-us/library/windows/desktop/jj835835(v=vs.85).aspx
If you're attempting to sideload these appx files, you may also need to enable sideload privileges on the computers in question. If you aren't using a domain-joined Windows Enterprise on the client computers, this may involve purchasing side load licenses from Microsoft volume licensing or a partner.
Here is more information about sideloading: http://technet.microsoft.com/en-ca/windows/jj874388.aspx
I am developing an html application where an user has to first login using his digital certificate. After login he has to perform encryption and decryption of data using his digital certificate.
Now in case when the certificate is available in the form of .pfx file then we can just install it and the certificate appears in the container and we can use it during login and during encryption and decryption.
This works fine in case if we have .pfx for our digital certificate.
But now i want to enhance it for etoken's(security token). I dont know much about etoken's. The problem is that how can i use the digital certificate stored in it while login?
Also how should i use the private key stored in it while decryption?
Can anyone please tell me about any tutorials (if any) which will explain the usage of etoken and the CryptoAPI's.
As I mentioned in the answer to your previous question, Windows CSPs map the certificate from hardware to Windows certificate storage, so this is transparent to you. If you can access the certificate via Windows certificate storage API, then you don't need to care where the certificate is actually located.
Note that you can't transfer a private key to the server, i.e. you would have to use a client-side module (either ActiveX or Java applet) that will perform operations locally. This is not specific to certificates on hardware, but also to certificates which have non-exportable private keys.