如何在Windows上创建用于代码签名的自签名证书? [英] How do I create a self-signed certificate for code signing on Windows?

查看:577
本文介绍了如何在Windows上创建用于代码签名的自签名证书?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

如何使用Windows SDK中的工具创建用于代码签名的自签名证书?

解决方案

更新的答案



如果您使用以下Windows版本或更高版本:Windows Server 2012,Windows Server 2012 R2或Windows 8.1,则 MakeCert已被弃用,Microsoft建议使用 PowerShell Cmdlet New-SelfSignedCertificate



如果您使用的是Windows 7等旧版本,则需要坚持使用MakeCert或其他解决方案。有些人建议 公共密钥基础架构Powershell(PSPKI)模块



原始答案



尽管您可以创建自签名代码签名证书(SPC-软件发布者证书),我更愿意执行以下操作:



创建自签名证书颁发机构(CA)



  makecert -r -pe -n CN = My CA -ss CA -sr CurrentUser ^ 
 -a sha256 -cy授权-sky签名-sv MyCA.pvk MyCA.cer

(^ =允许批处理命令行换行)



这将创建一个带有可导出私钥(-pe)的自签名(-r)证书。名为我的CA,应放在当前用户的CA存储中。我们正在使用 SHA-256 算法。密钥用于签名(-sky)。



私钥应存储在MyCA.pvk文件中,证书应存储在MyCA.cer文件中。 / p>

导入CA证书



因为如果您不信任CA证书没有任何意义,您需要将其导入Windows证书存储区。您可以使用证书 MMC管理单元,但是可以从命令行使用:

  certutil -user -addstore根MyCA.cer



创建代码签名证书(SPC)



  makecert -pe -n CN = My SPC -a sha256 -cy end ^ 
 -sky signature ^ 
 -ic MyCA。 cer -iv MyCA.pvk ^ 
 -sv MySPC.pvk MySPC.cer

这是



我们还将要转换发行人的密钥和证书(-ic和-iv开关)。证书和PFX文件中的密钥:

  pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx

如果要保护PFX文件,请添加-po开关,否则PVK2PFX创建的PFX文件不包含



使用证书作为签名代码



  signtool sign / v / f MySPC.pfx ^ 
 / t http://timestamp.url MyExecutable.exe

查看为什么时间戳很重要



如果您将PFX文件导入证书存储(可以使用PVKIMPRT或MMC管理单元),您可以按以下方式对代码进行签名:

  signtool sign / v / n Me / s SPC ^ 
 / t http://timestamp.url MyExecutable.exe

某些可能的时间戳 signtool / t 的URL为:




  • http: //timestamp.verisign.com/scripts/timstamp.dll

  • http://timestamp.globalsign.com/scripts/timstamp .dll

  • http://timestamp.comodoca.com/authenticode



完整的Microsoft文档





下载



对于那些不是.NET开发人员的人,您将需要Windows SDK和.NET框架的副本。当前链接可在此处找到: SDK和.NET (将makecert安装在 C:\Program Files\Microsoft SDKs\Windows\v7.1 中)。您的里程可能会有所不同。



MakeCert可从Visual Studio命令提示符中获得。 Visual Studio 2015确实具有此功能,可以从Windows 7的开始菜单中的 VS 2015开发人员命令提示符或 VS2015 x64本机工具命令提示符(可能它们都在同一个文件夹中)启动。


How do I create a self-signed certificate for code signing using tools from the Windows SDK?

解决方案

Updated Answer

If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate.

If you're using an older version such as Windows 7, you'll need to stick with MakeCert or another solution. Some people suggest the Public Key Infrastructure Powershell (PSPKI) Module.

Original Answer

While you can create a self-signed code-signing certificate (SPC - Software Publisher Certificate) in one go, I prefer to do the following:

Creating a self-signed certificate authority (CA)

makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser ^
         -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer

(^ = allow batch command-line to wrap line)

This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA-256 algorithm. The key is meant for signing (-sky).

The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.

Importing the CA certificate

Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snapin, but from the command line:

certutil -user -addstore Root MyCA.cer

Creating a code-signing certificate (SPC)

makecert -pe -n "CN=My SPC" -a sha256 -cy end ^
         -sky signature ^
         -ic MyCA.cer -iv MyCA.pvk ^
         -sv MySPC.pvk MySPC.cer

It is pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).

We'll also want to convert the certificate and key into a PFX file:

pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx

If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.

Using the certificate for signing code

signtool sign /v /f MySPC.pfx ^
              /t http://timestamp.url MyExecutable.exe

(See why timestamps may matter)

If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snapin), you can sign code as follows:

signtool sign /v /n "Me" /s SPC ^
              /t http://timestamp.url MyExecutable.exe

Some possible timestamp URLs for signtool /t are:

  • http://timestamp.verisign.com/scripts/timstamp.dll
  • http://timestamp.globalsign.com/scripts/timstamp.dll
  • http://timestamp.comodoca.com/authenticode

Full Microsoft documentation

Downloads

For those who are not .NET developers, you will need a copy of the Windows SDK and .NET framework. A current link is available here: SDK & .NET (which installs makecert in C:\Program Files\Microsoft SDKs\Windows\v7.1). Your mileage may vary.

MakeCert is available from the Visual Studio Command Prompt. Visual Studio 2015 does have it, and it can be launched from the Start Menu in Windows 7 under "Developer Command Prompt for VS 2015" or "VS2015 x64 Native Tools Command Prompt" (probably all of them in the same folder).

这篇关于如何在Windows上创建用于代码签名的自签名证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆