How do I create a self-signed certificate for code signing on Windows?


Question

How do I create a self-signed certificate for code signing using tools from the Windows SDK?

Answer

Updated Answer

If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1, then MakeCert is now deprecated, and Microsoft recommends using the PowerShell cmdlet New-SelfSignedCertificate.

If you're using an older version such as Windows 7, you'll need to stick with MakeCert or another solution. Some people suggest the Public Key Infrastructure PowerShell (PSPKI) module.

While you can create a self-signed code-signing certificate (SPC - Software Publisher Certificate) in one go, I prefer to do the following:

makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser ^
         -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer

(^ = allow batch command-line to wrap line)

This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA-256 algorithm. The key is meant for signing (-sky).

The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.

Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snap-in, but from the command line:

certutil -user -addstore Root MyCA.cer

Create the code-signing certificate (SPC):

makecert -pe -n "CN=My SPC" -a sha256 -cy end ^
         -sky signature ^
         -ic MyCA.cer -iv MyCA.pvk ^
         -sv MySPC.pvk MySPC.cer

It is pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).

We'll also want to convert the certificate and key into a PFX file:

pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx

If you are using a password, use the following:

pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx -po fess

If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.

signtool sign /v /f MySPC.pfx ^
              /t http://timestamp.url MyExecutable.exe

(Learn why timestamps matter.)

If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snap-in), you can sign code as follows:

signtool sign /v /n "Me" /s SPC ^
              /t http://timestamp.url MyExecutable.exe

Some possible timestamp URLs for signtool /t are:

  • http://timestamp.verisign.com/scripts/timstamp.dll
  • http://timestamp.globalsign.com/scripts/timstamp.dll
  • http://timestamp.comodoca.com/authenticode
  • http://timestamp.digicert.com

MakeCert is available from the Visual Studio Command Prompt. Visual Studio 2015 does have it, and it can be launched from the Start Menu in Windows 7 under "Developer Command Prompt for VS 2015" or "VS2015 x64 Native Tools Command Prompt" (probably all of them in the same folder).
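The answer points newer Windows versions at New-SelfSignedCertificate but only shows the MakeCert commands. The script below is an added example, not part of the original answer, that reproduces the same two-step flow (a private CA, then a code-signing leaf issued by it, trusted for the current user only, exported to a password-protected PFX, and used to sign and verify a file) with the PKI cmdlets. It assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1, a writable current directory, and placeholder names (My CA, My SPC, MyCA.cer, MySPC.pfx, MyScript.ps1); the -TextExtension value for basic constraints and the interpretation of an UnknownError verification status are my own assumptions, not statements from the answer.

```powershell
# Added example (not from the original answer): New-SelfSignedCertificate equivalent of the
# makecert / certutil / pvk2pfx / signtool sequence above. Assumes PowerShell 5.1+ on
# Windows 10 / Server 2016 or later with the PKI module; all names are placeholders.
$ErrorActionPreference = 'Stop'

# 1. Private CA: CertSign key usage plus a basic-constraints extension (OID 2.5.29.19)
#    marking it as a CA that may not issue further CAs. Kept separate from the signing
#    cert, mirroring the answer's "My CA" / "My SPC" split.
$ca = New-SelfSignedCertificate -Subject "CN=My CA" `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0") `
    -NotAfter (Get-Date).AddYears(5)

# 2. Leaf code-signing certificate: -Type CodeSigningCert adds the Code Signing EKU,
#    -Signer plays the role of makecert's -ic/-iv (issuer cert and key).
$spc = New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=My SPC" `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm sha256 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# 3. Trust the CA for the current user only (equivalent of certutil -user -addstore Root).
#    Windows shows a confirmation dialog when a root is added; that prompt is expected.
Export-Certificate -Cert $ca -FilePath .\MyCA.cer | Out-Null
Import-Certificate -FilePath .\MyCA.cer -CertStoreLocation "Cert:\CurrentUser\Root" | Out-Null

# 4. Export the leaf with its private key as a password-protected PFX (equivalent of pvk2pfx -po).
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $spc -FilePath .\MySPC.pfx -Password $pfxPassword | Out-Null

# 5. Sign a constructed sample file with a timestamp (the answer's digicert URL) and verify it.
#    Set-AuthenticodeSignature also handles .exe/.dll; signtool remains the tool for catalogs/drivers.
Set-Content -Path .\MyScript.ps1 -Value 'Write-Output "signed sample"'
$sig = Set-AuthenticodeSignature -FilePath .\MyScript.ps1 -Certificate $spc `
    -HashAlgorithm SHA256 -TimestampServer "http://timestamp.digicert.com"
$check = Get-AuthenticodeSignature -FilePath .\MyScript.ps1
"Sign status: $($sig.Status); verify status: $($check.Status); signer: $($check.SignerCertificate.Subject)"
# Both statuses should read Valid once MyCA.cer is in CurrentUser\Root. In my experience an
# UnknownError status with a "terminated in a root certificate which is not trusted" message
# means step 3 did not take effect (assumption, not from the answer).
```

Two points worth checking after running this. First, the CA's private key is still sitting in Cert:\CurrentUser\My; anything running as that user can issue further certificates that the machine now trusts, so for anything beyond a throwaway test export the CA key to protected storage and remove the store copy once the leaf is issued. Second, the trust was added under CurrentUser, not LocalMachine, which matches the answer's certutil -user and keeps the blast radius of a leaked test CA to one account.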
