如何使用代码签名证书签名ActiveX控件并成为已验证的发布者? [英] How can I sign an ActiveX control with a code signing certificate and be a verified publisher?
问题描述
我试图用Thawte签发的代码签名证书签署一个ActiveX控件。我可以使用signtool.exe成功地签署控件。
当我看到文件属性,它说签名中的证书无法验证。
当我查看证书时,表示Windows没有足够的信息来验证证书。
在证书路径选项卡上,它显示找不到此证书的颁发者。
在Internet Explorer中,证书被识别为已签名,但用户收到警告
我已经尝试创建一个包含我的证书的单个PFX文件,以及链接到我的Thawte开发人员证书的根证书和中间证书,然后使用该PFX文件重新签名控件。没有骰子。
有任何建议吗?
正确的过程 - 使用包含根证书,中间证书,开发人员证书和私钥的PFX文件进行签名。另外,使用时间戳服务器。我的问题是,我的PFX中包含错误的根证书,因此用于签名的证书不能链接回根。
根据请求,这里是有关如何创建PFX文件的信息。以下我使用的cert2spc和pvk2pfx也在平台SDK中。
cert2spc certpath1.cer certpath2.cer certpath3.cer codesign .spc
.cer文件列表包括根证书,中间名和代码签名证书, codesign.spc是输出文件。然后:
pvk2pfx -pvk privkey.pvk -spc codesign.spcpre>
以这种方式运行pvk2pfx启动一个向导,提示输入私钥密钥,输出文件的位置和输出文件的密码。 p>
最后,signtool会执行实际的代码签名:
signtool sign / f my_certificates.pfx / p my_passphrase / t http://timestamp.verisign.com/scripts/timstamp.dll my_activex_control.ocx
回想起来,我可能通过使用signcode.exe(也就是我认为是.NET SDK的一部分)直接使用.spc和.pvk文件的代码签名向导来节省时间。
I'm trying to sign an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe.
When I look at the file properties, it says "The certificate in the signature cannot be verified."
When I view the certificate it says "Windows does not have enough information to verify the certificate."
On the certification path tab, it says "The issuer of this certificate cannot be found."
In internet explorer, the certificate is recognized as signed but the user receives warnings that the publisher is not verified.
I've tried creating a single PFX file containing my certificate along with the root and intermediate certificates that chain to my Thawte developer certificate, and then re-signing the control using that PFX file. No dice.
Any suggestions?
解决方案The question actually contains the correct procedure-- do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key. Also, use a timestamp server. My problem was that I had the wrong root certificate included in my PFX, so the certificate used to sign couldn't chain back to the root.
By request, here's the information about how to create the PFX file. The cert2spc and pvk2pfx that I use below are also in the platform SDK.
cert2spc certpath1.cer certpath2.cer certpath3.cer codesign.spcWhere the list of .cer files includes the root, intermediate, and code signing certificates, and codesign.spc is the output file. Then:
pvk2pfx -pvk privkey.pvk -spc codesign.spcRunning pvk2pfx in this manner starts a wizard that prompts for the private key passphrase, and the location of the output file, and the passphrase for the output file.
Finally, signtool does the actual code signing:
signtool sign /f my_certificates.pfx /p my_passphrase /t http://timestamp.verisign.com/scripts/timstamp.dll my_activex_control.ocxIn retrospect, I might have saved time by using signcode.exe aka the Code Signing wizard (which I think is part of the .NET SDK) which uses .spc and .pvk files directly.
这篇关于如何使用代码签名证书签名ActiveX控件并成为已验证的发布者?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
