How to create PFX with my chain of certificates?


Problem description



I'm applying a digital signature to my executable. Using signtool on Windows XP or Windows Vista:

>signtool.exe sign /f "avatar.pfx" MyApp.exe

automatically included the entire certification chain in the digital signature.

Starting with Windows 7 the entire certification chain is no longer included. You must manually include the certificate that:

  • signed your key
  • signed the certificate that signed your key
  • ...
  • ...until there are no more certificates to include

I am told that I have to do this using the /ac switch with the signtool utility.

From MSDN documentation of signtool:

/ac FileName
Specifies a file that contains an additional certificate to add to the signature block.

How do I get the filename of the certificate that signed my certificate?

It's more confusing because I don't have any such file. I have my digitally signed executable with no embedded certification chain:


Stackoverflow user davidcl had the same question. In this self-answered answer he says that i need to

do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key.
After creating the appropriate PFX file - which was an odyssey in itself...

But he doesn't give how he created the PFX that contains the entire certification chain.



Solution

Install OpenSSL for Windows. Once accomplished, you have the openssl.exe executable somewhere on your system.

Now proceed as follows.

  1. openssl pkcs12 -in avatar.pfx -out avatar.pem -nodes

(You need to enter the .pfx password here)

  2. openssl pkcs12 -in avatar.pfx -out mycert.pem -nodes -clcerts

(again the PW)

  3. openssl x509 -in mycert.pem -out mycert.cer -outform DER

Now open your Explorer and double-click on the mycert.cer. View the details and somewhere it will talk about an issuer. This is the company that issued your key store, your next goal is to get their intermediate certificates and the final root certificate. If you are lucky, there is an extension called "Authority Information Access" in your certificate that tells you where to get the issuing certificate directly. If you are not so lucky, then you will find a URL for OCSP access in the "Authority Information Access" or a URL for CRLs in the extension "CRL Distribution Points". These should at least give you a vague idea of the vendor's "homepage". In case of doubt, just google around, or ask me again :)

If you are on the vendor's page, you will have to watch out for "CA certificates" or "Intermediate Certificates". You need to download the one whose name is exactly the same as what you found in the "Issuer" field of your own certificate.

Now the funny part: The certificate you just found will again have an "Issuer" field. Lucky you if the issuer is the same company (typically the case for large CAs such as VeriSign), then you will find the corresponding certificate on the same site you are currently on. If not, repeat the previous steps.

Repeat this cumbersome procedure until you're at a point where you have found a certificate whose "Subject" field is exactly the same as its "Issuer" field. You're done then. This is a so-called "self-signed root certificate".

Most of these certificates will come in "DER"/"ASN.1"/"X.509" format - if you have the choice, download "PEM" format, otherwise you will first need to convert the certificates into "PEM" format by

openssl x509 -in cert.der -inform DER -out cert.pem

Once you have all the missing certificates in PEM format

  1. open the initial file created in step 1, avatar.pem, in a text editor.

  2. open the missing certificate PEM files in separate windows

  3. copy the missing certificates (the entire file, including the "----- BEGIN CERTIFICATE -----" and "----- END CERTIFICATE -----") and append them to avatar.pem

  4. save the result

  5. issue

openssl pkcs12 -export -in avatar.pem -out newavatar.pfx -name ""

You will have to enter a new password that is to be used with the new file.
