为签名文件制作自己的证书? [英] Make your own certificate for signing files?

问题描述

有什么方法可以制作自己的签名证书，以便对安装包等文件进行签名?

Is there any way to make your own signing certificate in order to sign files such as installation packages?

问题是证书供应商必须是 Windows 的受信任来源，否则您会收到警告消息?

Is the problem that the certificate supplier has to be a trusted source with Windows otherwise you will get warning messages?

推荐答案

如果你有 PKI 和 X.509 的基本知识，你可以用 openssl 来做.

If you have basic knowledge about PKI and X.509 you can do it with openssl.

Openssl 已预先配置 CA.pl 或 CA.sh 脚本可用于设置您的 CA 并以最少的配置生成证书.

Openssl has preconfigured CA.pl or CA.sh script that may be used to setup your CA and generate certificates with minimal configuration.

主要命令有:

# generate CA (need to do it only once)
CA.sh -newca
# create certificate request
openssl req -new -keyout user.key -out user.req -config yourconf.cnf
# sign request by CA
openssl ca -policy policy_anything -config yourconf.cnf -out user.pem -infiles user.req
# convert it into PKCS#12 (pfx) container, that can be used from various soft
openssl pkcs12 -export -in user.pem -inkey user.key -out user.p12 -name user -caname your_ca_name -chain -CAfile ./demoCA/cacert.pem

yourconf.cnf 是一个主配置文件，基于 openssl 附带的默认 openssl.cnf.要使您的证书适合代码签名，您应该在允许的密钥使用字段中指定它，如下所示(它会将您的证书限制为仅代码签名):

yourconf.cnf is a main config file based on default openssl.cnf included with openssl. To make your certificate suitable for code signing you should specify it in permitted key usage fields like this (it will limit your certificate to code-signing only):

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning  
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning

要在 Windows 中使用此证书，您应该将 CA 证书作为 CA 授权安装到 Windows 证书存储中.您必须在要验证文件标志的每个工作场所执行此操作.

To use this certificate in windows your should install your CA certificate into windows certificate store as CA authority. You must do it on every workplace where you want to validate signs on your files.

这篇关于为签名文件制作自己的证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！