Make your own certificate for signing files?


Question

Is there any way to make your own signing certificate in order to sign files such as installation packages?

Is the problem that the certificate supplier has to be a trusted source with Windows, otherwise you will get warning messages?

Recommended answer

If you have basic knowledge about PKI and X.509 you can do it with openssl.

OpenSSL has a preconfigured CA.pl or CA.sh script that may be used to set up your CA and generate certificates with minimal configuration.

Main commands are:

# generate CA (need to do it only once)
CA.sh -newca
# create certificate request
openssl req -new -keyout user.key -out user.req -config yourconf.cnf
# sign request by CA
openssl ca -policy policy_anything -config yourconf.cnf -out user.pem -infiles user.req
# convert it into a PKCS#12 (pfx) container that can be used by various software
openssl pkcs12 -export -in user.pem -inkey user.key -out user.p12 -name user -caname your_ca_name -chain -CAfile ./demoCA/cacert.pem

yourconf.cnf is a main config file based on the default openssl.cnf included with OpenSSL. To make your certificate suitable for code signing, you should specify it in the permitted key usage fields like this (it will limit your certificate to code-signing only):

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning  
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning

To use this certificate in Windows, you should install your CA certificate into the Windows certificate store as a CA authority. You must do it on every workplace where you want to validate signatures on your files.
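
The answer's steps end to end, as an added example that is not part of the original answer: it builds a throwaway CA, issues a certificate with the [ usr_cert ] extensions shown above, then confirms the certificate chains to the CA, carries only the Code Signing EKU, and is refused for TLS server use. It swaps CA.sh / `openssl ca` for `openssl x509 -req` so no demoCA directory is needed; the function names, file names, subject names and the [ v3_ca ] section are assumptions.

```shell
# Added example: throwaway CA plus a code-signing leaf, then checks on the result.
# File names and subject names are constructed for this demo.
make_demo_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Self-signed CA; stands in for `CA.sh -newca`.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/pki.cnf" \
        -extensions v3_ca -subj "/CN=Demo Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Key and certificate request for the signer.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=Demo Code Signer" \
        -keyout "$dir/user.key" -out "$dir/user.req" 2>/dev/null || return 1
    # CA signs the request, applying the answer's [ usr_cert ] extensions.
    openssl x509 -req -in "$dir/user.req" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -days 30 -extfile "$dir/pki.cnf" -extensions usr_cert \
        -out "$dir/user.pem" 2>/dev/null
}

# Succeeds only if the leaf chains to the CA and its EKU is exactly Code Signing.
check_codesign_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/user.pem" >/dev/null 2>&1 || return 1
    eku=$(openssl x509 -in "$1/user.pem" -noout -text |
          grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//')
    [ "$eku" = "Code Signing" ]
}

# The EKU restriction in action: the same cert must be refused for TLS server use.
rejected_for_tls() {
    ! openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/user.pem" >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo" && check_codesign_cert "$demo" &&
    rejected_for_tls "$demo" && echo "issued certificate is code-signing only"
rm -rf "$demo"
```

The checks here use OpenSSL's own verifier; Windows makes its trust decision from its certificate store, as the answer describes.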
