Generating CodeSigning Certificate Request File

Developer Tools Depending on the type(s) of apps you're developing, you may already have the tools you need to generate a Certificate Request file. However, if you're developing stand-alone application software using tools such as Borland's C++ Builder or Delphi or Microsoft's .Net platform, you may not have acquired (or be familiar with) tools to generate X509 certificate requests. If you currently have an application on your computer which is capable of generating a PKCS#10 format CSR file, simply follow the directions provided with that application. If you don't have such a program on your computer, you may use the CryptGuard Certificate Wizard. This easy-to-use, fill-in-the-blanks utility generates both the cryptographic private/public key-pair and the certificate request file. You can download CryptGuard Certificate Wizard utility program The Certificate Wizard incorporates the OpenSSL executable program developed by the OpenSSL Project. It is dual licensed under a CreativeCommons Attribution-ShareAlike license and the OpenSSL License.

Microsoft Windows XP [Версия 5.1.2600]
(С) Корпорация Майкрософт, 1985-2001.

C:\Documents and Settings\Boss>cd C:\OpenSSL\bin

C:\OpenSSL\bin>openssl req -new -keyout myprivkey.pem -out mynewcert.req -config  openssl.cfg
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
......................................................................................+++
......................................................................................................+++
writing new private key to 'myprivkey.pem'

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Khmelnitska
Locality Name (eg, city) []:Khmelnitsky
Organization Name (eg, company) [Internet Widgits Pty Ltd]:adgrafics inc.
Organizational Unit Name (eg, section) []:SSL department
Common Name (eg, YOUR name) []:adgrafics.ua
Email Address []:admin@adgrafics.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\OpenSSL\bin>

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F59FB85F9715DCA5

ruhFDJrhYGFmQArZmhfTmG2YXV+MFEInvKOszXBZrc+wPtlNV0cLWJZROUpQ/n4/
3IliLutW2HhZqGzJdiYj8FLaqFPPNNW4I0G9XWhpR5EVJJDJQx9YIiG0kLzw8eHq
0QCDVx5kOGwxkH0OcauLi7Su0YnEs015N27lXFqnWqyDqMpsGrlVeKZQGbp0hfPz
FOl4Q7E3ZT1bTsnuiVTn+V6SfT0+s1Rwl7au236PS2+jjSeqO+Epn4uiVwNYxQtK
GiIZeNiKhif6KcYvG5tT8kG82jP7rI0VdEPqjqF4zuK1qL7ypU3ESS5Lzi8Q3pMb
J1jF8Xc1sD9KR5/GCT6Rbwlfw/OTS2xBAJH2Q1PTUxytFJS8Vp8DDM5u+rnYXKHp
A71D3Ows12hm/l8YgKBb2i7FxH8sy4Jpm1/F8ybZVJWKqkTwffBQn8EKaY60Vv1K
JPhDOwxr/Y/d/Uf8fD+EqUI7wEN9+Dn1w33hhL+FFUbLuMzfdK3KNws7Muj7W68K
nQUUFCbJHvlPvdQ/CD4/m4sxnnGTjhmSY/6THCCse3v0XzBJV7MDrorJJ6Gz5167
I4Dhn1f3x8WYxDqsY2e5viFfDlpR8Kh9FJYkjYaXefPfTmYyjhga/ld4AoqutHA/
fel3/nf+Ob7HhnY54NhpB2fkou6h7jAhtIqfKpELXEqXFFBvp2u+7I4Qu1hj0JBa
sM/NlTH0FT79sFjCYzPACegElASm/0Z3ti+PbaCf+fVYVctlI31o/MVNyQWx62Fo
nCD9jTq0W3iiz4mYEdZ3i13UGqqPSK+h5y5tKYHQgnMqy53awnz6P1LSMmt1NhlY
3U2+su8zCXt0/ueL5IY4fQ/QnqZRdRM7fQpcb/qPUd+nKQAcXHr4vfKb4DuByOtT
4Z2aEGkfT2AIrSkXrUD59MWo6BfjnJ5LhllWx7bH3V5Fx5L8nBUaT/ngjIOYsLkq
zKJZ8jleDtvlpe61N6aymKBe6MMB2fHBUimUKzkc2Q+38R99IGfrhahx933IVD5B
vK2orzE0Yo0gPwD2HU3DK9aoX/KqemM23KsfXTg1h0klhAc5658t5COi4SGtwsX4
G43nZrILnbkzUKv6LOljs4cBhJU2ICrbC53iV0fN39DdU7fTqBFUD8ePY+raz7EH
sQGq1RVLNVJ36I8YlCuTc63M4/E8BGxGWeK0TKx+6lEGKMJPR5ZWewoYLXHbjr7R
YGuDRIzqcY8Eh7z69HfYEQbvXF6SWqICC2hMn9qHvlYahwddg9fmw6LflhgI3Voa
CJK7FnoLkdGYePQ2IFAOR5spQUqZ4ed0jLJHcpTleJvheUROK9THW43vyY+8ORQy
QgDZ7NP6M9aJHwYb4ubMoJ/Gq9CeDkj0rWUGIVXt1iO803iEfMoUcogXHYSE34LQ
NLuSFM8106funG/w/20CVs7MxFbVFOfNvgPKVM+HONxBdEYIWqAG/c1ulI627vAo
F9EnnLXh58AQo1gqPqauq9vkYywxdQTbQKa6lOU79s74iG7C95GClEPx8ZYQqUt3
0RZgJCMwJwpWSAzu2MesuBmlpqrSkbf7iARUCtQyQLAx0hRw0cZbHpXd13Ur69JK
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE REQUEST-----
MIIC7DCCAdQCAQAwgaYxCzAJBgNVBAYTAlVBMRQwEgYDVQQIEwtLaG1lbG5pdHNr
YTEUMBIGA1UEBxMLS2htZWxuaXRza3kxFzAVBgNVBAoTDmFkZ3JhZmljcyBpbmMu
MRcwFQYDVQQLEw5TU0wgZGVwYXJ0bWVudDEVMBMGA1UEAxMMYWRncmFmaWNzLnVh
MSIwIAYJKoZIhvcNAQkBFhNhZG1pbkBhZGdyYWZpY3MubmV0MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6MlujLqJpFSOwTyUdt6A/xSpVUJq3XsxPtyP
EG18+jh4SWH+gVurmR7aRqI7/VnFmXpQ5AUDi2OCcRIfZIZ62ljpatxQkvWlTIG7
MKT0/Xw92r7UaUc5rf0eXhn6ozRy2jA4WmPvAmYrlPmWWBVxGZIbxZ7crUGg1RwN
3C5AgYNiANiO5UyoMu12yFxnOAs1lEVTpbjCtykSjX5VHlJKGzTafPh8ydnrnSWx
VukIKPC1OYgs3NPKRk5foZdRqyno+ebN6RvZm7XDtcFpugNawfGftrMTutsEB9EW
tB6N1vI81d4MNV/mx0JhJxCsk56KED61w47CJV2kg5p00bpLZQIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAGClSpW+2OI/r9KYoFEGXGP6wFciOBRjHBROcBsByECo
Mk2AvA22PnKaCiaZ136DHzOrXhtUMiGoEamNpCQ+akeJjNk8Lpx83CefVJ2JyCbi
ZB97I4fjgPPw/c/kAEuYJDaoh5qW8EBXB1E3ipGRAecYmKtQV8z26cLz8fbU96jk
2y6Mo2RTHIHe586AuAKk3gUmpdsvEFXYUjj1V/fU2bjx9jcTXVT10vrQZsQHyf07
LdzMVEI9gLtb6BqiKaFw0b+4lNNERa+LmUt39B0XjlnP3v6ROwcliwgFk2O3RehE
+RGH8p+bt2Tsh4a3n+gkUKTIIc2uYDPB9i7/y/JHlYw=
-----END CERTIFICATE REQUEST-----

0
CN=adgrafics.ua
OU=SSL department
O=adgrafics inc.
POBox=
STREET=
STREET=
STREET=
L=Khmelnitsky
S=Khmelnitska
PostalCode=
C=UA
Email=admin@adgrafics.net
Phone=

Generate the Key-Pair and CSR We will discuss the procedure, and present example screen-shots, using the open source tool, OpenSSL, running in a command prompt on a Microsoft Windows box. For specific detailed guidance pertinent to your particular software (for example, the Sun Microsystems Java toolkit), refer to your software user guide. The CSR creation process is very straight-forward and should only take a couple of minutes to complete on your computer. The important thing, is to remember the information you provide when generating your request, as you will need to provide EXACTLY the same information when you complete the signing enrollment request using our online forms. During the CSR process you will be asked to provide a number of pieces of information. Most of the names of the information fields you will be asked to supply are easily-understood, but there are a few field names which might be confusing. We'll explain them as we go through the screenshots of the various stages of the process.

Screenshot 1 — Command Prompt — OpenSSL To create a certificate request with OpenSSL, you must first open a command prompt, locate the OpenSSL directory, and type in the command string to create a new request. The command to create a new request contains three important pieces of information. the name to give to the private key file the program will create the name to give to the Certificate Signing Request (CSR) file the program will create the name of the OpenSSL configuration file for the OpenSSL program to use In this example we've told the program to give the private key file the filename of myprivkey.pem, the CSR file a name of mynewcert.req, and to use the configuration file called openssl.cnf. When you fill in the online form during the CryptGuard certificate signup process, you will be prompted to upload the CSR file that the OpenSSL program creates, so it's important to remember what name you've given it.

Screenshot 2 — Private Key Passphrase Your private key is extremely important. So the first thing the OpenSSL program will prompt you for is a password. It will use this password to protect your private key file. Obviously you should choose a passphrase (it can be a sentence, not just a single password) that you can remember but that others can't guess. It's extremely important that you don't forget the passphrase, as if you do, you won't be able to use your certificate to codesign any files, and will need to obtain a new certificate.

The Fundamental Certificate Information Fields There are 7 pieces of information that the program will ask you to provide. You will need to make note of all of the information that you enter, as you will be asked for these items during the certificate purchase process. The sequence in which each of these seven pieces of information are presented/requested will depend on the manner in which your configuration file is organized. Suffice it to say, all seven items should be requested.

Screenshot 3 — Country Name It should be obvious what the country name field is for. The stipulation is that it must be the 2-character ISO country code, not the full country name or other abbreviation.

Screenshot 4 — State Name Again, it should be obvious what the state name field is for. If you are located in a country where there are no 'states', you may leave the field empty or supply comparable information appropriate to your circumstances (such as Oaxaca, Hunan Province, Yorkshire, or South Australia). The stipulation here is that it requires the full name of the state, NOT the 2-character state abbreviation.

Screenshot 5 — Locality Name The locality implies the city or community where you are located.

Screenshot 6 — Email Address It should be obvious what the email address field is for.

Screenshot 7 — Organizational Unit Name The organizational unit generally makes more sense for a business rather than for a software developer. For a business it could be something like the marketing or accounting department. For a programmer/developer, you should try to provide some kind of meaningful information relevate to your particular purposes, such as 'Software Development' for application programs or 'Accounting Department Sarbanes Scripts' if you are only developing specialized Microsoft Office VBA Macros.

Screenshot 8 — Organization Name If you're operating as a business entity, this will be your company's registered business name. If you are a non-commercial developer you could simply use your full name, or even your email address (it can be duplicated here even though you've already used it in the email address field).

Screenshot 9 — Common Name This is official 'name' that will be associated with the certificate. You have a number of options, depending on how you wish to use the certificate. Most often the developer's email address, or simply the registered domain name belonging to the developer, such as, mycompany.com, is used for the Common Name. For corporate use, just as for a business ecommerce server certificate, a fully-qualified DNS server name should be used, such as, www.mycompany.com. In this example, the developer's email address is used (once again, it can be duplicated here even though it has already been used elsewhere). For a corporate codesign certificate, if an email address is used, it should be one of the primary registered domain contacts, or the company's primary technical support contact email address.

Certificate Signing Request File Generation Completed At this point your Certificate Signing Request file has been created and you're ready to move forward to order certificate sign-up process. We remind you to make note of the information you have used in generating the CSR file, including the filename and where it has been saved, as you will need to provide the EXACT same information when completing the CryptGuard certificate registration form, and will need to upload the CSR file to our server.

Work around to moving Microsoft Authenticode Certificate to different machines running different Windows platforms

There are two solutions you can try, the first solution allows you to move the Certificate and private key to the new machine as an exported .PFX file(PKCS#12) which signcode will recognise if you specify the -cn parameter, you will be unable to use the .spc and .pvk file therefore the -v and -spc parameters will be invalid.

The Second solution makes use of Openssl and a Windows binary program(PVKTOOL) in order to extract the private key and Certificate from the .PFX backup file and convert the Certificate into a .spc file and private key into a .pvk file which will work on the new machine running the different Windows Operating System.

- OpenSSL is an opensource Unix/Linux based tool used to implement PKI. It consists of a set of libraries, which you compile locally, and is capable of generating keys, certificates, and creating SSL connections to a web server. We use it as a troubleshooting tool for SSL connections and to convert keys into different formats.

- PVKTOOL is a conversion tool created by Dr Stephen Henson which you can use to convert the private key into a .pvk file once it has been extracted from the .PFX backup file and converted into a text format using Openssl. For more information please go to: http://www.drh-consultancy.demon.co.uk

Solution 1:
Using the pvkimprt.exe utility import the Certificate(.spc) and private key(.pvk) into the registry on the machine the Certificate was requested on and then export the keys from the registry as a .PFX file which will contain the Certificate and it's corresponding private key, you can then import the Certificate into IE on the new machine and sign using the -cn parameter in the signcode command line.

Follow these instructions to import the .spc and .pvk files into the registry:
1. Download the pvkimprt tool from the Microsoft site: http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN
2. Double click the executable file named pvkimprt.exe
3. Complete the installation process.
4. Import the files using the following command: pvkimprt -import mycert.spc mykey.pvk
5. View the imported files in Internet Explorer > Tools > Internet Options > Content > Certificates

To export the keys as a .pfx file using pvkimprt.exe: c:\pvkimprt -pfx mycert.spc mykey.pvk

It will bring up the export wizard, in the first window tick "Yes to export the private key", in the second window untick the option 'Enable strong protection..' and tick the option 'Include all Certificates in the certification path if possible', then click next, in the third window specify a private key password(please do not forget it), in the forth window click 'browse' and save the file to your desktop, click next and finish.

Once done, move the .pfx file to the new machine and import it into the IE browser. In IE click Tools > internet options > content > certificates > personal, click the import button, during the process mark the private key as exportable.
You can now sign and timestamp your code(timestamping is optional): signcode -cn "My Organisation" mycab.cab -t http://timestamp.verisign.com/scripts/timstamp.dll
Your code is now signed and timestamped, please run Checktrust.exe to ensure that the file has been signed correctly: chktrust mycab.cab
* If you are signing VBA Macros, you can import the .PFX backup file into the IE browser on the new machine and use the VB editor to add the digital signature.

Solution 2:
Secure copy(SCP) or FTP the exported .PFX to your Linux machine. In order to extract the private key from the .PFX file please run the following command:
openssl pkcs12 -in mybackup.pfx -nocerts -out mykey.key
In order to extract the Certificate from the .PFX file please run the following command:
openssl pkcs12 -in mybackup.pfx -nokeys -out mycert.crt

In order to convert the Certificate(mycert.crt) into a .spc file please run the following command: openssl crl2pkcs7 -nocrl -certfile mycert.crt -outform DER -out newcertfile.spc

You will now need to download the Windows PVKTOOL utility in order to convert the private key(mykey.key) into a .pvk file. Please download the utility from the following link: http://www.drh-consultancy.demon.co.uk/pvk.html (scroll down to conversion tools and click on where it says Win32 binary here
1.Unzip the file and copy the pvk.exe utility to a new folder named pvktool on your c:\ drive.
2. Secure copy(SCP) or FTP the mykey.key file from the Linux machine to the pvktool folder on the new Windows machine.
3. Please go into your command prompt and change directory(cd) into your pvktool folder. c:\cd pvktool
4. In order to convert the private key(mykey.key) into a .pvk file, please run the following command: pvk -in mykey.key -topvk -out newkeyfile.pvk

Once done you can use the private key file(newkeyfile.pvk) and Certificate file(newcertfile.spc) to sign with signcode. Please read the following solution on how to sign with signcode: SO279

*Please note that timestamping code allows it to be usable for an extended period of time, as the browser validates the timestamp. If the code is downloaded after the Certificate is expired (and it has been timestamped) you will not receive an error indicating that the certificate has expired. Please specify Verisigns' timestamp server url when you sign a file, the timestamp server validates the date and the time the file was signed. The Certificate expires but the signature will be valid for as long as the file is in production

Certificate Signing Request Generation Instructions for Tomcat

To generate a CSR, you will need to create a key pair for your server. These two items are a digital certificate key pair and cannot be separated. If you lose your public/private key file or your password and generate a new one, your SSL Certificate will no longer match. You will have to request a new SSL Certificate and may be charged.

Step 1: Create a Keystore and Private Key

Please use JDK 1.3.1 or later:
If you are running a 1.3 JVM, download JSSE 1.0.2 (or later) from http://java.sun.com/products/jsse/. Make it either an installed extension on the system or set an environment variable JSSE_HOME that points to the directory where JSSE is installed.

1. Create a certificate keystore and private key by executing the following command:
Unix: /bin/keytool -genkey -alias <your_alias_name> -keyalg RSA -keystore <your_keystore_filename>
Note: For Extended Validation certificates the key bit length must be 2048, add in the command above: -keysize 2048
This command will prompt for the following X.509 attributes of the certificate:
First and last name (Common Name (CN)): Enter the domain of your website (i.e. www.myside.org) in the "first- and lastname" field.. It looks like "www.company.com" or "company.com".
Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA. State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: California Locality or City (L): The Locality field is the city or town name, for example: Berkeley. Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corportation would be XYZ Corporation Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
Note: VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

2. Specify a password. The default value will be "changeit".

For further information, please refer to the Tomcat Web site.

Step 2: Generate a CSR
1. The CSR is then created using the following command:
keytool -certreq -keyalg RSA -alias <your_alias_name> -file certreq.csr -keystore <your_keystore_filename>
2. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

Contact Information
During the verification process, Certification center may need to contact your organization. Be sure to provide an email address, phone number, and fax number that will be checked and responded to quickly. These fields are not part of the certificate.

Certificate Signing Request Generation using keytool Sun Java CodeSigning ID

Посмотрите пожалуйста флеш презентацию