 How to create your own certificate for signing ClickOnce manifests and Strong Naming assemblies.
  The Ancient Mariner
PLEASE NOTE:
This page is now well out of date (it comes from a previous version of the site).

Although Visual Express can create a temporary certificate for you that you can use to perform the above actions, it is also possible to create your own ‘named’ certificate that you can use for signing all your stuff. This is a good way to start learning about certificates, and good practice if at some point you intend to purchase the real thing.
 
 
Visual Express (C# and Visual Basic) Temporary Key

As already mentioned, Visual Express can be used to create a temporary certificate for signing ClickOnce Manifests etc. This is done from the ‘Signing’ tab of the application’s Properties page by simply clicking the ‘Create Test Certificate’ button. The resulting key file (its default name will be something like ‘YourProjectName_TemporaryKey.pfx’) can also be used to strong name the assembly. The .pfx extension means this is a ‘Personal Information Exchange’ file, which can be looked upon as a certificate file containing both a public key and a private key.


Even when you don’t tick the ‘Sign the ClickOnce Manifests’ checkbox but still need to strong name the assembly, if you select ‘New’ from the ‘Select a strong name key file’ dropdown list and then enter a file name and password into the ‘Create Strong Name Key’ dialog box, the file that is produced is still a .pfx file. Note that if you opt NOT to enter a password the resulting file will be a .snk (Strong Name Key) file, but that’s a file path for another day. Here we’ll be concentrating on .pfx (Personal Information Exchange) files.
 
 
 
Some things to bear in mind about Strong Names

  • It is recommended that shared DLLs (used by more than one application) should be strong named, as should DLLs being deployed to the 'Global Assembly Cache'.
  • A strong named component cannot be updated by copying a new version over the old one. You must either recompile the whole application or alter the application's ‘config’ file to instruct the runtime to load the new version (instead of the old one).
  • Strong named applications and components cannot reference weak named ones. For this reason, in Visual Express, ClickOnce application ‘exe’ files are not strong named; it is the manifests that are strong named instead. This allows the ‘exe’ to reference any weak named items that are deployed with the application. (There are ways around this in code.)

      Making your certificate  
      Step 1: Getting the tools to do the job  
      The following four files are required for this demonstration.  
     
        makecert.exe
        pvk2pfx.exe
        cert2spc.exe
        pvkimprt.exe
     
If you know that you have these files and are familiar with command line tools, please go to Step 2.
         
Beginners' command line problems
The problems most beginners have with command line tools are threefold:

  1. Finding the tools.
     Are they included in my operating system? Where can I download them? Are they buried in some resource kit? Which resource kit?
  2. Getting the tools to run.
     I've got the tools, but when I enter their names at the command prompt I get an error as if they can't be found, or that the executable is not a valid Win32 application.
  3. Telling the tools where my files are.
     The tools are available at the command line, but they can't find the files that I'm trying to work on.

         
     

    Finding the tools.

     
First of all, here is a bit of "Authenticode" history:

Microsoft first released "Authenticode" code signing in 1998. This originally consisted of a self-extracting ZIP file by the name of "codesigningx86.exe" containing the following files:
     
      signcode.exe
    makecert.exe
    cert2spc.exe
    chktrust.exe
    certmgr.exe
    makecat.exe
    makectl.exe
     
     
This little bundle is no longer available from Microsoft (but you may still be able to download it from elsewhere).
         
      Downloading the files  
Versions of these files are currently available in various packages. If you have Visual Studio then you will already have them.
Alternatively, they can be found in the following downloads:

  • Platform SDK for Windows Server 2003
  • Windows Software Development Kit for Windows Vista
  • .NET Framework 2.0 Software Development Kit (SDK) (x86)
  • pvkimprt.exe download

Searching for the files
Once you think that the files are on your computer, look for them in directories like:

  • Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin
  • Program Files\Microsoft SDKs\Windows\v6.0\Bin
  • Program Files\Microsoft SDKs\Windows\v6.0A\bin
  • or just do a search for 'makecert.exe'.
         
      Setting the environment path  
Once you have the files and know the path, depending on your set-up, you may still need to add this path to the system 'PATH' environment variable.
This is done in the following manner:
     
      XP  
      Copy the file path from the address bar while the 'Bin' folder is open.
    Right click My Computer and select 'Properties'
    Click the Advanced tab.
    Click the 'Environment Variables' button. In the bottom window select 'Path' and double click it.
    An 'Edit System Variable' box pops up.
    In the bottom text box called 'Variable Value': add a semicolon and paste your new path string on to the end of the existing string.
     
         
      Vista  
      Copy the file path from the address bar while the 'Bin' folder is open.
    Right click My Computer and select 'Properties'
    Click the Advanced System Settings - this will take you to the Advanced tab of System Properties.
    Click the 'Environment Variables' button. In the bottom window select 'Path' and double click it.
    An 'Edit System Variable' box pops up.
    In the bottom text box called 'Variable Value': add a semicolon and paste your new path string on to the end of the existing string.
     
     
         
      To test that the path has been set, enter the following command at the command prompt.  
     
        makecert /?

     
      If you're given a list of options, the file path is OK.  
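The same search, PATH change and 'makecert /?' check, done from a PowerShell prompt. This is an added example and not part of the original page; it assumes the SDK folder names listed above (and their equivalents under 'Program Files (x86)' on 64-bit Windows), and it only changes PATH for the current session, so the System Properties steps above are still needed to make the change permanent.

```powershell
# Added example (not from the original page): locate makecert.exe in the SDK
# folders listed above and put that folder on PATH for this PowerShell session.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$candidateDirs = foreach ($root in $roots) {
    Join-Path $root 'Microsoft Visual Studio 8\SDK\v2.0\Bin'
    Join-Path $root 'Microsoft SDKs\Windows\v6.0\Bin'
    Join-Path $root 'Microsoft SDKs\Windows\v6.0A\bin'
}

# First look in the well-known folders, then fall back to a (slow) recursive search.
$toolDir = $candidateDirs | Where-Object { Test-Path (Join-Path $_ 'makecert.exe') } | Select-Object -First 1
if (-not $toolDir) {
    $hit = Get-ChildItem -Path $roots -Filter 'makecert.exe' -Recurse -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($hit) { $toolDir = $hit.DirectoryName }
}
if (-not $toolDir) { throw 'makecert.exe not found; install one of the SDKs listed above.' }
"Using tools from: $toolDir"

# pvkimprt.exe is a separate download, so warn rather than fail if a tool is missing here.
$missing = 'makecert.exe', 'pvk2pfx.exe', 'cert2spc.exe', 'pvkimprt.exe' |
    Where-Object { -not (Test-Path (Join-Path $toolDir $_)) }
if ($missing) { Write-Warning "Not found in ${toolDir}: $($missing -join ', ')" }

# Session-only PATH change; use the System Properties steps above to make it permanent.
if (($env:Path -split ';') -notcontains $toolDir) { $env:Path = "$env:Path;$toolDir" }

# Same check as the page's 'makecert /?': a usage listing means the path works.
makecert /? | Select-Object -First 5
```

The recursive search is only attempted when none of the known folders contains the tool; on a large disk it can take a minute or two.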
         
      Create a work folder  
Create a folder. Call it 'CertificateTest' or similar. Let's say that the full path to the folder is: 'C:\Users\Fred\Desktop\CertificateTest'
      Open a command window and enter 'CD' plus the path to your CertificateTest folder.  
      In this example I use the path to my 'CertificateTest' folder as shown above, you must enter the correct path to your 'CertificateTest' folder.  
     
        CD  C:\Users\Fred\Desktop\CertificateTest 

     
         
      NOTE:
    If your path contains spaces, put the path string in double quotes
     
     
        CD  "C:\Users\Fred Smith\Desktop\Certificate Test"

     
         
      Now we're ready to rock!!!  
         
    Step 2: Makecert.exe
      The following notes assume that you have already set a directory path - see the item just above this one (Create a Work Folder).  
      Makecert.exe is the ‘Certificate Creation tool’. It generates X.509 certificates for testing purposes. It creates a public and private key pair for digital signatures and stores it in a certificate file.

In this example we’ll use ‘Makecert’ with the following options:

  Create a self-signed certificate:        -r
  Certificate subject name:                -n "CN=PutYourNameHere"
  The certificate’s signing authority:     -$ individual
  A name for the private key file:         -sv YourPrivateKeyFile.pkv
  Mark the private key as exportable:      -pe
  The enhanced key usage string:           -eku 1.3.6.1.5.5.7.3.3  (this OID denotes a ‘Code Signing’ certificate)
     
         
      This command creates a self-signed ‘Code Signing’ certificate issued to you by you. It also produces a private key file.  
     
    makecert -r -pe -n "CN=PutYourNameHere" -$ individual -eku 1.3.6.1.5.5.7.3.3 -sv YourPrivateKeyFile.pkv YourCertificateFile.cer

     
Run this command as it is (to make this demo easier, don’t enter your own details, just copy the existing text for this first run through).
A dialog box will pop up asking for a password with confirmation, followed by a second box asking for the password again. Enter the same password in each box. This will be the password that you are asked for whenever you use your pfx file.
The result will be two new files: ‘YourCertificateFile.cer’ and ‘YourPrivateKeyFile.pkv’.
Now we’re ready for the next step…
     
         
      Step 3: Creating a .pfx file.  
      There are at least two ways we can go from here, the simplest being the use of ‘pvk2pfx.exe’. This command will use the ‘YourCertificateFile.cer’ and ‘YourPrivateKeyFile.pkv’ files to make a .pfx file.

    Just input the following command line:
     
         pvk2pfx  -pvk  YourPrivateKeyFile.pkv  -spc  YourCertificateFile.cer  -pfx  FinallyMyPFX.pfx
      You will be asked once more for the password and lo and behold! There is the pfx file in the form of FinallyMyPFX.pfx.

The second method uses ‘cert2spc.exe’ and ‘pvkimprt.exe’.
Cert2spc creates a ‘Software Publisher Certificate’ (SPC) from your ‘.cer’ certificate file. The SPC file is also called a digital ID or digital certificate. This is the file type that you will obtain from a Certificate Authority.

    Just enter these commands:
     
     
        cert2spc YourCertificateFile.cer YourCertificateFile.spc

        pvkimprt -pfx YourCertificateFile.spc YourPrivateKeyFile.pkv
     
     
Pvkimprt will ask you for the password. Then the Certificate Export Wizard will appear and ask you if you wish to export the private key with your certificate: select ‘Yes’, then click ‘Next’, and skip the following page by clicking ‘Next’ again. Enter the password yet again (twice). Click the ‘Next’ button and give the pfx file a name. Click ‘Next’ again, then ‘Finish’.

    You’ve now created the following files:

    A public key certificate (.cer file).

    A private key (.pvk file) that you must keep confidential.

    A Software Publisher Certificate (.spc file).

A Personal Information Exchange (.pfx file) that contains a public key and a private key. You can use this to sign your files, including your ClickOnce manifest files. You can also use it to sign your application with Mage.exe, MageUI.exe or SignTool.exe.
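Steps 2 and 3 (the pvk2pfx route) run from PowerShell, followed by a check of what the files actually contain. This is an added example and not part of the original page; it assumes makecert.exe and pvk2pfx.exe are on PATH, that the current directory is your 'CertificateTest' folder, and it keeps the page's placeholder names for the subject and files.

```powershell
# Added example (not from the original page): run the Step 2 / Step 3 pipeline
# with the same options as the page, then inspect the results.
$subject        = 'CN=PutYourNameHere'         # placeholder subject from the page
$cer            = 'YourCertificateFile.cer'
$pvk            = 'YourPrivateKeyFile.pkv'
$pfx            = 'FinallyMyPFX.pfx'
$codeSigningEku = '1.3.6.1.5.5.7.3.3'          # Code Signing enhanced key usage OID

# '-$' is quoted so PowerShell passes it to makecert literally instead of
# trying to read it as a variable. makecert prompts for the private-key password.
makecert -r -pe -n $subject '-$' individual -eku $codeSigningEku -sv $pvk $cer
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# Bundle certificate and private key into a .pfx (prompts for the password again).
pvk2pfx -pvk $pvk -spc $cer -pfx $pfx
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed with exit code $LASTEXITCODE" }

# Inspect the public certificate: is it self-signed, and is it marked for code signing?
$cerPath = (Resolve-Path $cer).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$ekus = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
[pscustomobject]@{
    Subject     = $cert.Subject
    SelfSigned  = ($cert.Subject -eq $cert.Issuer)
    CodeSigning = ($ekus -contains $codeSigningEku)
    NotAfter    = $cert.NotAfter
    Thumbprint  = $cert.Thumbprint
}

# The .pfx must carry the private key, or it is useless for signing.
$pfxCert = Get-PfxCertificate -FilePath $pfx       # prompts for the password
if (-not $pfxCert.HasPrivateKey) { throw 'PFX does not contain a private key' }

# Chain building reproduces the "not trusted" warning you see when double-clicking
# the .cer file: until the certificate is installed as a trusted root, the chain
# ends in UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'     # a self-signed test cert has no CRL
[void]$chain.Build($cert)
$chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
```

The EKU check is the one worth keeping around: a certificate without 1.3.6.1.5.5.7.3.3 will be rejected by SignTool and by ClickOnce even though it looks fine in the certificate viewer.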
     
         
      Now you can delete these files and start again, this time using your own details.  
         
If you double click the .cer file you will see the Certificate that you have created. It will tell you that it is not trusted! To get the certificate 'Trusted' it needs to be installed, first in the 'Trusted Root Certification Authorities' store and then in the 'Trusted Publishers' store.

    To do this first click the 'Install Certificate' button followed by the 'Next' button.
    Select 'Place all certificates in the following store' and click the browse button.
Select 'Trusted Root Certification Authorities' and click OK, followed by 'Next' and 'Finish'.

    Repeat this action but this time select 'Trusted Publishers'  instead of 'Trusted Root Certification Authorities'.
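The two 'Install Certificate' passes above, done with the .NET certificate store API from PowerShell, followed by a second chain check to confirm the warning has gone. This is an added example and not part of the original page; it assumes 'YourCertificateFile.cer' from Step 2 is in the current directory. It uses the current-user stores (no administrator rights needed, and the trust applies only to your account), and it includes a function to remove the certificate again, because anything in the Root store is trusted to vouch for every certificate it signs.

```powershell
# Added example (not from the original page): install the test certificate into
# CurrentUser\Root and CurrentUser\TrustedPublisher, then re-check the chain.
$cerPath = (Resolve-Path 'YourCertificateFile.cer').Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# Adding to Root is what removes the "not trusted" warning; it also means Windows
# will trust anything else this key ever signs, so keep this to your own test
# certificate and remove it (Remove-TestCertificate below) when you are finished.
foreach ($storeName in 'Root', 'TrustedPublisher') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Add($cert)        # Windows shows a confirmation dialog for the Root store
    $store.Close()
    "Installed into CurrentUser\$storeName"
}

# Same chain check as before: with the certificate in Root, Build() should succeed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed test certificate has no CRL
if ($chain.Build($cert)) {
    "Trusted: chain builds for $($cert.Subject) (thumbprint $($cert.Thumbprint))"
} else {
    $chain.ChainStatus | ForEach-Object { "Still not trusted: $($_.Status)" }
}

# Undo: remove the certificate from both stores by thumbprint when the test is over.
function Remove-TestCertificate([string]$Thumbprint) {
    foreach ($storeName in 'Root', 'TrustedPublisher') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'CurrentUser'
        $store.Open('ReadWrite')
        $store.Certificates |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object { $store.Remove($_); "Removed from CurrentUser\$storeName" }
        $store.Close()
    }
}
# Example: Remove-TestCertificate $cert.Thumbprint
```

The GUI wizard writes to the same CurrentUser stores by default, so a certificate installed one way can be found and removed the other way; the thumbprint printed above is the easiest handle for that.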
     
         
         
Copyright © 2010 George Starr. All Rights Reserved.