Dot Net Tips and Tricks


How to use Windows Certificate Authority to Strong Name Assemblies

I recently wanted to use our internal Certificate Authority for all our code signing requirements. After several hours of pain I was able to get it to work, but thought I'd document the procedure so others won't have the same problems.

  1. Ensure a Certificate Authority is installed and running on the Active Directory domain.
  2. The Windows Certificate Authority uses a web-based request form, so open IE and browse to the site (e.g. http://someserver/certsrv).
  3. When requesting the certificate, choose an advanced request and select Code Signing as the certificate type. Also make sure you choose the Microsoft Enhanced Cryptographic Provider, not the Base or RSA provider (I'll explain below). See Figure 1.
  4. Choose Mark Keys as Exportable and set a password. Save the private key file with a *.pvk extension. Note that an exportable private key leaves the machine in that file, so treat the .pvk (and the .pfx built from it later) as a secret: keep it off shared drives and out of source control.
  5. Click Submit. You will be prompted to save the .pvk, and then to save the certificate. Save only the certificate itself, not the full certificate path (chain); the strong naming route does not use certificate chaining.
  6. Open a Visual Studio command prompt and navigate to the location where you saved the files.
  7. Type cert2spc yournewfile.cer yournewfile.spc, where yournewfile is the filename you gave the .pvk when saving it. This converts the .cer into a compatible .spc file.
  8. Type pvk2pfx -pvk yournewfile.pvk -spc yournewfile.spc. A wizard will open; follow the prompts, making sure to check the box to make the private key exportable. (The same tool also runs non-interactively if you pass -pfx, -pi and -po for the output file and the two passwords.)
  9. The new *.pfx file can be used to sign assemblies, for example from the project's Signing tab in Visual Studio or with signtool. Computers inside the network will be able to verify the certificate against the internal Certificate Authority because domain members trust its root; a machine outside the domain that does not have that root installed will see the same signature as untrusted.
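The conversion and signing steps above, run end to end as a script. This is an added example rather than code from the original post; it calls the same SDK tools the Visual Studio command prompt provides (cert2spc, pvk2pfx, signtool, certutil), so they must be on PATH. The file names, passwords and assembly path are placeholders, and the certutil and signtool verify steps are additions that check the result before the certificate is trusted in a build.

```powershell
# Added example (not from the original post): automates steps 7-9 above from
# a PowerShell prompt that has the Windows SDK / Visual Studio tools on PATH.
# Every name and password below is a placeholder; substitute your own.
$ErrorActionPreference = 'Stop'

$base        = 'yournewfile'                  # name chosen when saving the .pvk in the certsrv request
$pvkPassword = 'pvk-password-here'            # password entered when the keys were exported
$pfxPassword = 'pfx-password-here'            # password for the new .pfx (may differ from the pvk one)
$assembly    = '.\bin\Release\MyAssembly.dll' # placeholder assembly to sign

function Invoke-Tool([string]$Tool, [string[]]$ToolArgs) {
    # The SDK tools are native executables; fail loudly on a non-zero exit
    # code instead of continuing with a half-built or unsigned artifact.
    & $Tool @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

# Step 7: wrap the leaf certificate (not the chain) into an SPC.
Invoke-Tool 'cert2spc' @("$base.cer", "$base.spc")

# Step 8: combine the private key and the SPC into a PFX without the wizard.
# -pi/-po supply the two passwords, -f overwrites an existing .pfx.
Invoke-Tool 'pvk2pfx' @('-pvk', "$base.pvk", '-pi', $pvkPassword,
                        '-spc', "$base.spc", '-pfx', "$base.pfx",
                        '-po',  $pfxPassword, '-f')

# Check that the certificate chains to a trusted root on this machine
# (the internal CA root on a domain member). certutil prints the chain
# and returns non-zero if it cannot be built or has expired/revoked links.
Invoke-Tool 'certutil' @('-verify', "$base.cer")

# Step 9: Authenticode-sign the assembly with the PFX.
Invoke-Tool 'signtool' @('sign', '/f', "$base.pfx", '/p', $pfxPassword, '/v', $assembly)

# Verify the way a domain client would. /pa applies the default Authenticode
# policy, so the signature only passes if the chain ends at a root this
# machine trusts; run the same command on a non-domain machine to see it fail.
Invoke-Tool 'signtool' @('verify', '/pa', '/v', $assembly)
```

If you later want the signature to remain valid after the certificate expires, add a /t timestamp-server URL to the signtool sign call; without it the signature is only valid while the certificate is.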

Figuring this was a straightforward procedure, I requested a certificate and private key pair from the Certificate Authority, and that's where the trouble started. If you choose the wrong provider in step 3, you will receive the dreaded "Error Importing Key - Object already exists" error when trying to compile, because that provider is incompatible with Visual Studio code signing. Re-request the certificate with the Microsoft Enhanced Cryptographic Provider rather than trying to convert the existing key.

6 Comments so far

  1. Bjarke Istrup Pedersen February 1st, 2007 6:52 am

    Is it possible to generate the certificate with openssl, and still use it with visual studio?

  2. gnewtzie February 1st, 2007 8:41 am

    The only thing I can suggest is try the different encryption providers until you’re successful. I don’t have an openssl install to test with but I have seen several posts about openssl over at http://forums.microsoft.com so you might want to search over there.

  3. Bjarke Istrup Pedersen February 3rd, 2007 6:20 pm

    Okay, how do I switch provider?
    Should I switch, import and then export, to get the certificate written with another provider?

  4. gnewtzie February 7th, 2007 8:50 am

    It looks like in genpkey you can specify RSA2 as the algorithm and 1024 as the length. On the ones generated by Windows Server, SHA is used as the thumbprint algorithm on the cert. At a quick glance, I'm not sure openSSL supports this type.

  5. Bjarke Istrup Pedersen February 7th, 2007 11:00 am

    Hmm, okay :-(

  6. Insert Name Here July 29th, 2008 8:10 am

    “Click submit. You will be prompted to save the pvt and then click to save the certificate. Do not save the full certificate path as strong naming does not support certificate chaining.”

    I think I may have a different version of the MS Certification Authority because I don’t see that. I’m using Windows Server 2003 R2

    Also it doesn’t make any sense that you say you’re saving the certificate because you haven’t been ISSUED a cert you are only REQUESTING a cert. Are you missing a bunch of steps between 4 and 5?

    Now what I can do is finish the request, go to the cert authority and issue a cert for the request, then export the cert as a binary file, and finally continue with step 6.

    Doing it that way works.
