Local Certificate Authority for MS Authenticode

By ddsi

I needed a fast and scriptable way of signing local binaries. Those "tools" would be distributed around the department, and had to be accepted and run by others. I looked at Microsoft MSH (PowerShell?) to see if it could help, and it did. The following procedure was rolled into a script and automated.

Prerequisites I needed

1. Install .NET Framework 2.0
2. Install the MSH Windows shell
3. Install the .NET Development SDK (this is where makecert comes from)

Note: in this example the W2k3 server SRVR is used as the local CA,
and ACCT is the admin account everything runs under.

Procedure I followed:

1. Log in to SRVR as the ACCT account
2. Start -> Run: type msh

I. Make certificate authority (only one time)

## Create the certificate authority keypair and self-signed certificate, and put the
## certificate straight into the machine's Trusted Root store (-ss Root -sr localMachine)
## makecert prompts for a password for root.pvk; that file is the CA private key,
## so it stays on SRVR and never goes onto the tools share
MSH> makecert -n "CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Succeeded

## Check that it was created (the Root store also lists the other trusted roots; only the new one is shown here)
MSH> get-childitem cert:\localmachine\root

Subject      : CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago
Issuer       : CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago
Thumbprint   : FCD5D33001132C770CF0627424B1F21E9EECD6DD
FriendlyName :
NotBefore    : 3/22/2007 3:11:15 PM
NotAfter     : 12/31/2039 5:59:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

II. Make certificate signing authority (only one time)

## Create the signing certificate and have the local CA sign it (-iv/-ic = issuer key and cert).
## -pe makes the private key exportable: anyone who can log in as ACCT can export it and
## sign as the department, so keep that account tightly controlled.
MSH> makecert -pe -n "CN=Company Local CA2 Signing Validation, O=Company Build, C=US, S=Illinois, OU=Chicago" -ss CF -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

Succeeded

(The original run had no comma between S=Illinois and OU=Chicago, which is why the check below shows S="Illinois OU=Chicago": without the comma, OU=Chicago became part of the State value. The comma is in place in the command above.)

## Check that it was created
MSH> get-childitem cert:\currentuser\CF

Subject      : CN=Company Local CA2 Signing Validation, O=Company Build, C=US, S="Illinois OU=Chicago"
Issuer       : CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago
Thumbprint   : E748B0B01AFA1B3CC27B268E7FEB2698D6FA6B95
FriendlyName :
NotBefore    : 3/22/2007 3:19:02 PM
NotAfter     : 12/31/2039 5:59:59 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

III. Sign a file (every time)

## In case you have multiple certificates in the CF store, select the one you need
## (array element; the index is zero-based, so with a single certificate use [0])
MSH> $cert=(get-childitem cert:\currentuser\CF)[1]

## Sign EXE/CAB/DLL/MSH files
MSH> set-authenticodeSignature "c:\Tools\fport\Fport-2.0\fport.exe" $cert

SignerCertificate      : [Subject]
                           CN=Company Local CA2 Signing Validation, O=Company Build, C=US, S="Illinois OU=Chicago"

                         [Issuer]
                           CN=Company Local CA2, O=Company Build, C=US, S=Illinois, O=Company, OU=Chicago

                         [Serial Number]
                           DB0F9C8A691755074AAF551F570DE4E5

                         [Not Before]
                           3/22/2007 3:19:02 PM

                         [Not After]
                           12/31/2039 5:59:59 PM

                         [Thumbprint]
                           E748B0B01AFF1B5FC27B268E7FEB2698D6FA6B95

TimeStamperCertificate :
Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\Tools\fport\Fport-2.0\fport.exe

IV. Test and distribute the signed file

## Re-read the signature from the file rather than trusting the return value of the signing step
MSH> get-authenticodeSignature "c:\Tools\fport\Fport-2.0\fport.exe"

Status is Valid on SRVR because the root certificate sits in its LocalMachine Root store. The signing certificate itself travels inside the signed file, but the other machines in the department only report Valid once root.cer is in their Trusted Root store too (for example pushed out by Group Policy). TimeStamperCertificate is blank because no timestamp was requested, so the signature only checks out while the signing certificate is within its validity period; with a 2039 expiry that is not a concern for internal tools.
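The sign-and-verify step as a script, added here as an example and not the script the author rolled the procedure into. It assumes PowerShell 2.0 or later (the released MSH), that the root CA and signing certificate exist as created in steps I and II, and the hypothetical defaults that the tools live under C:\Tools and that root.cer sits next to the script. It selects the signing certificate by subject, private key and code-signing EKU instead of by array index, re-reads every signature from disk, and includes the recipient-side import of root.cer that step IV needs.

```powershell
# sign-tools.ps1 (added example, not from the original post)
param(
    [string]$SigningSubject = "CN=Company Local CA2 Signing Validation",  # assumed prefix
    [string]$ToolsDir       = "C:\Tools",                                # assumed location
    [string]$RootCer        = ".\root.cer"                               # assumed location
)

$CodeSigningEku = "1.3.6.1.5.5.7.3.3"

# Pick the signing certificate by subject and insist on a private key plus the
# code-signing EKU, so a stray certificate in the CF store cannot be picked up by
# accident the way a hard-coded [1] index can.
function Get-SigningCert([string]$subjectPrefix) {
    $found = @(Get-ChildItem cert:\CurrentUser\CF | Where-Object {
        $_.Subject.StartsWith($subjectPrefix) -and $_.HasPrivateKey -and
        @($_.Extensions | Where-Object {
            ($_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) -and
            (@($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku }).Count -gt 0)
        }).Count -gt 0
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one code-signing certificate matching '$subjectPrefix', found $($found.Count)"
    }
    return $found[0]
}

# Sign every tool under $dir, then re-read each signature from the file on disk and
# report per file whether it verifies and was signed with the expected certificate.
function Sign-Tools($cert, [string]$dir) {
    $report = @()
    $files = @(Get-ChildItem -Path $dir -Recurse -Include *.exe, *.dll, *.cab, *.ps1)
    foreach ($f in $files) {
        $null = Set-AuthenticodeSignature -FilePath $f.FullName -Certificate $cert
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName   # what is actually in the file
        $report += New-Object PSObject -Property @{
            Path      = $f.FullName
            Status    = $sig.Status
            Verified  = ($sig.Status -eq "Valid") -and
                        ($sig.SignerCertificate -ne $null) -and
                        ($sig.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
        }
    }
    return $report
}

# Recipient side: the signing certificate is embedded in the signed file, but root.cer
# must be in the machine's Trusted Root store before Get-AuthenticodeSignature reports
# Valid. Run this elevated on the receiving machine (or push root.cer out by Group Policy).
function Install-RootCert([string]$cerPath) {
    $root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    $name  = [System.Security.Cryptography.X509Certificates.StoreName]::Root
    $where = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $name, $where
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try   { $store.Add($root) }      # no-op if the same certificate is already present
    finally { $store.Close() }
    return $root.Thumbprint
}

# Signing host: sign, verify, and fail loudly if anything did not verify.
$cert   = Get-SigningCert $SigningSubject
$report = Sign-Tools $cert $ToolsDir
$report | Format-Table Path, Status, Verified -AutoSize
$bad = @($report | Where-Object { -not $_.Verified })
if ($bad.Count -gt 0) { throw "$($bad.Count) file(s) did not verify after signing" }

# On a recipient machine you would instead run only:
#   Install-RootCert $RootCer
#   Get-AuthenticodeSignature C:\Tools\fport\Fport-2.0\fport.exe
```

The Verified column compares the thumbprint read back from the file with the certificate that was selected, so a wrong certificate picked up from the CF store shows up here rather than on a colleague's machine. Until root.cer is installed, the same Get-AuthenticodeSignature call on a recipient reports something other than Valid, which is the quickest way to tell a missing root from a bad signature.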
