Installing A Code Signing Certificate for Windows Applications

For executable applications created under Windows, it is often desirable to sign the executable with a code signing certificate. This helps end-users of the application to feel safe about installing the application. Given below is the process of obtaining a code signing certificate. The process is virtually the same regardless of which provider generates the certificate. Be sure to buy a code-signing certificate and not a domain SSL certificate as it is easy to get confused between the two.

1.GENERATE A CSR FROM A WINDOWS MACHINE

  1. On the machine where the certificate is to be installed we need to create a CSR request.
  2. From Start Menu go to Control Panel->Manage User Certificates
  3. In the MMC left pane expand Certificates - Current User->Personal->Certificates
  4. Right click Certificates and click on All Tasks->Advanced Operations->Create Custom Request
  5. Click Next
  6. In Certificate Enrollment screen select Proceed without enrollment policy and click Next
  7. Keep Template as (No Template) CNG Key and Request Format as PKCS #10. Click Next
  8. Click the Details option and then click on Properties
  9. In the Properties popup, under General tab enter a value for Friendly Name. It could be anything.
  10. Under Private Key tab, under Key Options set Key size as 2048. Check Make private key exportable. Under Select Hash Algorithm set Hash Algorithm as sha256
  11. Under Subject tab, under Subject name, the following values need to be filled:
    1. Common Name – This has to be same value as Organization name (not a domain name)
    2. Country – two letter ISO code for the country
    3. Email – email id to which the certificate will be issued
    4. Organization – name of organization to which it will be issued
    5. State – State name
    6. Street Address – address of the organisation
  12. Click Ok
  13. Click Next
  14. Click Browse to select the location of the file which will be created, e.g. request.csr. Keep File format as Base 64. Click Finish
  15. This will create the CSR file at the selected path on the disk.

2.SUBMITTING THE CSR REQUEST

  1. The certificate provider will send a link to fill up a form and submit the details. 
  2. The following fields are needed to be filled:

Individual or Organisation: <choose between one>

Primary contact: <put email id here>

Org. name: <name of the organisation>

Address: <address of the organisation>

City: <city of organisation>

Country: <country of organisation>

Postal code: <postal code or zip code of organisation>


  3. Use Internet Explorer 11 or later in Windows to fill up the form (not Edge). For the CSR field, select the option to generate it from the browser instead of pasting it manually.
  4. Once that is done, submit the form.

3.INSTALLING THE CERTIFICATE

  1. The certificate provider will send a confirmation mail with a login link to access the certificate. Use Internet Explorer 11 or later in Windows to access the link.
  2. Once the login is successful, the browser will show a prompt asking for permission to allow the website to install a certificate. Click Ok
  3. This will install the certificate in the Windows system.

4.EXPORTING THE CERTIFICATE AS PFX

  1. In order to use the certificate on other machines, we need to export it as a PFX file. The process is given below:
  2. On the machine where the certificate is to be installed we need to create a CSR request.
  3. From Start Menu go to Control Panel->Manage User Certificates
  4. In the MMC left pane expand Certificates - Current User->Personal->Certificates
  5. In the right pane, right click on the certificate and click All Tasks->Export
  6. Click Next
  7. Check Yes, export the private key and click Next
  8. Check Personal Information Exchange - PKCS #12 (PFX) and click Next
  9. Enter and confirm a password for the certificate and click Next
  10. Browse and select a file name for the exported certificate and click Next
  11. Click Finish
  12. This will create the PFX file which can be used for code signing.
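
The same export can be scripted in PowerShell, with checks that the installed certificate really is a code signing certificate (not a domain SSL certificate) and that its private key is present. This is an added example, not part of the original procedure; the $Thumbprint and $PfxPath values are placeholders to be replaced with your own.

```powershell
# Added example. $Thumbprint and $PfxPath are placeholders (assumptions).
$Thumbprint = ''   # optional: set when more than one code signing certificate is installed
$PfxPath    = Join-Path $env:USERPROFILE 'codesign.pfx'

# -CodeSigningCert returns only certificates whose EKU permits code signing,
# so a domain SSL certificate bought by mistake will not show up here.
$certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { -not $Thumbprint -or $_.Thumbprint -eq $Thumbprint })
if ($certs.Count -ne 1) {
    throw "Expected exactly one code signing certificate, found $($certs.Count). Set `$Thumbprint."
}
$cert = $certs[0]

# Without the private key created alongside the CSR the PFX cannot sign anything.
if (-not $cert.HasPrivateKey) {
    throw 'No private key is associated with this certificate on this machine.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Compare the key size with the 2048 bits requested in section 1 (RSA keys only).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($rsa -and $rsa.KeySize -lt 2048) {
    Write-Warning "RSA key is only $($rsa.KeySize) bits."
}

# Show what is about to be exported.
$cert | Format-List Subject, Issuer, Thumbprint, NotAfter, EnhancedKeyUsageList

# Prompt for the password so it is not stored in the script or in shell history.
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString

# Fails if the key was not marked exportable when the request was created.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

# Read the file back and confirm it holds the same certificate.
$pfx = Get-PfxData -FilePath $PfxPath -Password $password
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported PFX does not contain the expected certificate.'
}
Write-Output "Exported $($cert.Thumbprint) to $PfxPath"
```

The resulting PFX file contains the private key, so keep the file and its password under the same access restrictions as the signing machine itself.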
