These steps will guide you to make your own public key certificate for digital signatures. There are many tools on the net to do this. This uses OpenSSL and gives you a certificate with a chain to your root CA.
Step 1: First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................
..........................................................................................
is 65537 (0x10001)
If you want to password-protect this key, add option -des3.
Step 2: Next, we create our self-signed root CA certificate ca.crt; you'll need to provide an identity for your root CA:
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
You are about to be asked to enter information that iwll be incorporated into your certificate request.
What you are baout to enter is what is called a Distinguished Name or DN. There are quite a few fields but you can leave some blank For some fields there will be a default valu, If you enter '-', the filed will be left blank.
-----
Country Name(2 letter code) [GB] : IN
State or Province Name (full name) [Berkshire]: TestProvince
Locality Name (eg, city) [Newbury]: TestCity
Organization Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [] :
Email Address []:
The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid forr 5 years.
Step 3: Create our subordinate CA that will be used for the actual signing. First generate the key:
openssl genrsa -out ia.key 4096
Generating RSA private key, 4096 bit long modulus
...............++
................................................................................................++
e is 65537 (0x10001)
Step 4: Then, request a certificate for this subordinate CA:
openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
Signature ok
subject=/C=BE/ST=TestCity/L=TestCity/O=https://fdf.com/ON .......
Getting CA Private Key
The cert will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert(-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.
That's all there is to it! Of course, there are many options I didn't use. Consult the OpenSSL documentation for more info.
Step 5: To use this subordinate CA key for Authenticode signatures with Microsoft's signtool, you'll have to package the keys and certs in a PKCS12 file:
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
Enter Export Password:
Verifying - Enter export Password:
To sign executable in Windows with the signtool: install file ia.p12 in your certificate store and then use signtool to sign your PE file.
Reference:
1. http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/#comments
2. http://www.openssl.org/docs/apps/openssl.html
3. http://www.openssl.org/related/binaries.html
4. http://en.wikipedia.org/wiki/OpenSSL
Step 1: First we generate a 4096-bit long RSA key for our root CA and store it in file ca.key:
openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................................................
..........................................................................................
is 65537 (0x10001)
If you want to password-protect this key, add option -des3.
Step 2: Next, we create our self-signed root CA certificate ca.crt; you'll need to provide an identity for your root CA:
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
You are about to be asked to enter information that iwll be incorporated into your certificate request.
What you are baout to enter is what is called a Distinguished Name or DN. There are quite a few fields but you can leave some blank For some fields there will be a default valu, If you enter '-', the filed will be left blank.
-----
Country Name(2 letter code) [GB] : IN
State or Province Name (full name) [Berkshire]: TestProvince
Locality Name (eg, city) [Newbury]: TestCity
Organization Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [] :
Email Address []:
The -x509 option is used for a self-signed certificate. 1826 days gives us a cert valid forr 5 years.
Step 3: Create our subordinate CA that will be used for the actual signing. First generate the key:
openssl genrsa -out ia.key 4096
Generating RSA private key, 4096 bit long modulus
...............++
................................................................................................++
e is 65537 (0x10001)
Step 4: Then, request a certificate for this subordinate CA:
openssl x509 -req -days 730 -in ia.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ia.crt
Signature ok
subject=/C=BE/ST=TestCity/L=TestCity/O=https://fdf.com/ON .......
Getting CA Private Key
The cert will be valid for 2 years (730 days) and I decided to choose my own serial number 01 for this cert(-set_serial 01). For the root CA, I let OpenSSL generate a random serial number.
That's all there is to it! Of course, there are many options I didn't use. Consult the OpenSSL documentation for more info.
Step 5: To use this subordinate CA key for Authenticode signatures with Microsoft's signtool, you'll have to package the keys and certs in a PKCS12 file:
openssl pkcs12 -export -out ia.p12 -inkey ia.key -in ia.crt -chain -CAfile ca.crt
Enter Export Password:
Verifying - Enter export Password:
To sign executable in Windows with the signtool: install file ia.p12 in your certificate store and then use signtool to sign your PE file.
Reference:
1. http://blog.didierstevens.com/2008/12/30/howto-make-your-own-cert-with-openssl/#comments
2. http://www.openssl.org/docs/apps/openssl.html
3. http://www.openssl.org/related/binaries.html
4. http://en.wikipedia.org/wiki/OpenSSL
Maybe you forget following line after Step 3
ReplyDeleteOpenSSL req -new key ia.key -out ia.csr
Thank you for this detailed explanation. I followed these steps and created a digital certificate without facing any issue. I am so glad that I learned the way.
ReplyDeletedigital signature