Code Signing certificates are used to verify the author of software packages and are necessary to avoid security warnings when users install software downloaded from the internet. Code signing certificates are purchased from Certificate Authorities and/or resellers, companies which perform personal and/or corporate identity verification. Upon successful verification, the certifying company will provide you with a certificate, which is then used to sign all software work product that will be made available to the public. This post addresses the process by which one installs a Sectigo, formerly Comodo, code signing certificate.
Furthermore, it is important to note that, at the time of writing, Individual Code Signing certificates are only available from Sectigo/Comodo. If you are a corporation, you can buy anywhere; if you are a lone wolf such as myself, you must buy from Sectigo/Comodo.
Code Signing Certificates obtained from Sectigo or Comodo resellers do not work with Visual Studio in their native form. They must be manipulated first. This may change in the future, but for now, as of 3/20/2019, they still must be.
When your purchase is complete, you will be sent, via email, a link to an instruction document that explains which documents are required to prove your identity to the Certificate Authority. Usually this list will include: a photo ID (a driver's license or passport will do), a bank statement with your name and address, and a utility bill showing your name and address.
Once you have rounded up the documentation, you will need to take the instruction form, along with your photo ID and documents, to a notary public. They will stamp the documents, etc. according to the instructions provided on the form you downloaded from the Certificate Authority.
Upon notarization, scan the documents in to your computer. Once that is done, go to the support site and upload the documents. Note that your order number will be required, so have it handy.
If all goes well and you have successfully proven who you are, Sectigo/Comodo will send you a link, via email, where you can download your certificate. Note that the email will include your collection code.
Collect Your Certificate
You can only collect and install your certificate using the FIREFOX BROWSER. If you don't have it, you will have to install it. The reason is that the collection page relies on the browser generating the key pair locally (the legacy HTML keygen mechanism), which Firefox still supports but Chrome and Edge have dropped. The private key is therefore created on your machine and never sent to the CA, and the resulting certificate lands in Firefox's own certificate store rather than the Windows store.
Click on the link in the email and you will be brought to a page that looks like the following. Note, if Firefox isn't the default browser, enter in the
Click on the Collect Certificate button. The Certificate will install.
Unless you have configured Firefox to use the Windows certificate store, the certificate is installed in Firefox's own store (inside your Firefox profile folder), not in Windows. To view the certificates installed in Firefox (versions 60+):
1) Select Tools - Options from the Firefox menu.
2) In the menu on the left side of the screen, click Privacy & Security.
3) Scroll down and click on the View Certificates button.
The Certificate Manager screen will appear, where you should see the installed certificate on the Your Certificates tab.
Now select your certificate and click on the View button. It should show your name (or your company name), the issuer and the validity period. If everything looks OK, then your certificate was installed under Firefox successfully.
Make A Backup Of The Certificate Installed In FireFox (i.e. Export It)
From the Certificate Manager screen, select your certificate and click on the Backup button. You will be prompted for where you want to save the file. It is recommended to create a new folder, as there is much work still to be done. Name it something short and memorable.
During the export process you will be asked to provide a password. REMEMBER THE PASSWORD. Write it down if you have to. This password is the only thing protecting the private key inside the file, so choose a strong one.
Note that the file backed up is a PKCS #12 file (.p12 extension; it is the same format Windows calls .pfx). In addition to your certificate, this file contains the root and intermediate certificate authority certificates used in creating your certificate and, most importantly, your private key. Anyone who obtains this file and its password can sign software in your name, so keep it off shared drives and cloud-synced folders, and delete the intermediate copies you no longer need once the certificate is installed where you want it.
Import The "Backed Up" Certificate Into Your Windows Certificate Store
This step installs the certificate that was exported out of Firefox into your Windows certificate store. This gets the certificate and its private key somewhere Windows tools (signtool, the MMC export used later) can see them, and it also installs the Intermediate and Root Certificate Authority certificates, which might not yet exist in your store, i.e. there might not be an entry for Sectigo in there. To install the certificate (the .p12 file you just exported) into your Windows Certificate Store:
1) Start the Microsoft Management Console's (MMC) Certificates snap-in. Right click the Windows Start icon and then select the Run command.
2) If you want to store your new certificate in the Local Machine store, type in certlm.msc. If you want to store your certificate in the Current User certificate store, type in certmgr.msc. Then click OK. I recommend installing the certificate into the Local Computer store, as it will be available to all accounts on the computer. Bear in mind that this also makes the signing key available to anyone with administrative rights on the machine; on a shared machine, the Current User store is the more restrictive choice.
3) Once the Certificates snap-in console displays, expand the Personal folder and select the Certificates subfolder.
4) From the menu, select Action - All Tasks - Import.
5) On the Welcome To Certificate Import screen, click Next.
6) On the File To Import screen, select the backup certificate file you created in the previous section. Click Next.
7) On the Private Key Protection screen, enter the password you chose when backing up from Firefox, and check Mark this key as exportable. Without that, the export in a later step will not be allowed to include the private key. Click Next.
8) On the Certificate Store screen, select the Automatically select the certificate store based on the type of certificate option. Click Next.
9) The certificates will import. Check the various folders to verify where they were saved: your certificate should be under Personal, the Sectigo intermediate under Intermediate Certification Authorities, and the root under Trusted Root Certification Authorities.
If all goes well, the Personal Certificates folder will look like the following:
Download And Install OpenSSL for Windows
To prepare the certificate for use within Visual Studio 2017 and beyond, as stated previously, we need to manipulate the certificate so that Visual Studio recognizes it as a usable strong name key file. To get OpenSSL:
It is recommended to select the EXE Win64 OpenSSL v1.1.1b Light version. Of course this will change as time goes by.
After you download and install it, add the folder containing the binaries to your PATH. If you took the defaults on installation, the path should be:
Log out and log back in (or at least open a new command window) so the new PATH takes effect.
Export The Code Signing Certificate That Was Just Imported
1) Select the Code Signing Certificate located in the Personal - Certificates folder of the Local Computer store.
2) Right click it and select All Tasks - Export.
3) On the Welcome To The Certificate Export screen, click Next.
4) On the Export Private Key screen, select the Yes, Export The Private Key option. Click Next.
5) On the Export File Format screen, ensure ONLY the following two options are checked: Export All Extended Properties and Enable Certificate Privacy. Click Next.
6) On the Security screen, check the Password box and enter/confirm the password. Click Next.
7) On the File To Export screen, specify the file name. Put it in the same folder you originally backed up to. Click Next.
The certificate will export as a PKCS #12 file with a .pfx extension. REMEMBER THE NAME.
Using OpenSSL, Rebuild The Certificate
If you try to use the certificate that was just exported in Visual Studio, you will get an error while trying to build your application. To verify this, quickly create a WPF application in Visual Studio, open the project Properties page, select the Signing tab, and try to sign the assembly with the certificate. By all accounts, you should get an error (Cannot import the following key file ... The key file may be password protected).
The usual cause is the way the Windows export wizard packages the key. Visual Studio reads the .pfx itself and tries to import the key into its Strong Name CSP key container, and the Microsoft-specific attributes the wizard attaches to the key bag (such as the key provider name) make that import fail. Rebuilding the file with OpenSSL, using the .pfx exported in the last step as input, writes a plain PKCS #12 holding only the key and certificates, which imports cleanly. To rebuild the certificate, do the following:
1) Open up a command window in Administrative Mode.
2) Change to the folder you stored the certificate in.
3) Enter the following command at the command prompt. NOTE: OriginalCertificateFileName.pfx is the name you chose during export. certfile.key is an actual, real filename; it will contain your certificate and your private key in PEM form, so treat it with the same care as the .pfx.
4) You will next be prompted for the password used when exporting the certificate. Then you will be asked to create a PEM pass phrase, which protects the private key inside certfile.key.
5) Next, enter the following command at the command prompt. NOTE: NewCertificateFileName is a new name you will choose. It is up to you.
6) You will then be prompted for the pass phrase you entered in the previous step. Provide it, and then specify a new Export password when prompted.
The new .pfx certificate file will be created, and that is the one you will use to sign your assemblies. Delete certfile.key once you have confirmed the new file works.
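The two-step rebuild above, scripted end to end so it can be checked without interactive prompts. This is an added example, not code from the original post: the file names, passwords and the throwaway self-signed "Example Code Signer" certificate used as a stand-in for the real Sectigo certificate are all assumptions. The helper functions also show how to inspect what is inside a .pfx without ever writing the private key to disk.

```sh
#!/bin/sh
# Added example (not from the original post): round-trip a Windows-exported
# PKCS#12 file (.pfx and .p12 are the same format) through OpenSSL, the two
# commands the post describes, driven non-interactively. All file names and
# passwords below are placeholders chosen for this example.
set -eu

# Step 1 of the post: unpack the original .pfx into one PEM file holding the
# certificate(s) and the private key. -passout here re-encrypts the key with
# a PEM pass phrase (the "PEM Pass phrase" prompt in the post).
# Step 2 of the post: re-export that PEM as a fresh .pfx under a new export
# password. OpenSSL writes a plain PKCS#12 without the Windows-specific bag
# attributes (such as the key provider name) the Certificate Export Wizard adds.
rebuild_pfx() {
    in_pfx=$1; in_pw=$2; out_pfx=$3; out_pw=$4
    pem=$(mktemp)
    # pass:<string> is convenient for a demo; prefer file: or env: in real
    # use so the password does not show up in the process list.
    openssl pkcs12 -in "$in_pfx" -out "$pem" \
        -passin "pass:$in_pw" -passout "pass:$in_pw"
    openssl pkcs12 -export -in "$pem" -out "$out_pfx" \
        -passin "pass:$in_pw" -passout "pass:$out_pw"
    rm -f "$pem"   # the PEM contains the private key; do not leave it behind
}

# Print the subject of the end-entity certificate in a .pfx (no key output).
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        | openssl x509 -noout -subject
}

# Count private keys in a .pfx (expect exactly 1). The key goes only to the
# pipe feeding grep, never to a file.
pfx_key_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Test fixture (constructed): a throwaway self-signed certificate standing in
# for the real code signing certificate, packaged as a .pfx.
make_test_pfx() {
    out=$1; pw=$2; dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Code Signer' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$out" -passout "pass:$pw"
    rm -rf "$dir"
}

# Stand-alone run: build the fixture, rebuild it, and report what came out.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pfx "$work/OriginalCertificateFileName.pfx" 'old-export-password'
    rebuild_pfx "$work/OriginalCertificateFileName.pfx" 'old-export-password' \
                "$work/NewCertificateFileName.pfx" 'new-export-password'
    pfx_subject "$work/NewCertificateFileName.pfx" 'new-export-password'
    echo "private keys: $(pfx_key_count "$work/NewCertificateFileName.pfx" 'new-export-password')"
    rm -rf "$work"
fi
```

Run it as `sh rebuild.sh demo` to see the round trip on the throwaway certificate; to use it on your own file, call rebuild_pfx with your exported .pfx and passwords instead. The post was written against OpenSSL 1.1.1. If you follow it with OpenSSL 3.x, be aware that the default PKCS #12 encryption algorithms changed in 3.0; should Windows refuse to import the rebuilt file, re-run the export step with the -legacy option (which needs the legacy provider available) or set -keypbe, -certpbe and -macalg explicitly to the older algorithms.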
Using Certificate In Visual Studio
To use the rebuilt .pfx as the strong name key when signing an assembly in Visual Studio:
1) Display the property page of the project.
2) Click on the Signing tab.
3) Check the Sign the assembly box.
4) Select the rebuilt .pfx file in the Choose a strong name key file field.
5) Specify the password when prompted (the export password you chose in the final OpenSSL step).
6) Build your solution.
You will now get a Build Succeeded.
Strong-name signing an assembly is not the same thing as Authenticode signing it. The publisher warnings users see when installing software, described at the top of this post, are governed by the Authenticode signature, so your setup executable, installer and any .exe or .dll you distribute still need to be signed separately with signtool, using the same certificate.
You can verify an assembly is strong-name signed with sn -vf something.dll (or something.exe). The sn (Strong Name) utility is available from the Visual Studio Developer Command Prompt. More directions on the Strong Name tool are at Microsoft: https://docs.microsoft.com/en-us/dotnet/framework/tools/sn-exe-strong-name-tool .
For more information on signing with SignTool, start here: https://docs.microsoft.com/en-us/windows/desktop/appxpkg/how-to-sign-a-package-using-signtool . When you sign, use a SHA-256 file digest (/fd SHA256) and an RFC 3161 timestamp (/tr with /td SHA256) so the signature remains valid after the certificate expires, and check the result with signtool verify /pa /v.
Here is a good Stack Overflow reference: https://stackoverflow.com/questions/2815366/cannot-import-the-keyfile-blah-pfx-error-the-keyfile-may-be-password-protec . It is from 2010, but its answers cover the same key import error and the OpenSSL round trip described above.