Certutil repair Code Signing Certificate in CurrentUser not LocalMachine - certificate

So this is my first time having this problem. Last time my code signing certificate was installed correctly and without problems; this time, however, the private key flag is missing from my certificate, and after searching for about an hour I found certutil -repairstore my "CertSerialNumber"
This works if the certificate is installed to the local machine, but then signtool is unable to find the certificate. By default it installed to CurrentUser, so how do I run certutil -repairstore on a certificate in CurrentUser? I have tried adding -sr currentuser and -user, and it complains they are invalid parameters (WIN32: 87 ERROR_INVALID_PARAMETER).

Finally found the answer. Typical, it's within minutes of posting this question. So, for anyone else:
make sure the params are ordered correctly; certutil is a little bit of a pain with the order of parameters:
certutil -user -repairstore my "CertSerialNumber"
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
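
An added example, not part of the original answer: a PowerShell check that lists code signing certificates in the "My" store of both CurrentUser and LocalMachine that have no private key linked, and prints the matching certutil command with -user placed before -repairstore for the CurrentUser case. The function name is hypothetical, and nothing is repaired automatically.

```powershell
# Added example: report code signing certificates whose private key link is missing.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Get-UnlinkedCodeSigningCert {
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem -Path "Cert:\$location\My" |
            Where-Object {
                # Read the EKU extension directly; the provider's -CodeSigningCert
                # switch is avoided here so certificates without a key are not hidden.
                $eku = $_.Extensions | Where-Object {
                    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
                }
                ($eku.EnhancedKeyUsages.Value -contains $codeSigningOid) -and
                    (-not $_.HasPrivateKey)
            } |
            ForEach-Object {
                # certutil expects options such as -user BEFORE the verb (-repairstore)
                $scope = if ($location -eq 'CurrentUser') { '-user ' } else { '' }
                [pscustomobject]@{
                    Location      = $location
                    Subject       = $_.Subject
                    SerialNumber  = $_.SerialNumber
                    NotAfter      = $_.NotAfter
                    RepairCommand = "certutil ${scope}-repairstore my `"$($_.SerialNumber)`""
                }
            }
    }
}

Get-UnlinkedCodeSigningCert | Format-List
```

-repairstore can only re-link a key that still exists in a key container on this machine or token; it does not recreate a lost key.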

Related

Query about digitally signing files

I'm seeking some clarification.
I recently purchased a digital cert for code signing from one of the recognised certification authorities.
The approach I've taken is to make a batch file where I use the batch file to digitally sign each .exe file.
The batch file looks like this (password has been modified):
signtool sign /f "C:\DigitalSignaturesAndCerts\ServerCertificate.pfx" /p "PasswordGoesHere" /tr http://timestamp.sectigo.com /td SHA256 /fd SHA256 "C:\SpecificApp\ActualFile.exe"
This is working without issue.
I am not an expert in digital signing and I have two queries:
Am I right in saying what I am doing is sufficient and I don't need to import the cert to Visual Studio and sign the files when compiling from Visual Studio?
Am I right in saying that this signed exe file will continue to work after the cert has expired, based on the batch file described above?
Any clarification is appreciated.
This is more of a general query so problem replication description is not relevant.

I am trying to enable Google Play App Signing but getting an error while generating the .pem file

I am a Unity game developer. I am trying to get a .pem file from a keystore through the command prompt in order to enable app signing, and the command is
C:\Users\admin19>java -jar C:\Users\admin19\Desktop\pepk.jar --keystore= F:\Key
Store\abc.keystore --alias=abc --output=C:\Users\admin
19\Desktop\output\key.pem --encryptionkey=eb10fe8f7c7c94656756df715022017b00c6471f8ba8170b13049a11e6c0
9ffe3056a104a3bbe4ac5a955f4ba4fe93fc8fghhjkcef2kk7558a3eb9d2a529a2092761fb833b656cd48b9d
e6a
I press Enter after typing this into cmd.
It asks for the keystore password, which I enter. Then it asks for the alias password, and I enter that too, which is the same as the keystore password. But it gives the error: no key for alias : [aliasname]. What should I do? Please help.
You may follow the suggestions in this thread.
To get the Key Alias: I copied the keytool.exe and my keystore file into the C:\Program Files\Java\jdk1.7.0_71\bin folder. Then from the command prompt I wrote: keytool -list -v -keystore <name>.keystore. It will also ask for the keystore password then. Then it will show you the key alias and certificate fingerprints and other info.
It was also mentioned that if you have the keystore password, keytool might be able to list the aliases.

code signing error with install4j

When I try to sign my exe using a p12 keystore I get the following error:
codesigning.p12 does not contain the complete certificate chain
However, I can sign it without problem using the windows signTool.exe by executing:
signtool sign /f codesigning.p12 /p $keyStorePassword myprogram.exe
Any ideas how to get this working in install4j?
signtool can access intermediate certificates in the Windows keystore, something that install4j does not do.
Other than creating a self-contained certificate (see Adding an intermediate certificates to a pkcs12 file), you can use the "Executable processing" step of the media wizard and call
C:\Path\To\signtool sign /f codesigning.p12 /p $keyStorePassword $EXECUTABLE
to perform external signing of all executables.

Microsoft CA, Automatic issue

Does anybody know if it's possible to issue several certificates from a CSV like this:
CN=TestCertificate1, DNS=testServer1
CN=TestCertificate2, DNS=testServer2
CN=TestCertificate3, DNS=testServer3
Using a given template and getting a pfx as output?
Thank you
This should be doable, although not by simply uploading a .CSV file and downloading the output. The easiest way would be to use some of the PKI Client Cmdlets in Windows PowerShell. These are PowerShell commands that let you interact with a Microsoft CA from a script or the command line.
The first step would be to generate a certificate request using the DN information you find in the .CSV file. A great tutorial on generating the CSR can be found here. Once the certificates have been approved on the CA, you can export them using the relevant PKI Client Cmdlet, Export-PfxCertificate, via your PowerShell script.
Hope this helps!
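
An added example, not part of the original answer: one way to script the request and export steps with the PKI client cmdlets Get-Certificate and Export-PfxCertificate, reading lines in the format shown in the question. The template name, file paths and helper function name are hypothetical, and the template is assumed to allow a request-supplied subject and an exportable private key.

```powershell
# Added example: enroll one certificate per input line and export each as a PFX.
# Assumptions (not from the original post): template name, file paths, and a
# template that permits a supplied subject and an exportable private key.
$template    = 'ExampleWebServerTemplate'   # hypothetical template name
$inputFile   = 'C:\Temp\certs.csv'          # lines like: CN=TestCertificate1, DNS=testServer1
$outDir      = 'C:\Temp\pfx'                # hypothetical output folder
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString   # not hard-coded

function ConvertFrom-RequestLine {
    param([string]$Line)
    # Split "CN=..., DNS=..." into a hashtable keyed by field name
    $fields = @{}
    foreach ($pair in ($Line -split ',')) {
        $name, $value = $pair -split '=', 2
        if ($value) { $fields[$name.Trim().ToUpper()] = $value.Trim() }
    }
    if (-not $fields['CN'] -or -not $fields['DNS']) { throw "Malformed line: $Line" }
    $fields
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($line in (Get-Content -Path $inputFile | Where-Object { $_.Trim() })) {
    $req = ConvertFrom-RequestLine -Line $line
    $result = Get-Certificate -Template $template -SubjectName "CN=$($req['CN'])" `
        -DnsName $req['DNS'] -CertStoreLocation 'Cert:\CurrentUser\My'
    if ($result.Status -ne 'Issued') {
        # Templates that need CA manager approval come back Pending: nothing to export yet
        Write-Warning "$($req['CN']): request status is $($result.Status)"
        continue
    }
    Export-PfxCertificate -Cert $result.Certificate -Password $pfxPassword `
        -FilePath (Join-Path $outDir "$($req['CN']).pfx") | Out-Null
}
```

Each issued certificate and its key also remain in Cert:\CurrentUser\My after export; remove them there if the PFX is meant to be the only copy.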

makecert tool issue

I am confused about the following concepts in the makecert tool, especially about what location (-sr parameter) and store (-ss parameter) mean. I read and got my confusion from this link. I tried to find tutorials about what "location" and "store" mean, but found nothing. Could anyone help to clarify, please?
Those are parts of the specification for how Windows locates the certificate storage. The -sr location parameter tells the tool which certificate store to use: either currentuser to store it for the user, or localmachine to store it for everyone on the machine. The -ss parameter lets you give a name for a particular store, so you could, for example, have
-sr currentuser -ss moe
-sr localmachine -ss moe
and have two different named stores -- one for the current user, one for the machine -- or have
-sr currentuser -ss moe
-sr currentuser -ss curly
and have two different stores for just the current user.
I'm not sure if it exists in Windows Server 2003, but in Win XP I use the Microsoft Management Console to see all available certificates in the Windows store.
Type 'mmc' in Run (from the Start menu) to open the MS management console.
Then go to the 'File' menu and choose 'Add/Remove snap-in'.
Press the Add button and now you can choose one of the user, service or computer account.
When you do this you will perfectly understand the difference between the -sr and -ss options.
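
An added example, not part of the original answers: the same location and store pairs seen through PowerShell's certificate provider, where Cert:\<location>\<store> corresponds to makecert's -sr and -ss values. The function name and the sample subject text are hypothetical; the function reports every location and store that holds a matching certificate.

```powershell
# Added example: find which (location, store) pairs contain a certificate.
function Find-CertificateByStore {
    param([Parameter(Mandatory)][string]$SubjectLike)

    foreach ($location in 'CurrentUser', 'LocalMachine') {       # the -sr values
        foreach ($store in (Get-ChildItem -Path "Cert:\$location")) {   # the -ss names
            Get-ChildItem -Path "Cert:\$location\$($store.Name)" |
                Where-Object { $_.Subject -like "*$SubjectLike*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Location      = $location
                        Store         = $store.Name
                        Subject       = $_.Subject
                        Thumbprint    = $_.Thumbprint
                        HasPrivateKey = $_.HasPrivateKey
                    }
                }
        }
    }
}

# 'Example Publisher' is a constructed subject fragment; substitute your own.
# The same store name (for example My) can appear once under each location.
Find-CertificateByStore -SubjectLike 'Example Publisher' |
    Sort-Object Store, Location |
    Format-Table -AutoSize
```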