I have created the .pvk and .cer files using the makecert.exe (on commandline) as per - https://msdn.microsoft.com/en-in/library/ff699202.aspx
In my folder the .pvk and .cer files are available. However, when I run the pvk2pfx utility, the .pfx is not created instead I get a prompt for how to use the utility.
Attached is the screenshot of the cmd prompt. I've also tried it at the MSVC bin folder and the behavior is the same.
Kindly help.
makecert and pvk2pfx - Command Screen Shot
You need code sign certificate with private key. Generate request, send it to CA, buy code sign certificate, place certificate into certificate store and use signtool. Specify thumbprint of codesign certificate when using signtool.
More info can be found here.
Documentation on signtool can be found here.
Related
I'm having trouble understanding how to get/generate a private key for some certificates I requested.
I've created a CSR using the DigiCert Certificate Utility for Windows, which gave me a csr.txt file as an output but no .key file.
Then I proceeded to request the certificates by inserting the above mentioned CSR in the Certificate Management portal of my company.
Now I have received the p7b files and the related CSRs, but no private keys: is it possible to generate it now?
Thanks in advance,
Tommaso
Use the import function of the DigiCert Certificate Utility for Windows. The key is stored on software in the machine where the CSR was created. After the import the key and the certificate are associated and should be in the Windows certificate Store. If the key was generated with the exportable flag, you can export a PKCS#12 and convert that to a key file using openSSL.
A little bit of context:
I used to generate CSRs from IIS "Create certificate request", import that in my provider (GoDaddy) and get a .crt in return. Then I used to go again to IIS to "Complete certificate request" and generate the .pfx
I want to automate this process as much as possible including importing the CSR to GoDaddy and downloading the .crt file.
Right now I was able to automate the CSR creation with certreq.exe but note sure how to complete the request using powershell to create the .pfx when I have the .crt file from GoDaddy. I know I can do it with openssl but I'm missing the private key.
I think when I create the CSR request with certreq.exe, it generates the .pfx on "MMC > Certificate Enrollment Requests" which has the private key so I was wondering if every time I request the CSR, I have to export that .pfx and with openssl extract the private key to use it with my.crt file from GoDaddy?
Hopefully I was able to explain correctly what I'm trying to accomplish and somebody can help me with this.
I ONLY have .crt file with me which I purchased from Comodo. No private key or any thing. How can I use this to sign my code and get rid of "publisher unknown" issue in my installer. I have used Inno-Setup for creating the installer too. Code is in C Sharp. I tried to use sign tool and openssl but I don't have any other file than this user.crt file. I just can get .cer format using .crt and thats all. Appreciate any help
Usually, you need sign the application from PC where you are registered Comodo certificate. The private key saved by your browser in the local storage.
You cannot sign files with a public key only.
You need the private key.
If it were possible to sign files with a public key only, anyone could sign malicious content with your public key.
Im sitting with a bit of a problem. Im busy creating a php/html website (intranet) for our support team to make life a bit easier when support linux machines.
I have a .jar app called mindterm (the free version) and want to run it as an applet in the site.
However according to their site you have to have the .jar file signed before loading it as an applet otherwise it cant open tcp connections.
So i did as much research as i could in the time i had and came up with the jarsigner.exe and keytool.exe files provided in the JDK installation.
However i do not have a clue how to go about signing this app so that i can actually use it.
Any help?
Thanks
First create a key-pair using keytool.
keytool -genkey -alias somekeyname
Then use jarsigner to sign it with the key you just created.
jarsigner /path/to/jar somekeyname
Note, you need to use the same alias (somekeyname here) as the one you create the key with.
Now, since the certificate is self-signed, the user of your applet will be prompted to approve the certificate. Once they do so, your tcp connections should work.
Since I assume you're only using the applet internally in your organization, self-signed certs should be fine. Otherwise you will have to pay for a certificate. In that case, your users will not need to accept the certificates after the first time (if they choose Always Allow").
You can sign jars using :
Install this Eclipse plugin
Eclipse Webstart Plugin.
You will just need to export as "Webstart". It will prompt you to sign the jars.
DEMO
Combined the top answer with some useful hints to get completely unattanded script:
keytool -genkey -noprompt -alias Alias -dname "CN=Hostname, OU=OrganizationalUnit, O=Organization, L=City, S=State, C=Country" -keystore path.to.keystore -storepass password -keypass password -validity 3650
jarsigner -keystore path.to.keystore -storepass password -keypass password -signedjar signed.jar unsigned.jar Alias
This is a somewhat complex area, and you essentially need to know what you are doing, and you may have to pay real money for a signing certificate.
The Sun Java Tutorial cover the topic well: http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html
If the intent is to give the support people a ssh client, there might be better solutions.
I was able to develop a mdm solution.
I started facing problem when I moved my agent from Developer account's provisioning profile to Enterprise account's in-house distribution profile.
Now I am totally confused which certificate is used where?
Please guide me his is the certificate used in the below places:
Certificate in credentials section of enrollment profile (is it having BI as com.apple.mgmt._ ? or can be any like com.abc.mdm ? or it's the one received by customer)
Certificate .pem file used to wake up device?
Thanks
You need to use your iOS Enterprise developer account use the Agent account's credentials.
Follow this page http://www.softhinker.com/in-the-news/iosmdmvendorcsrsigning and then verify few things as remove the passphrase from customerPrivateKey.pem using this command
openssl rsa -in customerPrivateKey.pem -out PlainKey.pem
Verify the .pem certificate downloaded from https://identity.apple.com/pushcert/
You can install this .pem in you Mac's Keychain and then see the Get Info and the certificate should have com.apple.mgmt.External.b503419d-1e2a-a60f-7451-5b8832b5a9cb, which you can use as push topic while generating enroll mobileconfig .
Then merge your APNS certificate (for example CustomerCompanyName.pem) downloaded from the portal https://identity.apple.com/pushcert/ using this command
cat CustomerCompanyName.pem PlainKey.pem > PlainCert.pem
Now the PlainCert.pem you can use as APNS/MDM certificate.
Please see this for Identity.p12 and respective password, which you have to use in Credential section.
1) it HAS to be com.apple.mgmt._ however this does not come from the provisioning portal - all you can set up here is your vendor certificate. See here
2) the certificate is used to make the connection to the APNS service, but you should get this from the the Apple Push Certificates Portal