Thanks for replying.

From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
I looked at this some time ago so this may not be up to date...

There wasn't anything special about an authenticode certificate provided you
didn't set the extensions to specifically exclude the usages. So a "vanilla"
CA and EE certificate are sufficient. The root CA also has to be added and
trusted for code signing in the Windows certificate stores.

The certificates you get from CAs not intended for authenticode generally
aren't usable, normally because the root CA isn't trusted for code signing and
occasionally because the extended key usage doesn't allow it either.

Netscape object signing used to also require that the netscape certificate
signing extension be present with its object signing bit set. If this extension
was not present then it couldn't be used. I'm not sure if that's still the case
since netscape certificate type is largely obsolete.

Ok, sounds simple enough, so I create a root CA with openssl, then sign a
certificate for a fictitious user, and use that to sign an Office VBA (just some
dummy stuff, doing nothing).

After loading up my VBA, I see it has no timestamp, and according to the
msdn site, the signature is timestamped by connecting to the CA (which issued
the certificate) and getting the timestamp signed by that CA. And this is done
in the background, during code signing. I dug around, there's no other
way to do it.

Ok, it's getting interesting. Let's say I set up a TSA server (using opentsa
or something), but my certificates are created using openssl. How do I add
that information into the certificate I signed, so that during code signing,
Windows knows how to connect to my TSA server to get a timestamp?

So what is the extension that I need to put in, what information and how?

That's what I was asking, what's the difference between the code signing
cert and a plain vanilla cert?

Thanks for any hint.
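The "vanilla root CA plus EE certificate" setup from the quoted reply, written out as an added example (not code from the thread): an openssl config whose EE section carries the codeSigning extended key usage and the legacy nsCertType objsign bit, a throwaway root CA, and a signed end-entity certificate. Subjects, file names and the 2048-bit RSA keys are constructed for the demo; the timestamp question is not addressed here.

```shell
#!/bin/sh
# Added example, not from the original thread. All names/paths are constructed.
set -eu

# Config with a CA section and an EE section that does not exclude code
# signing: extendedKeyUsage = codeSigning plus the nsCertType objsign bit
# that Netscape object signing used to require.
write_codesign_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Code Signing Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_codesign ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
nsCertType = objsign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create ca.key/ca.crt and ee.key/ee.crt (fictitious signer) in directory $1.
make_codesign_certs() {
  dir=$1; cfg=$dir/codesign.cnf
  write_codesign_config "$cfg"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
    -out "$dir/ca.crt" -days 3650 -config "$cfg" -extensions v3_ca >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ee.key" \
    -out "$dir/ee.csr" -config "$cfg" -subj "/CN=Fictitious Signer" >/dev/null 2>&1
  openssl x509 -req -in "$dir/ee.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/ee.crt" -days 365 -extfile "$cfg" \
    -extensions v3_codesign >/dev/null 2>&1
}

# Print the extendedKeyUsage value of a certificate, e.g. "Code Signing",
# so you can check the EE cert before importing it into the Windows stores.
cert_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//'
}
```

Run `make_codesign_certs /tmp/demo` and then `cert_eku /tmp/demo/ee.crt`; the root CA still has to be imported and trusted for code signing on the Windows side.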



OpenSSL Project
User Support Mailing List
Automated List Manager                           [EMAIL PROTECTED]
