There are two major things necessary to create a code-signing key. First, your certificate needs to be signed by a CA that you have accepted to sign code. This is part of the Windows certificate management interface, and is not discussed here. (You can import your own self-signed certificate for it, but there are many reasons why it's better to have a CA than to import your end-use certificate into the root store.)

Second, your certificate needs to specifically include the "code-signing" OID (1.3.6.1.5.5.7.3.3) in the extendedKeyUsage extension. This requires a modification to your openssl.cnf file, and I don't remember the syntax for it off-hand. Also, I'd recommend you not use the "v3_ca" extensions section. Copy it to something else with some other name, and remove the part that puts the "CA:true" bit into the certificate.

-Kyle H

On Sun, Feb 22, 2009 at 10:59 PM, shalin mishra <[email protected]> wrote:
> Hi... I created a certificate for my own use to try signing binaries. I get
> a security warning when I verify my file through a cpp code, but when I
> verify winword.exe, it gives a successful output...
>
> I'm using openssl (version openssl-0.9.8h-1-doc) to create
> certificates. Following are the commands by which I created my
> certificate...
>
> // to create .pvk key file
>
> openssl genrsa -des3 -out my.pvk
>
> // to generate self-signed certificate
>
> openssl req -new -key my.pvk -x509 -out my.crt -extensions v3_ca -config openssl.cnf
>
> // to generate .pfx file
>
> openssl pkcs12 -export -in my.crt -inkey my.pvk -passout pass:my -out my.pfx
>
> I think I am missing something in the command for creating certificates. Can
> someone please help me? If you require any more information regarding the
> process then please tell me...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
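Kyle's second point (a codeSigning extendedKeyUsage, and an end-entity extensions section in place of v3_ca with its CA:true), worked through as an added example that is not code from the thread or from either poster. It writes a minimal openssl.cnf, re-runs the three commands from the original post against it, and then inspects the resulting certificate the way a reviewer would before importing it. The section names v3_codesign and v3_ca_style, the CN, the file names, the scratch directory and the pass phrase "changeit" are all assumptions made for the example; the key file is named .key rather than .pvk because genrsa writes PEM whatever extension you give it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a self-signed
# code-signing certificate from an end-entity extensions section (our own
# section name "v3_codesign") instead of v3_ca, packages it as .pfx the way
# the original poster did, and checks the result with "openssl x509 -text".
set -e

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (assumption)

# Minimal openssl.cnf. "v3_codesign" is the end-entity section Kyle
# recommends creating; "v3_ca_style" mirrors what v3_ca gets wrong for
# this purpose (CA:TRUE, no codeSigning EKU) so the check has a negative
# case to reject. Both names and the CN are assumptions.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = Example Code Signing Test

[ v3_codesign ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash

[ v3_ca_style ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_cert KEY CERT CONFIG SECTION: new RSA key plus a self-signed
# certificate carrying the extensions from SECTION. genrsa writes PEM
# regardless of the file extension, so the key is named .key, not .pvk.
make_cert() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -x509 -key "$1" -out "$2" -days 365 \
        -config "$3" -extensions "$4" 2>/dev/null
}

# make_pfx KEY CERT PFX: bundle key and cert for the Windows tools.
# The pass phrase "changeit" is a placeholder (assumption).
make_pfx() {
    openssl pkcs12 -export -in "$2" -inkey "$1" -passout pass:changeit -out "$3"
}

# check_code_signing_cert CERT: succeeds only if the certificate carries the
# Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) and is not marked as a CA.
check_code_signing_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'Code Signing' || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE'     || return 1
    ! printf '%s\n' "$text" | grep -q 'CA:TRUE'
}

demo() {
    write_config "$WORK/openssl-codesign.cnf"
    make_cert "$WORK/my.key" "$WORK/my.crt" "$WORK/openssl-codesign.cnf" v3_codesign
    make_pfx  "$WORK/my.key" "$WORK/my.crt" "$WORK/my.pfx"
    make_cert "$WORK/ca.key" "$WORK/ca.crt" "$WORK/openssl-codesign.cnf" v3_ca_style
    for c in my.crt ca.crt; do
        if check_code_signing_cert "$WORK/$c"; then
            echo "$c: code-signing end-entity certificate"
        else
            echo "$c: NOT usable for code signing (missing EKU or CA:TRUE)"
        fi
    done
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run it and then look at `openssl x509 -in "$WORK/my.crt" -noout -text`: the good certificate shows "X509v3 Extended Key Usage: Code Signing" and "CA:FALSE", while the v3_ca_style one shows "CA:TRUE" and no EKU, which is what the check rejects. The script covers only Kyle's second point; the self-signed certificate still has to be trusted on the verifying machine (his first point), and a CA-issued certificate remains the better option for anything beyond a local test.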
