Signing with a Verisign 2048 bit Cert

This entry is a little out of order for my manifest discussion; however,
I've finally mastered this monstrosity and it's a good time to share
the wealth. To do a WinSxS install on Vista or 7, MS requires you to
sign with a trusted 2048-bit cert.

This is a MAJOR problem, and is probably the reason that when you do
a "dir \windows\winsxs" you will typically only see MS products.
(Well, and mine now!) Who are the trusted certificate authorities (CAs)?
Thawte and Verisign, among others. Now the problems begin. As of writing this,
Thawte doesn't offer ANY 2048-bit certs, let alone code signing ones.

Verisign does offer certs of that strength; however, we are on brave
new ground. They only offer two forms of code signing certs: MS Authenticode
at 1024-bit only, and Java Signing at whatever strength you request in
your certificate signing request (CSR). [I'm not sure what their limit is, but
it can definitely do 2048-bit.]

Here is the rub: Verisign has no idea how to issue a certificate for use
with MS signing tools (ignoring Authenticode) that is anything but 1024-bit! We are
approaching the realm of true black magic, since we cannot use the Java signing
for what we need, not even to generate the request: their tool can't
override the bit depth to 2048-bit in a way we can use.

There are a couple of challenges here: first, getting the
correct certificate. Verisign only really supports Java certs for Java use. Kind of
ridiculous: it's just a public key/private key pair. In my opinion they should not
make things as obfuscated as they do. They ought to provide the key pair in
whatever format the client requests, especially since they are not cheap.

The next challenge is converting what they give you to a useful format. Then,
finally, we have to do the signing. To do this you will have to download a couple of
tools: pvk.exe and signcode.exe. The signtool.exe that comes with newer
versions of Visual Studio will work--but only from the wizard mode. The command
line doesn't work. If you are doing an automated build, signcode is the only
way to go.

Here is the step by step:
[You will need OpenSSL 0.9.8 or higher (for the -nocerts option); otherwise,
when you try to extract your PFX you will be hosed. You have to be able to
extract just the key without its matching certificate, since Verisign's format
doesn't provide it in any useful way (it's keyed for Java).]

1. Make your key (this is a pem file format)
openssl genrsa -out private.key 2048

2. Make your csr
openssl req -new -nodes -key private.key -out codesign.csr

3. Verify your key/CSR pair
[if this doesn't work, your OpenSSL distribution is torqued]
openssl req -in codesign.csr -noout -verify -key private.key

4. Deliver the CSR to Verisign [you need a Java Object Signing (Class 3) cert]
(wait for them to do your background check and email you your cert)

5. Save the cert that Verisign emails you as "ssl-cert.crt" (this is an SPC file format)

6. Export your PFX
openssl pkcs12 -export -in ssl-cert.crt -inkey private.key -nocerts -out cert-export.pfx

7. Do the intermediate conversions to get the valid format for signcode
openssl pkcs12 -in cert-export.pfx -nocerts -nodes -out userkey.pem
pvk -in userkey.pem -topvk -nocrypt -out ssl-cert.pvk

[... note: you need to PERMANENTLY keep your private.key, codesign.csr,
ssl-cert.crt, and ssl-cert.pvk. You will need to reuse the CSR
to keep your keys the same next year when your cert expires. The other
files are consumed by signcode...]

8. Extract your public key token to use in your manifests
[copy out the second publicKeyToken="****************"]
pktextract.exe ssl-cert.crt

9. Now to do the signing, we have to use the older signcode, not signtool!
[-t takes the URL of your CA's timestamp server, and the file to sign comes last;
both are shown as placeholders here]
signcode -spc ssl-cert.crt -v ssl-cert.pvk -t <timestamp-server-url> -n "ProgramName" -i "Associated Website" <file-to-sign>
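The OpenSSL half of the procedure above (steps 1-3, 6 and the first command of 7), as an added, runnable example that is not part of the original post. Verisign cannot be reached offline, so a self-signed stand-in certificate takes the place of the one the CA would email back in steps 4-5; pvk, pktextract and signcode are Windows-only and are not run. The PFX is exported with the certificate included (the portable form; the post's -nocerts trick is specific to the author's 0.9.8 build) and the key is then pulled back out with -nocerts exactly as in step 7. The subject name, export password and temp directory are constructed for the demo; the two check functions confirm what the procedure is meant to guarantee: a 2048-bit key whose modulus matches the certificate.

```shell
#!/bin/sh
# Added example (not the post's own script): exercises the OpenSSL steps of the
# procedure and verifies the resulting key. Requires the openssl CLI.

WORKDIR=$(mktemp -d)               # constructed scratch dir; left behind for inspection
PFX_PASS="demo-export-password"    # constructed; pick a real one in practice

# Step 1: 2048-bit RSA private key in PEM form.
make_key() {
    openssl genrsa -out "$WORKDIR/private.key" 2048 2>/dev/null
}

# Step 2: CSR bound to that key. -subj avoids the interactive prompts.
make_csr() {
    openssl req -new -nodes -key "$WORKDIR/private.key" \
        -subj "/CN=Example Code Signer/O=Example Org" \
        -out "$WORKDIR/codesign.csr" 2>/dev/null
}

# Step 3: the post's sanity check; fails if the CSR was not signed by this key.
verify_csr() {
    openssl req -in "$WORKDIR/codesign.csr" -noout -verify \
        -key "$WORKDIR/private.key" 2>&1 | grep -q "verify OK"
}

# Stand-in for steps 4-5: self-sign the CSR so the later steps have a
# certificate to work with. Nothing trusts this cert; it only exercises the path.
issue_standin_cert() {
    openssl x509 -req -in "$WORKDIR/codesign.csr" -signkey "$WORKDIR/private.key" \
        -days 1 -out "$WORKDIR/ssl-cert.crt" 2>/dev/null
}

# Step 6: export key + cert to a PFX (PKCS#12). -passout keeps it non-interactive.
export_pfx() {
    openssl pkcs12 -export -in "$WORKDIR/ssl-cert.crt" -inkey "$WORKDIR/private.key" \
        -passout "pass:$PFX_PASS" -out "$WORKDIR/cert-export.pfx" 2>/dev/null
}

# Step 7 (first command): pull just the unencrypted key back out of the PFX,
# which is the input the pvk tool would then convert to ssl-cert.pvk.
extract_key_pem() {
    openssl pkcs12 -in "$WORKDIR/cert-export.pfx" -nocerts -nodes \
        -passin "pass:$PFX_PASS" -out "$WORKDIR/userkey.pem" 2>/dev/null
}

# Check 1: the RSA key size OpenSSL reports for the extracted key, e.g. "2048".
key_bits() {
    openssl rsa -in "$WORKDIR/userkey.pem" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Check 2: "match" when the extracted key's modulus equals the cert's modulus,
# i.e. the PFX round trip did not swap or corrupt the key.
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/userkey.pem" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORKDIR/ssl-cert.crt" -noout -modulus 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Run every step in order; stops at the first failure.
run_pipeline() {
    make_key && make_csr && verify_csr && issue_standin_cert \
        && export_pfx && extract_key_pem
}

run_pipeline && echo "key: $(key_bits) bit, key/cert modulus: $(key_matches_cert)"
```

If `verify_csr` fails, the key and CSR do not belong together, which is the "torqued OpenSSL" case the post warns about in step 3; if `key_matches_cert` prints `mismatch`, the PFX export or extraction lost the pairing and the .pvk built from it would not sign anything that validates against the cert.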

You now have a binary signed with 2048-bit security. MS is forcing all the CAs
to move to 2048-bit at some point. Before you do all these steps, contact your CA
and specifically ask if they can give you a 2048-bit Authenticode cert. As
of this date, they will not even think what you are asking for is possible...

EDIT Oct 2010: Please read this. I got this email from Verisign:

2048-bit root upgrade completed for SSL

Dear customer,

On October 10, 2010, at 0600 PDT, VeriSign Identity and Authentication Security,
now a Division of Symantec, completed the upgrade to the 2048-bit VeriSign
Class 3 Public Primary Root Certification Authority-G5, creating a stronger,
chained CA hierarchy for all our SSL and Code Signing Certificates.

All new SSL and Code Signing certificates are NOW being issued from intermediate
CAs under this 2048-bit root.