Loading…

		

		
		
		
		
		

	
						
		
			

				
				

					
					
Certificates

				

				
				

					


	
Using certificates for signing parcels



	


		
Running an unknown program is a risk – by running it, you grant it
		access to your computer, and there always is a possibility that the program
		you have just started is not what you expect it to be. An executable parcel
		is a program, and like any program, it may be infected or modified to do
		something harmful.


		
Signing a parcel solves this problem. Digital signature assures the recipient
		that it is really a legitimate parcel and not a trojan, just pretending to be
		sent by someone the recipient knows. A valid signature guarantees that the sender
		is indeed the person to whom the certificate belongs, and that the parcel has not
		been modified or infected during transfer.


		
Signing
		non-executable (i.e. standard or hidden) parcels is not necessary, as they don't
		contain any executable code.


		
Silver Key Enterprise edition can create digitally signed executable parcels.
		All you need is to provide the paths to your certificate and your private key files:


			Crypto Settings Panel

		
Certificate file has either .cer (Certificate) or .spc (Software
		Publisher Credentials) extension. Private key file's extension is .pvk.


		
Compare the warning boxes for an unsigned


			Opening a non-signed parcel.

		
and for a signed parcel:


			Opening a properly signed parcel.



		
Where Do I Get a Certificate?


		
There are two ways to obtain a certificate – either to create it yourself,
		or to buy it from a Certificate Authority.


		
A self-created (or more precisely, self-signed) certificate will not be recognized
		on other computers because you are not an established well-known Certificate Authority
		(well, unless you are). You need to send your certificate to your correspondents first,
		and to provide them instructions on how to install your certificate on their computers.


		
A certificate, signed by a CA (Certificate Authority) is recognized everywhere.
		Such a certificate has only one, but a huge drawback: it is not free, and you will
		have to pay for it annually.


		
Summing up,


		
    

			
  • Self-signed certificate can be used when your parcels are being sent to a small
			circle of well-known correspondents, and when it is possible to install your
			certificate on the recipients' computers
    • 

			
  • CA-signed certificate is necessary when there are too many recipients, or when
			the audience is not defined, in short, whenever it is not possible to install
			a self-signed certificate.
    • 

		




		
CA-issued Certificates


		
There are several Certificate Authorities you can obtain a certificate from.
		The certificate type that you need is called Code Signing Certificate or Microsoft
		Authenticode Certificate. After verifying your identity the Certificate Authority
		will send you your certificate in some form and instructions how to convert it to
		the pair .spc/.pvk (or equivalent .cer/.pvk).


		
Open Settings panel, select the Digital Signature
		page, and enter the paths to the .spc and the .pvk files. Create any
		executable parcel, right-click it, select Properties, and check the tab
		Digital Signature.




		
Self-signed Certificates


		
You will need MakeCert tool, which is a part of Windows SDK. If there is
		no makecert.exe on your computer, download
		Windows SDK
		from Microsoft Web site.


		
The first step is a creation of the root (CA) certificate. Open Windows Command
		Prompt and enter


		

			makecert -r -pe -n "CN=Head & Feet Research Institite"

			    -ss CA -sr CurrentUser -a sha1 -cy authority

			    -sky signature -sv hfri.pvk hfri.cer
		


		
The command above must be entered as a single line.


		
It creates two files in the current directory – hfri.cer (certificate)
		and hfri.pvk (private key) issued to an organization Head & Feet Research
		Institite. Store the private key in a safe place; it must not be kept in the open.


		
File hfri.cer contains the organization's root certificate, which will
		be used for signing children certificates, which, in turn, will be used for
		signing parcels. The root certificate must be installed either by using CertUtil
		command-line tool


		

			certutil -user -addstore Root hfri.cer
		


		
or simply by right-clicking the certificate file and selecting Install.


		
The next step is creating the certificate, which will actually be used for parcel signing:


		

			makecert -pe -n "CN=HFRI Feet Department" -a sha1 -cy end

			    -sky signature -iv hfri.pvk -ic hfri.cer

			    -sv hfri-fd.pvk hfri-fd.cer
		


		
The command above must be entered as a single line.


		
Now open Settings panel, select the Digital Signature
		page, and enter the paths to the just created files hfri-fd.cer and
		hfri-fd.pvk. Any newly created executable parcel will now be signed with
		this certificate. Create an executable parcel, right-click it, select Properties,
		and make sure that the tab Digital Signature correctly displays your
		certificate.


		
In order for your certificate to be recognized on recipients' computers,
		send your correspondents the root certificate file hfri.cer (not
		hfri.pvk!) and ask them to install the certificate by right-clicking
		it and selecting Install.




		
Timestamp or not Timestamp?


		
Timestamping adds the date of signing to the digital signature record.
		Its purpose is best illustrated by a simple example: let's assume that your
		certificate expires at 1st May 2013, and you are signing your parcel at
		1st April 2013. What will happen with your digital signature at May 1st?


		
    

			
  • If you have not timestamped the parcel, at May 1st the signature will
			also expire and will become invalid.
    • 

			
  • If the parcel is timestamped, the signature will remain valid, as
			the system will be able to determine that the certificate was valid at
			the moment of signing.
    • 

		


		
Timestamp is necessary if your parcel is supposed to live longer
		than your certificate.