How to create and apply a digital signature certificate under Windows: the whole process

At present, when we publish our application, the executable a user downloads may be quarantined outright by 360 antivirus as a Trojan. Marking the application's executable with a digital signature makes 360's detection rules treat it more leniently. The following describes the process of creating a digital signature certificate. Keep in mind that a certificate made this way is self-signed: Windows itself only reports the resulting signature as valid on machines where the root certificate has been imported into the Trusted Root Certification Authorities store, so the signature identifies the file but does not by itself make it trusted by Windows.

  What you need: makecert.exe, cert2spc.exe, pvk2pfx.exe, signtool.exe (all shipped with the Windows SDK).

  The Microsoft SDK 6.0 (and later Windows SDKs) ships a certificate generation tool, makecert.exe, which you can use to generate test certificates.

  Step 1: generate a self-signed root certificate (the issuer).

  >makecert -n "CN=Root" -r -sv RootIssuer.pvk RootIssuer.cer

  At this point dialog boxes pop up. First, set a password that protects the private key file RootIssuer.pvk;

  Then enter the same password once more: makecert uses the private key in RootIssuer.pvk to sign the certificate that carries the public key, RootIssuer.cer.


  Step 2: use this root certificate to issue a child certificate (the subject, i.e. the end user).

  >makecert -n "CN=Child" -iv RootIssuer.pvk -ic RootIssuer.cer -sv ChildSubject.pvk ChildSubject.cer

  At this point dialog boxes pop up again. First, set a password protecting the child certificate's private key file, ChildSubject.pvk;

  Then enter that child private key password (ChildSubject.pvk) once more; the matching public key is written into ChildSubject.cer.

  Next you are prompted for the root certificate's private key password (RootIssuer.pvk), which is used to sign the whole child certificate (public key plus subject information) as its issuer.

  If you need to issue further child certificates, the same applies: use this certificate to issue the next level down, provided the ChildSubject certificate is itself allowed to act as an issuer (a CA certificate, which makecert produces with -cy authority rather than the default end-entity type).

  Notes:

  (1) If you need an exchange certificate for secure communication (key encipherment), add the option -sky exchange;

  (2) If you need a signing certificate, for issuing certificates or signing binaries, add the option -sky signature.

  (3) If you need a client certificate to identify yourself, or for protecting personal information (e-mail), the E field of the -n option is required.

  Example: -n "CN=company name, E=e-mail address, O=organization name, OU=organizational unit, C=country, S=state/province, P=county" (note that the -n string is an X.500 distinguished name, in which the standard attribute for a town or locality is L=)

A variant that writes the certificate straight into a certificate store instead of to files, with its parameters: makecert -r -pe -n "cn=MyCA" -$ commercial -a sha1 -b 08/05/2010 -e 01/01/2012 -cy authority -ss my -sr currentuser

The meaning of each part:

-r: self-signed.
-pe: mark the generated private key as exportable, so that the private key can later be exported together with the certificate (as a PFX).
-n "cn=MyCA": the certificate's subject name. The .NET class library has an X509Store class that can locate this certificate in a store by its subject name.
Store reference: the X509Store class.
-$ commercial: marks the certificate for commercial (rather than individual) use.
-a: the signature algorithm. In this SDK version it must be md5 (the default) or sha1; makecert from newer Windows SDKs also accepts sha256, which is what you should use today (SHA-1 code signatures are deprecated on Windows).
-b 08/05/2010: start of the validity period; defaults to the creation date. Format: mm/dd/yyyy.
-e 01/01/2012: end of the validity period; defaults to 12/31/2039 11:59:59 GMT. Same format.
-ss my: put the certificate into the Personal ("My") store.
-sr currentuser: store it in the current user's store; other users who log on do not see this certificate.

Viewing and exporting the generated certificate:
Certificate stores can be managed with the Certificates snap-in in MMC. Windows does not put a certificate manager in the Start menu (certmgr.msc opens the current user's store directly; to see the computer store as well, build a console yourself), so add the snap-in in MMC as follows:
1. Start → Run → MMC, which opens an empty MMC console.
2. In the console menu: File → Add/Remove Snap-in → Add → choose "Certificates" → Add → choose "My user account" → Close → OK.
3. In the console menu: File → Add/Remove Snap-in → Add → choose "Certificates" → Add → choose "Computer account" → Close → OK.

Then export the certificate in PFX format. A PFX file is a PKCS#12 container holding both the public certificate and the private key; the export wizard asks for a password that protects the private key, which you set during the export. Exporting the private key is only offered when the certificate was created with -pe (exportable key); otherwise the wizard only lets you export the public certificate.
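The store-based variant (-ss my -sr currentuser) handled from PowerShell instead of the MMC snap-in, as an added example that is not part of the original post: it locates the certificate through the same store the X509Store class reads and exports it as PFX and as a public .cer. It assumes the subject name CN=MyCA from the makecert command above, the PKI module's Export-PfxCertificate and Export-Certificate cmdlets (Windows 8 / Server 2012 and later), and a placeholder export password.

```powershell
# Added example (not from the original post): find the certificate that
# "makecert ... -ss my -sr currentuser" created and export it without MMC.
# Assumes the PKI module (Export-PfxCertificate / Export-Certificate) and the
# subject "CN=MyCA"; the export password is a placeholder.
$ErrorActionPreference = 'Stop'
$Subject = 'CN=MyCA'
$PfxPass = ConvertTo-SecureString 'export-password' -AsPlainText -Force   # placeholder

# Cert:\CurrentUser\My is the Personal store of the current user, the same
# store the .NET X509Store class opens. Match the subject exactly so that a
# certificate with a similar name (e.g. "CN=MyCA2") is not picked by accident.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $Subject }
if (-not $cert) { throw "no certificate with subject '$Subject' in CurrentUser\My" }
if (@($cert).Count -gt 1) {
    # several runs of makecert leave several copies; take the newest one
    $cert = $cert | Sort-Object NotAfter -Descending | Select-Object -First 1
}

"{0}  valid {1:d} to {2:d}  private key: {3}" -f `
    $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $cert.HasPrivateKey

# The PFX export only succeeds because makecert was run with -pe; with a
# non-exportable key HasPrivateKey is still true but Export-PfxCertificate fails.
Export-PfxCertificate -Cert $cert -FilePath .\MyCA.pfx -Password $PfxPass | Out-Null

# Public half only (DER-encoded .cer): this is the file to hand out, or to
# install into "Trusted Root Certification Authorities" on a test machine.
Export-Certificate -Cert $cert -FilePath .\MyCA.cer | Out-Null

Get-ChildItem .\MyCA.pfx, .\MyCA.cer
```

Run it in the same user session that ran makecert, since -sr currentuser puts the certificate in that user's store only; a certificate created with -sr localmachine would be found under Cert:\LocalMachine\My instead and needs an elevated prompt to export.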

  Other auxiliary tools:

  1) Converting a public key certificate to SPC format: cert2spc.exe

  >cert2spc TestRoot.cer TestRoot.spc

  .spc stands for Software Publisher Certificate. (The file is called TestRoot here; with the names used above it would be RootIssuer.cer or ChildSubject.cer.)

  2) Combining the public key certificate and the private key into a PFX certificate file: pvk2pfx.exe

  >pvk2pfx -pvk TestRoot.pvk -spc TestRoot.spc -pfx TestRoot.pfx

  Enter the password protecting TestRoot.pvk to merge the .pvk and .spc files (for scripted use, -pi supplies it on the command line). If you do not give the output TestRoot.pfx a protection password of its own (the -po option), it gets the same password as the input file TestRoot.pvk. (Note: you can also pass the .cer file directly to -spc; the .spc file is not required.)

  3) The signing tool: signtool.exe

  Digitally signing binaries. A digital signature is a good way to guarantee the integrity of a binary file and to tie it to the signer's identity.

  The following command starts the graphical signing wizard (older signtool releases; recent Windows SDKs ship signtool without the wizard):

  >signtool wizard

  The following is the command-line form of signing:

  >signtool sign /f "full path of the .pfx file" /p "password of the .pfx file" /t "http://timestamp.verisign.com/scripts/timstamp.dll" /d "description of the signature" "full path of the program to sign"

  /t requests a legacy Authenticode timestamp from the given server (the VeriSign URL above is historical; use your CA's current timestamp service). Current signtool versions also take /fd SHA256 to choose the file digest algorithm and /tr plus /td SHA256 for an RFC 3161 timestamp. Without a timestamp the signature stops verifying once the certificate expires. A signature made with the self-signed chain built above only passes signtool verify /pa on machines where RootIssuer.cer has been installed in the Trusted Root Certification Authorities store.
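The whole chain from the steps above run as one PowerShell script, as an added example that is not part of the original post: root certificate, child code-signing certificate, PFX, signing, and verification before and after the root is trusted. It assumes makecert, pvk2pfx, signtool and certutil from a Windows 8 SDK or later are on PATH (older makecert builds only accept md5/sha1 for -a), that $AppPath is the binary to sign, that $TimestampUrl is a reachable RFC 3161 timestamp server, and that the passwords are placeholders; makecert has no password switch, so the .pvk passwords are typed into its dialogs, and the one for ChildSubject.pvk must equal $ChildPass, which pvk2pfx is given.

```powershell
# Added example (not from the original post): root CA -> child code-signing
# certificate -> PFX -> signed binary -> verification, as one script.
# Assumptions: makecert/pvk2pfx/signtool/certutil from a Windows 8+ SDK on PATH,
# $AppPath is the file to sign, $TimestampUrl is a reachable RFC 3161 server,
# and the passwords are placeholders.
$AppPath      = 'C:\build\MyApp.exe'             # assumed path of the binary
$TimestampUrl = 'http://timestamp.digicert.com'  # assumed timestamp service
$ChildPass    = 'child-pvk-password'             # type the same into makecert's dialog
$PfxPass      = 'pfx-password'

# 1. Self-signed root. -cy authority marks it as an issuing (CA) certificate;
#    -m 24 = valid 24 months; -a sha256 needs a Windows 8 SDK or later makecert.
#    makecert prompts in a dialog for the .pvk password (it has no password switch).
makecert -r -n "CN=Root" -cy authority -a sha256 -len 2048 -sky signature -m 24 `
    -sv RootIssuer.pvk RootIssuer.cer

# 2. Child certificate issued by the root. -sky signature plus the Code Signing
#    EKU (OID 1.3.6.1.5.5.7.3.3) restricts it to signing binaries; -cy end = leaf.
#    Enter $ChildPass when asked for the ChildSubject.pvk password.
makecert -n "CN=Child" -cy end -sky signature -eku 1.3.6.1.5.5.7.3.3 -a sha256 -len 2048 -m 24 `
    -iv RootIssuer.pvk -ic RootIssuer.cer -sv ChildSubject.pvk ChildSubject.cer

# 3. Key + certificate into a PFX. -spc accepts the .cer directly, so the
#    cert2spc step from the post is not needed; -pi/-po are the input/output passwords.
pvk2pfx -pvk ChildSubject.pvk -pi $ChildPass -spc ChildSubject.cer -pfx ChildSubject.pfx -po $PfxPass

# 4. Sign with a SHA-256 file digest and an RFC 3161 timestamp (/tr + /td)
#    rather than the legacy /t Authenticode timestamp.
signtool sign /f ChildSubject.pfx /p $PfxPass /fd SHA256 /tr $TimestampUrl /td SHA256 `
    /d "MyApp" $AppPath

# 5. Verify under the default Authenticode policy. This fails on a self-signed
#    chain ("root certificate which is not trusted") until the root is installed,
#    which is exactly what a user without RootIssuer.cer sees.
signtool verify /pa /v $AppPath

# Install the root into this user's Trusted Root store (test machine only) and re-check.
certutil -user -addstore Root RootIssuer.cer
signtool verify /pa /v $AppPath
Get-AuthenticodeSignature $AppPath | Format-List Status, StatusMessage, SignerCertificate
```

Run it from a prompt that has the SDK's bin directory on PATH. The first verify is expected to fail and is kept on purpose: on any machine you ship to, the root still has to be installed by the user or by policy before Windows reports the signature as valid, which is why a home-made certificate may satisfy a local check such as 360's but does not make the binary trusted by Windows.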

Origin www.cnblogs.com/jackzz/p/11106057.html