How can I sign an ActiveX control with a code signing certificate and be a verified publisher?

1
votes

I'm trying to sign an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe.

When I look at the file properties, it says "The certificate in the signature cannot be verified."

When I view the certificate it says "Windows does not have enough information to verify the certificate."

On the certification path tab, it says "The issuer of this certificate cannot be found."

In internet explorer, the certificate is recognized as signed but the user receives warnings that the publisher is not verified.

I've tried creating a single PFX file containing my certificate along with the root and intermediate certificates that chain to my Thawte developer certificate, and then re-signing the control using that PFX file. No dice.

Any suggestions?

1
activexcertificateauthenticodesigntoolthawte
Hm, I may have resolved this-- looks like the problem may have been that one of the root certificates I included was incorrect. I'll know for sure tomorrow when I deploy the newly-signed control...davidcl
A description using OpenSSL for Windows.emboss

1 Answers

2
votes

The question actually contains the correct procedure-- do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key. Also, use a timestamp server. My problem was that I had the wrong root certificate included in my PFX, so the certificate used to sign couldn't chain back to the root.

By request, here's the information about how to create the PFX file. The cert2spc and pvk2pfx that I use below are also in the platform SDK.

cert2spc certpath1.cer certpath2.cer certpath3.cer codesign.spc

Where the list of .cer files includes the root, intermediate, and code signing certificates, and codesign.spc is the output file. Then:

pvk2pfx -pvk privkey.pvk -spc codesign.spc

Running pvk2pfx in this manner starts a wizard that prompts for the private key passphrase, and the location of the output file, and the passphrase for the output file.

Finally, signtool does the actual code signing:

signtool sign /f my_certificates.pfx /p my_passphrase /t http://timestamp.verisign.com/scripts/timstamp.dll my_activex_control.ocx

In retrospect, I might have saved time by using signcode.exe aka the Code Signing wizard (which I think is part of the .NET SDK) which uses .spc and .pvk files directly.