Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Issuing Code-signing Certificate with Private Key

26 views
Skip to first unread message

jwgoe...@gmail.com

unread,
Dec 27, 2007, 11:41:46 AM12/27/07
to
Hello group,

I am issuing a code-signing certificate from an Enterprise CA. I am
currently using the Certificate Services' web interface with the code-
signing template.

There does not seem to be an option to export the private key, though
I understand that is a requirement in Visual Studio 2005. When using
ClickOnce, Visual Studio reponds that "The selected file does not
contain a private key. You must choose a certificate that contains a
private key."

I have exported the key using the Certificates MMC. The Certificate
Authority is reporting that "the associated private key is marked as
not exportable."

What am I missing?

J Wolfgang Goerlich


Related Links:

ClickOnce Manifest Signing and Strong-Name Assembly Signing Using
Visual Studio Project Designer's Signing Page
http://msdn2.microsoft.com/en-us/library/aa730868(vs.80).aspx

Brian Komar

unread,
Dec 27, 2007, 12:58:11 PM12/27/07
to
You need to create a v2 certificate template based on the default Code
Signing certificate that allows key export. Of course, your enterprise CA
must be running on Enterprise Edition to allow the issuance of the v2
certificate template.
A certificate based on the custom template will allow export as you require
Brian

<jwgoe...@gmail.com> wrote in message
news:fc467fd0-5571-4851...@v4g2000hsf.googlegroups.com...

John Xie

unread,
Jan 4, 2008, 11:26:03 AM1/4/08
to
Hi Brian,

I would like to know what the default code sign template used for? If we
can't use it to sign code.

Thanks.

Paul Adare

unread,
Jan 4, 2008, 12:28:06 PM1/4/08
to
On Fri, 4 Jan 2008 08:26:03 -0800, John Xie wrote:

> Hi Brian,
>
> I would like to know what the default code sign template used for? If we
> can't use it to sign code.

Brian never said that you couldn't use a certificate based on the default
V1 template to sign code. All he said was that you couldn't modify the
template to allow private key export like the OP wanted to do.


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
BPI: A 1960s term used to describe unmentionable parts of the anatomy, as
in
"you bet your bpi".

John Xie

unread,
Jan 4, 2008, 2:02:00 PM1/4/08
to
Actually, I tried use the v1 template to sign my code. The result is that the
certificate doesn't appear in trusted software publisher store. it is in
personal folder store.

According the link (http://www.kinook.com/blog/?p=10), in order to sign a
code, we need to have the code signing certificate with private key
exportable, and it looks like that we are not able to do that with windows
server 2003 standard edtion.

Also, I would like to know what are this code signing will do? I can list
the following:
1. sign VBA code, so you don't need to change security setting to low to
let it work.
2. When you download the signned code, it will show you certificate in the
Security Warning window.
3. when you run the program, it will show your certificate in the security
warning window.

what else?

thanks.

John

jwgoe...@gmail.com

unread,
Jan 4, 2008, 6:21:12 PM1/4/08
to
That is the ticket. Much obliged, Brian.

On Dec 27 2007, 12:58 pm, "Brian Komar"


<brian.ko...@nospam.identit.ca> wrote:
> You need to create a v2 certificate template based on the default Code
> Signing certificate that allows key export. Of course, your enterprise CA
> must be running on Enterprise Edition to allow the issuance of the v2
> certificate template.
> A certificate based on the custom template will allow export as you require
> Brian
>

> <jwgoerl...@gmail.com> wrote in message


>
> news:fc467fd0-5571-4851...@v4g2000hsf.googlegroups.com...
>
>
>
> > Hello group,
>
> > I am issuing a code-signing certificate from an Enterprise CA. I am
> > currently using the Certificate Services' web interface with the code-
> > signing template.
>
> > There does not seem to be an option to export the private key, though
> > I understand that is a requirement in Visual Studio 2005. When using
> > ClickOnce, Visual Studio reponds that "The selected file does not
> > contain a private key. You must choose a certificate that contains a
> > private key."
>
> > I have exported the key using the Certificates MMC. The Certificate
> > Authority is reporting that "the associated private key is marked as
> > not exportable."
>
> > What am I missing?
>
> > J Wolfgang Goerlich
>
> > Related Links:
>
> > ClickOnce Manifest Signing and Strong-Name Assembly Signing Using
> > Visual Studio Project Designer's Signing Page

> >http://msdn2.microsoft.com/en-us/library/aa730868(vs.80).aspx- Hide quoted text -
>
> - Show quoted text -

Brian Komar

unread,
Jan 4, 2008, 8:45:42 PM1/4/08
to
You can use it to sign code.
But, it disables private key export
You stated you want private key export, so you must create a v2 certificate
template to meet this requirement
Brian

"John Xie" <Joh...@discussions.microsoft.com> wrote in message
news:A45DDD69-B4E4-436D...@microsoft.com...

0 new messages