how do you install a test certificate for test signing?

I can create AND install a test certificate just fine;
makecert -r -pe -ss PrivateCertStore -n CN="Blah (Internal test)" BlahTest.cer

and the cert can then be used to sign just fine. I would like to add the generated test cert to source control, so that anyone else in-house can sign with the same test cert - so we only need to install the one test cert on internal machines.

the makecert command above creates, and installs the test cert, but I can’t find a way of JUST installing the test cert which will allow me to use signtool successfully;

I create & install the cert with makecert
I can use signtool just fine.
I uninstall the test cert (certmgr /del /all /s PrivateCertStore)
then re-install it, as a colleague would have to (certmgr /add BlahTest.cer /s PrivateCertStore)
when I now try to use signtool, I get an error message stating “No certificates were found that met all the given criteria”

Either I am trying to do something stupid, or I am trying to do something in a stupid fashion… help!

Simon

certmgr.exe -add testcert.cer -s -r localMachine root
certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher

Our build system creates packages for all of our drivers that include
a testcert, certmgr.exe, the above shell script and the usual inf sys
pdb cat etc files.

Mark Roddy

On Thu, Jul 2, 2009 at 10:41 AM, wrote:
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
>

I generally use the options on signtool to specify the certificate as the
.pfx file instead of using the certificate in the (user) certificate store.
The .pfx can be checked into source control and thus is available to all
users. Of course you either have the password in your build scripts, as an
environment variable, or some other scheme (like no password).

To install the certificate in the store as you are doing, just import the
.pfx file into each machine. Open MMC, add in CertMgr plugin, import the
.pfx, etc.

Good Luck,
Dave Cattley
Consulting Engineer
Systems Software Development

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@quantel.com
Sent: Thursday, July 02, 2009 10:42 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] how do you install a test certificate for test signing?


I tried that already - that’s the procedure I have (successfully) used to install the test cert to allow the test signed driver to load.

Here’s my failed attempt to install the test cert for SIGNING using certmgr;

:%selfSign%\certmgr /s /c PrivateCertStore
==============No Certificates ==========

CertMgr Succeeded

(showing that the PrivateCertStore is empty at start of test)

:%selfSign%\makecert -r -pe -ss PrivateCertStore -n CN="Blah (Internal test)" BlahTest.cer
Succeeded

:%selfSign%\certmgr /s /c PrivateCertStore
==============Certificate # 1 ==========
Subject::
[0,0] 2.5.4.3 (CN) Blah (Internal test)
Issuer::
[0,0] 2.5.4.3 (CN) Blah (Internal test)
SerialNumber::
56 E2 37 86 3E 48 68 89 42 5E 27 FE C2 EF D9 D7
SHA1 Thumbprint::
24E6472E 61E13EA2 CD437A89 ACB3A61C 240E64A9
MD5 Thumbprint::
B814B938 BA1E2DA3 29F7642D 427D8396
Key MD5 Thumbprint::
ECD11982 CE39A1B4 91C51F21 A693389B
Provider Type:: 1 Provider Name:: Microsoft Strong Cryptographic Provider Container: 41045c8a-4223-4635-93f3-3971c597d363 KeySpec: 2
NotBefore::
Thu Jul 02 16:36:12 2009
NotAfter::
Sun Jan 01 00:59:59 2040

CertMgr Succeeded

(certificate is there now)

:%selfSign%\signtool sign /s PrivateCertStore /n "Blah (Internal Test)" blah.sys
Done Adding Additional Store
Successfully signed: blah.sys

(certificate works fine to sign something)

:%selfSign%\certmgr /del /all /s PrivateCertStore
CertMgr Succeeded

(remove the cert from PrivateCertStore)

:%selfSign%\certmgr /s /c PrivateCertStore
==============No Certificates ==========

CertMgr Succeeded

(check it has gone)

:%selfSign%\certmgr /add BlahTest.cer /s /r localMachine root
CertMgr Succeeded

:%selfSign%\certmgr /add BlahTest.cer /s /r localMachine trustedPublisher
CertMgr Succeeded

:%selfSign%\certmgr /add BlahTest.cer /s /r localMachine PrivateCertStore
CertMgr Succeeded

:%selfSign%\signtool sign /s PrivateCertStore /n "Blah (Internal Test)" blah.sys
SignTool Error: No certificates were found that met all the given criteria.

Number of errors: 1

(wahhhhhh!)

It will probably all make sense tomorrow…

Mark’s procedure is for importing the certificate to use for validation
(trust). You are expecting it to be usable for signing. This requires the
private key be installed along with the certificate on the machine doing the
signing. That is what is in the .pfx file - certificate & private key
(protected by a password, typically). If you don’t have a .pfx file then
export one with Certmgr on the machine that you ‘generated’ the certificate
from. If you did not generate the certificate with an exportable private
key, then, start over.

Good Luck,
Dave Cattley

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@quantel.com
Sent: Thursday, July 02, 2009 11:44 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] how do you install a test certificate for test signing?


Thanks for all your help. I have switched to using a PFX instead - much nicer not to have to install the certificates on the build machines. certificateFile is either the release cert, on the release build machine, or the test cert from source control.

Simon

create PFX:
%selfSign%\makecert -r -pe -n "CN=Blah (Internal test)" -sv BlahTest.pvk BlahTest.cer
%selfSign%\pvk2pfx.exe /pvk BlahTest.pvk /spc BlahTest.cer /pfx BlahTest.pfx /po somePassword /f

sign using the PFX:
%selfSign%\signtool.exe sign /f %certificateFile% /p somePassword /t %timestampURL% %destDir%*.cat
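The cause Dave describes (a .cer carries only the public certificate, so certmgr /add leaves the store without a signing key, while a .pfx restores certificate and key together) and the PFX route Simon settled on, as an added PowerShell walk-through that is not from the thread. It assumes the PKI module cmdlets (Windows 8 / Server 2012 or later), signtool.exe on the PATH, and a placeholder timestamp URL in place of %timestampURL%.

```powershell
# Added example, not from the thread. Shows why certmgr /add BlahTest.cer
# does not give signtool a usable certificate, and the PFX route instead.
# Assumes the PKI module (Windows 8 / Server 2012 or later) and signtool.exe on PATH.
$subject      = 'CN=Blah (Internal test)'
$store        = 'Cert:\CurrentUser\My'
$cerPath      = Join-Path $PWD 'BlahTest.cer'
$pfxPath      = Join-Path $PWD 'BlahTest.pfx'
$timestampUrl = '<your-timestamp-server-url>'   # placeholder, like %timestampURL% above
# On a build machine the password would come from an env var or a secret store.
$pfxPassword  = ConvertTo-SecureString -String 'somePassword' -AsPlainText -Force

# 1. Generate a self-signed code-signing cert with an exportable private key
#    (the PowerShell equivalent of makecert -r -pe).
$cert = New-SelfSignedCertificate -Subject $subject -Type CodeSigningCert `
          -CertStoreLocation $store -KeyExportPolicy Exportable

# 2. Export both forms: the .cer holds only the public certificate,
#    the .pfx holds certificate plus private key (password protected).
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 3. Delete the cert *and its key* so this now looks like a colleague's machine
#    that only has the files from source control.
Remove-Item -Path "$store\$($cert.Thumbprint)" -DeleteKey

# 4. Importing the .cer is what certmgr /add does: no private key comes along,
#    which is why signtool reports "No certificates were found that met all the given criteria".
$fromCer = Import-Certificate -FilePath $cerPath -CertStoreLocation $store
"After importing .cer: HasPrivateKey = $($fromCer.HasPrivateKey)"   # False
Remove-Item -Path "$store\$($fromCer.Thumbprint)"

# 5. Importing the .pfx restores certificate and key together, so the store
#    copy is usable with signtool sign /s My /n "Blah (Internal test)".
$fromPfx = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $store -Password $pfxPassword
"After importing .pfx: HasPrivateKey = $($fromPfx.HasPrivateKey)"   # True

# 6. Or skip the store entirely and sign straight from the file, as in the
#    build script above; the .cer still has to be trusted on the test machines.
& signtool.exe sign /f $pfxPath /p 'somePassword' /t $timestampUrl 'blah.sys'
```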

Hi all, Simon,

reading this thread, I was a bit confused. So here are my questions:

  1. the steps mentioned below to create a PFX, does it give me a signed
    binary(driver) that will work on vista 64 without turning on “TEST SIGNING”?
  2. Do I need to install the created .cer file into the test machine to get
    this driver to load? If so, then in this method we effectively skip
    installing the .cer file on the build machines, rest all remains same?

Thanks
ap

On Fri, Jul 3, 2009 at 3:48 PM, wrote:


Hi AP,
1 > Nope. This method provides just another way to sign the driver
binary (or package). You still have to enable the “Test signing” method.
2 > Yes, you have to install the certificate on the test system. It's
just that the installation step wasn't explained in the quoted text.

What you are avoiding is the need to install the certificate on the build
machine, nothing more.

rtshiva

On Fri, Jul 10, 2009 at 4:34 PM, A P wrote:
