Delphi-PRAXiS

Thread: Code signing with crt files (https://www.delphipraxis.net/215843-codesigning-mit-crt-dateien.html)

bcvs 16. Sep 2024 13:24

Code signing with crt files

Hello everyone,

My code signing certificate had expired and I renewed it. Now I have received 3 files from DigiCert:
MeinName.crt, DigiCertCA.crt and TrustedRoot.crt.

How do I now tell SignTool to use this certificate?

So far I had a p12 file and used this command line (stored in InnoSetup):
signtool.exe sign /f MeinName.p12 /p MeinPasswort /du https://www.MeineWebseite.de /t "http://timestamp.digicert.com" $p

SignTool apparently can't do anything with the crt files (or can it?). My attempts at converting them have also failed so far.

hans65 16. Sep 2024 15:24

Re: Code signing with crt files

Back then the certificate seller (ssl2buy) recommended creating it with the following website: https://www.sslshopper.com/ssl-converter.html
Caution: that worked 1.5 years ago. But the site now apparently appears to be insecure. Please don't use it.
I'll leave the text in anyway; maybe you'll find a similar site.

Kas Ob. 16. Sep 2024 15:54

Re: Code signing with crt files

Quote:

Quote from hans65 (post 1541044)
Back then the certificate seller (ssl2buy) recommended creating it with the following website: https://www.sslshopper.com/ssl-converter.html

Wait! That is wrong; never convert your certificates online under any circumstance.

Quote:

Quote from bcvs (post 1541036)
How do I now tell SignTool to use this certificate?

I was expecting someone who can explain this in German, because this is like 101 for certificates and signing.

A .crt/.cer file is a certificate, that simple.
A .p12 (which is practically also .pfx) is also a certificate, same as .crt, but encrypted and most likely has the private key!

Now, to sign, meaning to make a signature, you need a private key, and that is it, with or without a certificate; for a digital signature for Microsoft Authenticode, you need the certificate along with the private key.

The certificates you received are the plain ones with the chain of trust (the root and the CAs; in your case there is only one CA).

Now the question is, and this is what you should have asked: Where is my private key?
The quick answer is I don't know, and I can't say!

However, I can say this:
Either it is attached to PKCS11, meaning you will need a hardware token/USB, or simply it is already imported in your OS store, or you used a (the specific) browser to receive the certificate and the key was imported in that store, like the case with FireFox (I use the portable version of FireFox ESR, https://portableapps.com/apps/intern...x-portable-esr, to handle my online certified presence and certificates).

Anyway, if you have a hardware token then I believe others here would be more helpful. In case you can open your OS store and check that the certificate is imported in Personal and there is a private key, then you can use SignTool, but first I want to point out that the private key from the OS certificate store might be exportable!
If they were imported at first with the exportable flag, then you can export it and build/convert your crt and the key into either pfx or p12, but if it is non-exportable then you are limited to using it on your device (account!!) as a user.
In case it is non-exportable, then you use
Code:
#signtool.exe sign /f MeinName.p12 /p MeinPasswort /du https://www.MeineWebseite.de /t "http://timestamp.digicert.com" $p
signtool.exe sign /a /n "ISSUED_TO_FIELD" /du https://www.MeineWebseite.de /t "http://timestamp.digicert.com" $p
where ISSUED_TO_FIELD is from the certificate and will be shown in the store, while "/a" will select the certificate automatically.

Hope that helps, and as I said, someone with German might explain this in a cleaner way.

TomyN 16. Sep 2024 17:50

Re: Code signing with crt files

I have the certificate in the Windows certificate store and that is how SignTool calls it directly. That works wonderfully (in InnoSetup; I haven't tried it externally yet).

bcvs 17. Sep 2024 07:11

Re: Code signing with crt files

OK,
the certificate is now in Certificate Store\Current User\Personal\Certificates

The command line is:

Code:
signtool.exe" sign /a /n "MeinName (Ausgestellt für)" /du https://www.MeineWebseite.de /t "http://timestamp.digicert.com" $p
Result:
SignTool Error: No certificates were found that met all the given criteria.

What is going wrong?

Kas Ob. 17. Sep 2024 10:09

Re: Code signing with crt files

Quote:

Quote from bcvs (post 1541061)
OK,
the certificate is now in Certificate Store\Current User\Personal\Certificates

The command line is:

Code:
signtool.exe" sign /a /n "MeinName (Ausgestellt für)" /du https://www.MeineWebseite.de /t "http://timestamp.digicert.com" $p
Result:
SignTool Error: No certificates were found that met all the given criteria.

What is going wrong?

This will only work if the store also has the private key for this certificate!
You can check for the small key icon in the store, or open the certificate and it will show whether the private key exists and where it is stored, like in these screenshots:
Attachment 57111
Attachment 57112
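An added diagnostic script, not code from the thread, covering both points Kas Ob. makes above: "signtool sign /a" only finds a certificate that has a private key in the store, and an exportable key can be turned into a PFX locally instead of through an online converter. It lists Cert:\CurrentUser\My the way signtool /a sees it and, if the matching certificate has a private key, exports it with its chain. The subject substring "MeinName", the output path and the availability of the Windows PKI module (Export-PfxCertificate) are assumptions.

```powershell
# Added example for this thread (not the original poster's script).
# Assumptions: Windows PowerShell with the PKI module (Export-PfxCertificate);
# "MeinName" and the output path are placeholders to adjust.
param(
    [string]$SubjectMatch = "MeinName",                       # part of the "Issued To" (CN) field
    [string]$PfxPath      = "$env:USERPROFILE\MeinName.pfx",  # where the exported PFX is written
    [switch]$ExportPfx
)

$codeSigningEku = "1.3.6.1.5.5.7.3.3"   # Code Signing enhanced key usage OID
$now = Get-Date

# "signtool sign /a" only picks certificates that have a private key, are valid today
# and carry the Code Signing EKU, so report all three for every cert in the store.
$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        HasPrivateKey = $_.HasPrivateKey
        CodeSigning   = ($ekus -contains $codeSigningEku)
        ValidNow      = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
    }
}
$report | Format-Table -AutoSize

$cand = $report | Where-Object { $_.Subject -like "*$SubjectMatch*" } | Select-Object -First 1
if (-not $cand) {
    Write-Warning "No certificate matching '$SubjectMatch' in Cert:\CurrentUser\My."
} elseif (-not $cand.HasPrivateKey) {
    # The thread's situation: the .crt files hold only the public part, so
    # signtool has nothing to sign with and reports "No certificates were found".
    Write-Warning "Certificate found, but the store has no private key for it; signtool /a will fail."
} elseif (-not $cand.CodeSigning -or -not $cand.ValidNow) {
    Write-Warning "Private key present, but the certificate is expired or lacks the Code Signing EKU."
} elseif ($ExportPfx) {
    # Key present: build the PFX locally (never via an online converter). This
    # throws if the key was imported as non-exportable, which is reported below.
    $pw = Read-Host -Prompt "PFX password" -AsSecureString
    try {
        Get-Item "Cert:\CurrentUser\My\$($cand.Thumbprint)" |
            Export-PfxCertificate -FilePath $PfxPath -Password $pw -ChainOption BuildChain | Out-Null
        Write-Host "Exported $PfxPath for use with: signtool sign /f $PfxPath /p <password> ..."
    } catch {
        Write-Warning "Export failed (key is probably non-exportable): $($_.Exception.Message)"
    }
} else {
    Write-Host "Usable directly from the store: signtool sign /a /n <CN from $($cand.Subject)> ..."
}
```

Run it without -ExportPfx first to see the store listing; a certificate with HasPrivateKey False is exactly the case in this thread, and no signtool option will fix that until the key is found.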

Kas Ob. 17. Sep 2024 10:15

Re: Code signing with crt files

Also notice my old and expired Sectigo-issued certificate doesn't have a key, as I didn't import it, so it can't be used for signing automatically.

While my "Kas" issued by "Kas" is a root one and does have a key, it is not for code signing; it is for a different usage, and IIS will automatically use/offer it for localhost on my device.

bcvs 17. Sep 2024 13:34

Re: Code signing with crt files

My certificate doesn't show this private key. And I don't even know if I have a private key. I have a password that I used with the old p12 certificate.

Where do I get a private key from?

jaenicke 17. Sep 2024 13:46

Re: Code signing with crt files

I don't know DigiCert, but maybe the DigiCert Certificate Utility helps? Otherwise you can also call their hotline or contact their support in writing. As far as I've heard, they answer quite quickly.

rwalper 17. Sep 2024 14:05

Re: Code signing with crt files

Since 01.06.2023, pairs of private and public keys may only be delivered via hardware security modules (USB stick, crypto card).
You therefore no longer have access to the private key; it stays in the hardware module.
But there is software/drivers for these modules that talk to MS SignTool and can therefore also sign the software.
You should find all the necessary information on the certificate provider's website.

Kas Ob. 17. Sep 2024 15:06

Re: Code signing with crt files

Quote:

Quote from bcvs (post 1541077)
My certificate doesn't show this private key. And I don't even know if I have a private key. I have a password that I used with the old p12 certificate.

Well, only you and the support can answer the question of where your private key is.
See, I have no knowledge of USB/hardware tokens per se, but I know and read RFCs; in fact all code signing certificates (per standard) are issued from a CSR (Code Signing Request). This happens either manually or automatically: manually when you build your CSR while the private key stays on the device, or automatically by software you are running like a browser (namely Internet Explorer, Edge or FireFox; to my knowledge only these are supported and capable). The difference is that Edge and Internet Explorer (using an applet or whatsoever) will generate the key and import it into your OS store and never send it with the CSR; the issuer will generate the certificate (that includes your public key from the auto-generated pair) from the CSR and sign it, while FireFox will do the same, only it will save it to its own store! FireFox has its own store.

You didn't give any more detail: how and using what did you download your certificates? Did you use some specified browser as per their request (almost all providers ask for that)? ... Do you have a cabinet or account? When and where was your CSR generated and stored? ...
There are many questions here, and the strange thing is I can't find a nice, helpful and detailed resource on the internet explaining this matter; maybe there is one and someone can point to it.

As for the latest modification to lock all of these to hardware tokens, I don't have knowledge on how and where the CSR (with the private key generated) is made; if they are being sent with an already flashed key then the whole thing is a farce and circus, and will collapse sooner or later (yes, this is a prophecy by me); this must not be the case nor how security should be implemented.

Quote:

Quote from bcvs (post 1541077)
Where do I get a private key from?

As Sebastian said, their support is your best answer. Most likely you are not sure, and they should revoke this certificate and issue a new one, and (in theory) their utility should communicate with their servers and issue a new one, where (as they might say) the private key didn't leave your device (PC/token/USB), but who knows and who can tell?!! Yet again, this is in theory and my imagination of how it should be done; if it can't be done remotely then either they will ask you to send the token back or issue a new one for you.
Yet again, you didn't even mention if you have a hardware token, or whether you ordered and completed the request and then maybe they issued the certificate and sent it to you in anticipation of the USB/token being delivered by mail (shipping I mean) ...

So many questions and so many variables, so sorry ....

bcvs 20. Sep 2024 09:20

Re: Code signing with crt files

So, together with DigiCert support I have now got signing working via the DigiCert KeyLocker. But it is a science in itself.

