I created a code certificate using:
$cert = New-SelfSignedCertificate -CertStoreLocation "Cert:\CurrentUser\My" -dnsname testcert.test.io
$cert
$secPassword = ConvertTo-SecureString -String 'password1234' -Force -AsPlainText
$certPath = "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Export-PfxCertificate -Cert $certPath -FilePath C:\selfcert.pfx -Password $secPassword
I'm trying to use it to sign my .exe using:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\signtool.exe" sign /debug /f "C:\selfcert.pfx" /p password1234 "A:\mysoft\sign\myexe.EXE"
The /debug output shows this:
The following certificates were considered:
Issued to: testcert.test.io
Issued by: testcert.test.io
Expires: Fri Aug 12 15:25:13 2022
SHA1 hash: 0CDA91D628CA855B49FA1CB8DFD0F53C121BEB27
After EKU filter, 0 certs were left.
After expiry filter, 0 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
Running certmgr shows my certificate in Personal > Certificates as testcert.test.io (I suppose because of the dnsname).
What I think (it is my first time trying to certificate a .exe, so I might be wrong) is that my certificate is not passing the EKU filter; afaik the EKU filter means certificates that are listed as trusted (I'm not sure on that one).
What am I doing wrong, or what am I missing?
You need a Code Signing certificate, which means that it has an Extended Key Usage (EKU) with the Code Signing Object Identifier (OID).
# OID of the Code Signing extended key usage (id-kp-codeSigning)
$ku_codeSigning = "1.3.6.1.5.5.7.3.3";
# $subCaCert must already exist: it is created by the root CA / sub CA commands below, so run those first.
# 2.5.29.37 is the EKU extension (set to Code Signing), 2.5.29.19 is Basic Constraints (cA=false: this is a leaf certificate).
$codeSignCert = New-SelfSignedCertificate `
-Type "CodeSigningCert" `
-KeyExportPolicy "Exportable" `
-Subject "..." `
-KeyUsageProperty @("Sign") `
-KeyUsage @("DigitalSignature") `
-TextExtension @("2.5.29.37={text}$($ku_codeSigning)", "2.5.29.19={text}false") `
-CertStoreLocation cert:\CurrentUser\My `
-KeyLength 2048 `
-NotAfter ([DateTime]::Now.AddDays(90)) `
-Provider "Microsoft Software Key Storage Provider" `
-Signer $subCaCert;
The -Signer argument is used to create a trust chain consisting of a root and a sub CA certificate.
$rootCaCert = New-SelfSignedCertificate `
-Type "Custom" `
-KeyExportPolicy "Exportable" `
-KeyUsageProperty "All" `
-KeyUsage @("CertSign", "CrlSign") `
-Subject "My Fake Root CA" `
-CertStoreLocation cert:\LocalMachine\My `
-NotAfter ([DateTime]::Now.AddYears(20)) `
-Provider "Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-TextExtension @("2.5.29.19={text}cA=true&pathLength=1");
$subCaCert = New-SelfSignedCertificate `
-Type "Custom" `
-KeyExportPolicy "Exportable" `
-KeyUsageProperty "All" `
-KeyUsage @("CertSign", "CrlSign") `
-Subject "My Fake Sub CA" `
-CertStoreLocation cert:\LocalMachine\My `
-NotAfter ([DateTime]::Now.AddYears(5)) `
-Provider "Microsoft Software Key Storage Provider" `
-KeyLength 4096 `
-TextExtension @("2.5.29.19={text}cA=true&pathLength=0") `
-Signer $rootCaCert;
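A check that reproduces signtool's three filters (EKU, expiry, private key) in PowerShell, added here as an example and not part of the original answer; the function name, the store path and the executable path are my own placeholders:

```powershell
# Added example, not part of the original answer: reproduce signtool's three
# filters (EKU, expiry, private key) over a certificate store so the reason a
# certificate is rejected is visible before signtool is run.
# Assumptions: the store path and $ExePath are placeholders for your own values.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'

function Test-CodeSigningCandidate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $now = Get-Date
    # EKU filter: read the Enhanced Key Usage extension directly from the certificate.
    # A certificate created with only -DnsName defaults to the SSL server/client
    # authentication usages, so it fails here; a -Type CodeSigningCert one passes.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasEku = $ekus -contains $CodeSigningEku
    # Expiry filter: the current time must lie inside the validity period.
    $inValidity = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -ge $now)
    # Private key filter: the key must be present in the store (or the PFX); a cert
    # imported from a .cer file alone has no private key and cannot sign.
    $hasKey = $Certificate.HasPrivateKey
    [pscustomobject]@{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        HasCodeSigningEku = $hasEku
        InValidityPeriod  = $inValidity
        HasPrivateKey     = $hasKey
        WouldBeSelected   = ($hasEku -and $inValidity -and $hasKey)
        Ekus              = ($ekus -join ', ')
    }
}

# Report every certificate in the store the question used.
$report = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-CodeSigningCandidate -Certificate $_ }
$report | Format-Table -AutoSize

# Sign with the first certificate that passes all three filters and check the result.
# Get-AuthenticodeSignature reports Valid only when the chain ends in a trusted root;
# a self-signed or "fake CA" chain that is not installed in Trusted Root yields UnknownError.
$ExePath = 'A:\mysoft\sign\myexe.EXE'   # path from the question; replace with your file
$signer = $report | Where-Object WouldBeSelected | Select-Object -First 1
if ($signer) {
    $cert = Get-Item "Cert:\CurrentUser\My\$($signer.Thumbprint)"
    Set-AuthenticodeSignature -FilePath $ExePath -Certificate $cert -HashAlgorithm SHA256 | Out-Null
    Get-AuthenticodeSignature -FilePath $ExePath | Select-Object Status, StatusMessage
}
```

The report shows, per certificate, which of the three filters fails, which maps directly onto the "After EKU filter, 0 certs were left" lines in the signtool /debug output.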