
Thread: VS - Creating your own code signing certificates

  1. #1

    Thread Starter
    Junior Member rkinci's Avatar
    Join Date
    Jan 2012

    VS - Creating your own code signing certificates

    Creating a self-signed Code Signing certificate is not easy to figure out, but is easy to do. The Microsoft SDK includes a utility called makecert.exe. Since I develop applications for private use and use ClickOnce deployment, I needed a certificate to sign my application that would not expire in one year. I took it a step further and created my own Root Certificate, which I then used to create and sign my Code Signing certificate.

    To create a root certificate, go to the Windows command prompt and type the following command. Makecert.exe should be in the local directory or located in the Windows path.

    makecert -r -pe -a sha1 -n "CN=MyCompanyNameRoot, C=US" -b 01/01/2012 -e 01/01/2050 -ss My

    This created a self-signed root certificate that will expire in 2050. The certificate was stored in the local certificate store. We will export it to a file shortly.

    Next I created my Code Signing certificate. If you are working as a group on a project and want each developer to be able to sign assemblies with a unique certificate, just create one for each.

    makecert -pe -a sha1 -n "CN=EmpOneCodeSigning, C=US" -b 01/01/2012 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.3 -ss My -is My -in "MyCompanyNameRoot"
    makecert -pe -a sha1 -n "CN=EmpTwoCodeSigning, C=US" -b 01/01/2012 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.3 -ss My -is My -in "MyCompanyNameRoot"

    This created two code signing certificates and stored them in the local certificate store.

    Now let's export them so we can burn them onto a CD. You will need to find another utility on your Windows computer called certmgr.exe. Run it. You will find all of the certificates installed on your computer, separated by category. The certificates just created are stored under the 'personal' tab. You will export each certificate twice: first as a *.cer and second as a *.pfx. The *.cer will be your public key certificate, and the *.pfx will be your private/public key certificate that you must keep 'private'.

    1. Select certificate and click export.
    2. Choose 'do not export private key'
    3. Choose 'Base-64 encoded X.509(.CER)'
    4. Pick a file name such as c:\example.cer
    5. Export and finish. This is your public certificate.

    6. Select certificate and click export.
    7. Choose 'yes export the private key'
    8. Choose 'Personal Information Exchange - PKCS #12(.PFX)'
    9. Choose a password to protect your private certificate.
    10. Pick a file name such as c:\example.pfx
    11. Export and finish. This is your private certificate.

    Repeat the above steps for each certificate.

    To sign your assemblies, open VS, and under the project signing tab, choose 'Sign the ClickOnce manifests' and then 'select from file'. You will be prompted for your password. Also choose 'Sign the assembly' and choose the same certificate. You will need to sign each project that is referenced in the application you wish to publish. The private key *.pfx file gets added to your project.

    If you ever need to publish from a different computer, or you have reformatted your own computer, you will receive errors when you try to publish. This is because the password you typed to access your private certificate is stored in your Windows user profile. Simply return to the project signing tab, reselect your certificate and type in the password again.

    You can avoid some of the errors and warnings about certificates on the client computer by installing your new 'public' root certificate, the *.cer file. This would be a good solution for a company using ClickOnce applications for internal use. Each developer that had a code signing certificate signed by your root certificate would automatically be trusted.

    You can install certificates on a client machine by typing the following at the Windows command prompt.

    certmgr.exe -add -all MyRootCerFileName.cer -s -r localMachine root
    certmgr.exe -add -all MyEmpOneFileName.cer -s -r localMachine TrustedPublisher
    certmgr.exe -add -all MyEmpTwoFileName.cer -s -r localMachine TrustedPublisher

    You can install the certificates using code as well. This example was written with VB.NET 2008.

    Imports System.Security.Cryptography.X509Certificates
    Public Class installcerts
        Private rootcert As New X509Certificate2("MyRootCerFileName.cer")
        Private emp1cert As New X509Certificate2("MyEmpOneFileName.cer")
        Private emp2cert As New X509Certificate2("MyEmpTwoFileName.cer")
        Public Sub cert_Load()
            ' Writing to LocalMachine stores requires administrator rights.
            Dim rs As New X509Store("root", StoreLocation.LocalMachine)
            rs.Open(OpenFlags.ReadWrite)
            rs.Add(rootcert)      ' root goes into Trusted Root Certification Authorities
            rs.Close()
            Dim store As New X509Store("TrustedPublisher", StoreLocation.LocalMachine)
            store.Open(OpenFlags.ReadWrite)
            store.Add(emp1cert)   ' signing certificates go into Trusted Publishers
            store.Add(emp2cert)
            store.Close()
        End Sub
    End Class

    You can view the certificates in a local store and even add a private key certificate using the following snippets.

    ' Example: load a private key certificate.
    Dim privatecert As New X509Certificate2("privatekeyfilename.pfx", "certpassword")
    ' Example: list the certificates in a store.
    Dim store As New X509Store("TrustedPublisher", StoreLocation.LocalMachine)
    store.Open(OpenFlags.ReadOnly)
    Console.WriteLine(store.Name)   ' or MsgBox(store.Name)
    For Each cert As X509Certificate2 In store.Certificates
        Console.WriteLine(cert.Subject)
    Next
    store.Close()

    Last edited by rkinci; Mar 9th, 2012 at 11:49 AM. Reason: typos
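
The export steps in post #1, scripted in PowerShell with a check of each certificate's code-signing EKU and signature algorithm before the files are distributed (an added example, not part of the original post). It assumes the makecert commands above were already run, so the subject names are the ones from the post; the output folder `C:\certs` is a hypothetical path.

```powershell
# Added example: scripted version of the manual export steps (1-11).
# Assumes the certificates were created with the makecert commands from the post.
$subjects = 'MyCompanyNameRoot', 'EmpOneCodeSigning', 'EmpTwoCodeSigning'  # names from the post
$outDir   = 'C:\certs'                 # hypothetical output folder
$codeSigningOid = '1.3.6.1.5.5.7.3.3'  # Code Signing EKU
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($name in $subjects) {
    # Look in both personal stores; take the newest match for this common name.
    $cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $name } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "$name not found in a 'My' store"; continue }

    # Report what a verifier will see: issuer, algorithm, EKU, key presence.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Store         = $cert.PSParentPath -replace '^.*::'
        Thumbprint    = $cert.Thumbprint
        SigAlg        = $cert.SignatureAlgorithm.FriendlyName
        CodeSigning   = $ekus -contains $codeSigningOid
        HasPrivateKey = $cert.HasPrivateKey
    }

    # Steps 1-5: public certificate as Base-64 encoded X.509 (.cer).
    $b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
    Set-Content -Path (Join-Path $outDir "$name.cer") -Encoding Ascii `
        -Value @('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----')

    # Steps 6-11: certificate plus private key as PKCS #12 (.pfx), password protected.
    $pw = Read-Host -AsSecureString "Password for $name.pfx"
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "$name.pfx") -Password $pw |
        Out-Null
}
```

A `SigAlg` of `sha1RSA` reflects the `-a sha1` option passed to makecert, and `CodeSigning` is expected to be `False` for the root, which carries no EKU.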

  2. #2
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Adelaide, Australia

    Re: VS - Creating your own code signing certificates

    Cool! I was wondering how to do this.
    When you quote a post, could you please do it via the "Reply With Quote" button, or if it is multiple posts, click the "''+" button then the "Reply With Quote" button.
    If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.

  3. #3
    Junior Member
    Join Date
    Jun 2021

    Re: VS - Creating your own code signing certificates

    I did the steps and both reported as successful.
    But when I run certmgr.exe, my certificate doesn't show up.
    However, when I try to create the certificate again, it reports that it has already been added to the store!

    Can someone help me out further?
    Thank you!

  4. #4
    PowerPoster wqweto's Avatar
    Join Date
    May 2011
    Sofia, Bulgaria

    Re: VS - Creating your own code signing certificates

    You are currently using certmgr.msc (not .exe) to view certificates in LOCAL_USER certificate stores.

    You can use certlm.msc to view certificates in LOCAL_MACHINE certificate stores.

    There are even more identities under which certificate stores are available in Windows.


  5. #5
    Junior Member
    Join Date
    Jun 2021

    Re: VS - Creating your own code signing certificates

    Ok, I see it now!
    Thank you.
