3.1 Description sommaire de la section4
https://www.thawte.com/ssl-digital-certificates/technical-support/code/msauth.html
Technical Support
[ Contact us 24x5 ]
microsoft authenticode faq
Choose from our detailed faqs below:
- Introduction
- Technical Overview
- System Requirements
- Requesting the Certificate
- Enter a Password for the Private Key
- Downloading the Certificate
- General Key Usage
- Authenticode platform dependency
- How do I request a Microsoft Authenticode Certificates?
- How to backup my Private Key (.pvk file)?
- How do I actually use the Certificate to sign code?
- Sign code with Microsoft Authenticode Certificate using signcode wizard:
- How do I sign Java Applets?
- How do I sign all my code with a Microsoft Authenticode Certificate?
- What happens when my Certificate expires?
- Do you have a timestamping service for Microsoft Authenticode?
- Do your Authenticode certificates work with IE 3.x?
- My version of signcode.exe doesn't use the '-v' command-line switch?
- Using a Microsoft Authenticode Certificate to sign VBA projects.
- Getcert.exe does not execute when I try to run it!
- Certificate dialog box does not display when download of executable is initiated
Error Messages
- Troubleshooting the Error: “Unable to open a CSP provider with the correct private key"
- Troubleshooting: Error: “The software publishing certificate and private key do not match or do not contain valid information”
- Error: "Invalid Certificate", when IE4.01 on Win95/NT views a signed object.
- Error: " An ActiveX control on this page is not safe. Your current security setting prohibit running unsafe controls on this page"
- Error: "java.security.keystoreException: pkcs12 not found
- Error:"The certificate issuer is not recognized”
Choose from our detailed faqs below:
Introduction
Microsoft launched a preliminary version of the Authenticode system with MS Internet Explorer 3.0. Authenticode has been revised and updated in IE 4.0 and IE 5.0. thawte code signing certificates will work with MSIE 4.0 and later.
Technical Overview
The general documentation for Authenticode can be confusing to the new user, so we provide a quick and simplified overview. Please make sure that you check this against the latest documentation from Microsoft:http://msdn.microsoft.com/library/? url=/workshop/security/authcode/intro_authenticode.asp
Note: If you want to sign executables you should be aware that Microsoft Authenticode only allows you to sign 32-bit executables.
System Requirements
There is a known issue with Internet Explorer 4.72.3110 (40 bit) SP 1a on Windows 98. Due to a scripting change to our backend, we no longer support Internet Explorer 4.x on Windows 98.
Other software development kits provide the required code-signing utilities. We have tested our Microsoft Authenticode (Multi-Purpose) Certificate and VBA Developer Certificate with Microsoft Java SDK 3.01. Users have reported that Visual C++ 6.0 works as well. Visual J++ 6.0 provides the same version of the code-signing tool that the Java SDK provides (Signcode.exe version 5.101.1670.1) and our certificates are compatible with its automated signing utility.
Requesting the Certificate
Gather your documents and make a Certificate request to thawte. The process is detailed on the developer cert request walkthrough page, which you should print out to help you through the process. During the certificate request process you will be asked to enter important information that our verification staff will need in order to process your request. Please fill in the appropriate fields as accurately as possible. In particular, make sure the organization name is EXACTLY the same as the name on your proof of name documentation. Doing so will allow the request to be processed quickly.
Enter a Password for the Private Key
It is very important that that you remember the password when your browser generates this private key. Failure to remember the password will result in a complete inability to use the Certificate, and you will need to re-issue your Certificate free of charge.
However, having password protection on the private key requires that you enter the password every time you sign an object. If you are going to automate the signing procedure, you can choose not to have password protection on the private key. Click on the "None" button to do without a password. This is a big security risk, and is not recommended
The private key is saved as a .pvk file on your hard drive, the default being "C:\mykey.pvk". Unfortunately some applications are not able to access the private key if it is in this format. However, you can import the private key into the registry at a later stage. At the appropriate time, please make a backup of this key file. Once we've checked your documentation and verified your details we'll issue the Developer Certificate as a Software Publishing Certificate (.spc) file.
Downloading the Certificate
The Certificate will be downloaded as a "*.spc" file on your hard drive. Make sure you have that file, as you will need it whenever you sign code. The default is "C:\mycert.spc".
General Key Usage
1. Timestamping
We do not offer a timestamping service. You can use the Verisign timestamping server by adding "-t http://timestamp.verisign.com/ scripts/timstamp.dll to the signcode command line.
2. Backups
By far the most common problem users have when going through this process is related to Private Keys. If you lose or cannot access a Private Key or it has been over-written, you cannot use the Certificate we issue to you. Please note, that thawte does not come into contact with the Private Key file or the password thereof. To ensure this never happens, we advise that a backup of the Private Key file(.pvk) is made and that a note is made of the password that is used to protect the Private Key.
3. More info
If you have questions concerning the use of Microsoft Authenticode, the best place to pose them would be with Microsoft support mailing listauthenticode@discuss.microsoft.com
Authenticode platform dependency
Microsoft has published information about a known bug in the signcode and pvkimprt utilities they currently make available to clients. This vulnerability will only be addressed in the release of Windows XP. When clients attempt to move certificates and keys between e.g. Windows NT and Windows ME or Windows XP, they may encounter problems when importing the files into the registry. This is caused by a default key length discrepancy between the platforms. To workaround this issue please read the following KB solution:vs27954.
For further information about this bug, please refer to the article published on Microsoft's website at the following url, http://www.microsoft.com/mind/0299/faq/faq0299.asp
How do I request a Microsoft Authenticode Certificates?
For instructions on how to request a Microsoft Authenticode Certificate, follow the instructions listed in KB solution:vs25869
How to backup my Private Key (.pvk file)?
For instructions on how to backup your .pvk file, follow the instructions listed in KB solution: vs23026
How do I actually use the Certificate to sign code?
To sign and timestamp a CAB file use the instructions in the following solution:vs12036
To sign and timestamp an EXE file use the instructions at the following solution:vs27783
To sign and timestamp a DLL file use the instructions at the following solution: vs27785
Sign code with Microsoft Authenticode Certificate using signcode wizard:
You have the choice of signing code using the command line or the signcode wizard. If you prefer to sign using the signcode wizard please refer to the instructions in solution:vs20643
How do I sign Java Applets?
It is possible to sign JAR files with a Microsoft Authenticode Certificate.
To convert a Microsoft Authenticode Certificate for Netscape Object-Signing, please refer to the instructions listed in the following KB solution: vs23028
To convert a Microsoft Authenticode Certificate for Java signing with jarsigner please refer to the instructions listed in the following knowledge base solution: vs10593
How do I sign all my code with a Microsoft Authenticode Certificate?
For instructions on how to sign code with a Microsoft Authenticode Certificate under different environments, follow the instructions listed in KB solution:vs26925
What happens when my Certificate expires?
As long as you timestamp your code and your Certificate is valid when you sign, your code will remain signed after your Certificate has expired (the signature never expires). Of course, until your expired certificate is renewed, you will not be able to sign any further code.
Do you have a timestamping service for Microsoft Authenticode?
thawte does not provide this service. We thank VeriSign for allowing public use of their timestamping server.
Add the following to the signcode command line:
-t http://timestamp.verisign.com/scripts/timstamp.dll
Do your Authenticode certificates work with IE 3.x?
No. IE 3.x is broken for Authenticode since all the CA certificates have now expired. It is possible to add some new roots, using the Authenticode 2.x Update, however this does not add the correct thawte roots, therefore thawte certificates are not supported by this browser.
My version of signcode.exe doesn't use the '-v' command-line switch?
The ‘-v’ switch is not supported by older versions of Microsoft Internet Client SDK or Microsoft Java SDK.
To troubleshoot this problem, please refer to KB solution:vs23093
Using a Microsoft Authenticode Certificate to sign VBA projects.
In order to use the Microsoft Authenticode Certificate to sign VBA projects, your Certificate needs to be installed in the Windows registry. If you have saved your .pvk and .spc files to your hard drive, then you will need to import the .pvk and .spc file into your registry using a tool called pvkimprt, which will then make the files viewable, and usable, through the VBE.
For detailed instructions on how to sign Office XP VBA projects, please refer to KB solution:vs26211
For detailed instructions on how to sign Office 2000 VBA projects, please refer to KB solution:vs11392
For more information on Macro Security, please refer to Microsoft’s TechNet website.
Getcert.exe does not execute when I try to run it!
When you download your certificate it may be called 'getcert.exe'. Rename it as an *.spc file (for example, mycert.spc). Use it with the private key you saved to your hard drive when you requested the cert (*.pvk).
Certificate dialog box does not display when download of executable is initiated
Error occurs because user selected to save the file to disk. The file is not being downloaded and run under the IE security context therefore the dialog box will not display. Please read the following KB solution for more information on this issue:vs27829
Troubleshooting the Error: “Unable to open a CSP provider with the correct private key"
There are a number of reasons for this error message. To troubleshoot this error follow the instructions in the following KB solution:vs12400
Troubleshooting: Error: “The software publishing certificate and private key do not match or do not contain valid information”
There are a number of reasons for this error message. To troubleshoot this error follow the instructions in the following KB solution:vs19394
Error: "Invalid Certificate", when IE4.01 on Win95/NT views a signed object.
A known bug in Microsoft Internet Explorer 4.01 causes this error. To resolve this you have to either upgrade the browser being used or install Service Pack 2 for Microsoft Internet Explorer 4.01 on the machine. The error is a Microsoft error and is not related to the certificate in any way.
Error: " An ActiveX control on this page is not safe. Your current security setting prohibit running unsafe controls on this page"
Even though the ActiveX has been signed it needs to be marked as safe for scripting and initialization in order to be run correctly in IE. Please read the following KB solution:vs30244
Error: "java.security.keystoreException: pkcs12 not found
To troubleshoot this problem please have a look at the following KB solution: vs23272
Error:"The certificate issuer is not recognized”
To troubleshoot this problem please have a look at the following KB solution:vs26481
search the thawte knowledgebase
Try our top solutions
- Retrieve your lost thawte ID and password
- Generate a CSR
- Test your CSR
- Backup your Private Key
- Buy a certificate
- Required documentation
- Install SSL Web Server Certificate
- Install SGC SuperCert
- Install SSL123 Certificate
- Display thawte Site Seal on website
- Renew a certificate
- Retrieve your Status page password
- Reissue your certificate
- Choose a code signing certificate?
- Sign all your code with a Microsoft Authenticode Certificate
- Supported browser software
- Download thawte Root Certificates
Click here for more top solutions.
|