319 | | > makecert -pe -n "CN=OpenVPN community project" -a sha1 -sky signature -ic openvpntestca.cer -iv openvpntestca.pvk -sv openvpnproject.pvk openvpnproject.cer |
320 | | }}} |
321 | | |
| 319 | > makecert -pe -n "CN=My organization" -a sha1 -sky signature -ic testca.cer -iv testca.pvk -sv testspc.pvk testspc.cer |
| 320 | }}} |
| 321 | |
| 322 | After all of this is done, you should have four files in the current directory, e.g. |
| 323 | |
| 324 | * testca.cer |
| 325 | * testca.pvk |
| 326 | * testspc.cer |
| 327 | * testspc.pvk |
| 328 | |
| 329 | == Converting the certificate == |
| 330 | |
| 331 | The next step is to convert these into a format [http://sourceforge.net/projects/osslsigncode/ osslsigncode] can understand. As described [http://sourceforge.net/projects/osslsigncode/forums/forum/438747/topic/1706587 here], first you need to convert the actual code-signing certificate into p7b format. One way to do that is described below: |
| 332 | |
| 333 | * Navigate to the directory with the generated certificates using Windows Explorer |
| 334 | * Right-click on the code-signing certificate file (e.g. ''testspc.cer'') |
| 335 | * Select "Install certificate" and place the certificate into the certificate store of your choosing (e.g. ''Personal'') |
| 336 | |
| 337 | Next you need to export the just imported certificate in a different format: |
| 338 | |
| 339 | * Launch ''mmc.exe'' |
| 340 | * Add the ''Certificates'' snap-in |
| 341 | * Locate the ''My organization'' certificate you just installed using ''mmc.exe'' |
| 342 | * Double click on the certificate |
| 343 | * Select ''Details'' tab |
| 344 | * Click on ''Copy to File'' and export the certificate in p7b format |
| 345 | |
| 346 | == Converting the private key == |
| 347 | |
| 348 | As described [http://sourceforge.net/projects/osslsigncode/forums/forum/438747/topic/1706587 here], you will also need to convert the private key. Because it's in a proprietary [http://www.drh-consultancy.demon.co.uk/pvk.html PVK] format, you need to use the [http://www.drh-consultancy.demon.co.uk/pvk.html pvk.exe] tool on the Windows box to convert it into PEM format: |
| 349 | |
| 350 | {{{ |
| 351 | > pvk -in testspc.pvk -nocrypt -out testspc.pem |
| 352 | }}} |
| 353 | |
| 354 | This will prompt you for the private key's password. After this, you can use [http://openssl.org/ OpenSSL] to convert the PEM file into DER format, which ''osslsigncode'' requires. Below we use ''openssl'' on Linux for the job; adapt as necessary for Windows (i.e. ''openssl'' -> ''openssl.exe'': |
| 355 | |
| 356 | {{{ |
| 357 | $ openssl rsa -in testspc.pem -inform PEM -out testpsc.der -outform DER |
| 358 | }}} |
| 359 | |
| 360 | == Signing OpenVPN components == |
| 361 | |
| 362 | At this point you should have these files: |
| 363 | |
| 364 | * testca.cer: CA certificate |
| 365 | * testca.pvk: CA certificate's private key (in proprietary PVK format) |
| 366 | * testspc.cer: Code-signing certificate |
| 367 | * testspc.p7b: Code-signing certificate (in P7B format) |
| 368 | * testspc.pvk: Code-signing certificate's private key (in proprietary PVK format) |
| 369 | * testspc.pem: Code-signing certificate's private key (in PEM format) |
| 370 | * testpsc.der: Code-signing certificate's private key (in DER format) |
| 371 | |
| 372 | We can now sign whatever executables we want like this: |
| 373 | |
| 374 | {{{ |
| 375 | $ osslsigncode -spc testspc.p7b -key testspc.der -n "OpenVPN custom version" -i "http://company.domain.com" -in openvpn-2.3-alpha1-custom-install.exe -out openvpn-2.3-alpha1-custom-install-signed.exe |
| 376 | }}} |
| 377 | |
| 378 | Next you can test the installer to see whether the ''Program Name'' and ''Verified publisher'' are correct. |
| 379 | |
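Review bot: The DER key filename is spelled inconsistently. The openssl step on new line 357 writes `testpsc.der` and the file list on new line 370 repeats that spelling, but the osslsigncode command on new line 375 reads `-key testspc.der`, so a reader who follows the steps verbatim reaches the signing command without the key file it names. Use `testspc.der` in all three places. On new line 354 the parenthesis opened at "(i.e." is never closed. The `pvk ... -nocrypt` step and the DER conversion also appear to leave the code-signing private key on disk without a passphrase, so it would help to add a sentence telling the reader to restrict access to `testspc.pem` and the `.der` file, or to remove them once signing is done.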