| 319 | | > makecert -pe -n "CN=OpenVPN community project" -a sha1 -sky signature -ic openvpntestca.cer -iv openvpntestca.pvk -sv openvpnproject.pvk openvpnproject.cer |
| 320 | | }}} |
| 321 | | |
| | 319 | > makecert -pe -n "CN=My organization" -a sha1 -sky signature -ic testca.cer -iv testca.pvk -sv testspc.pvk testspc.cer |
| | 320 | }}} |
| | 321 | |
| | 322 | After all of this is done, you should have four files in the current directory, e.g. |
| | 323 | |
| | 324 | * testca.cer |
| | 325 | * testca.pvk |
| | 326 | * testspc.cer |
| | 327 | * testspc.pvk |
| | 328 | |
| | 329 | == Converting the certificate == |
| | 330 | |
| | 331 | The next step is to convert these into a format [http://sourceforge.net/projects/osslsigncode/ osslsigncode] can understand. As described [http://sourceforge.net/projects/osslsigncode/forums/forum/438747/topic/1706587 here], first you need to convert the actual code-signing certificate into p7b format. One way to do that is described below: |
| | 332 | |
| | 333 | * Navigate to the directory with the generated certificates using Windows Explorer |
| | 334 | * Right-click on the code-signing certificate file (e.g. ''testspc.cer'') |
| | 335 | * Select "Install certificate" and place the certificate into the certificate store of your choosing (e.g. ''Personal'') |
| | 336 | |
| | 337 | Next you need to export the just imported certificate in a different format: |
| | 338 | |
| | 339 | * Launch ''mmc.exe'' |
| | 340 | * Add the ''Certificates'' snap-in |
| | 341 | * Locate the ''My organization'' certificate you just installed using ''mmc.exe'' |
| | 342 | * Double click on the certificate |
| | 343 | * Select ''Details'' tab |
| | 344 | * Click on ''Copy to File'' and export the certificate in p7b format |
| | 345 | |
| | 346 | == Converting the private key == |
| | 347 | |
| | 348 | As described [http://sourceforge.net/projects/osslsigncode/forums/forum/438747/topic/1706587 here], you will also need to convert the private key. Because it's in a proprietary [http://www.drh-consultancy.demon.co.uk/pvk.html PVK] format, you need to use the [http://www.drh-consultancy.demon.co.uk/pvk.html pvk.exe] tool on the Windows box to convert it into PEM format: |
| | 349 | |
| | 350 | {{{ |
| | 351 | > pvk -in testspc.pvk -nocrypt -out testspc.pem |
| | 352 | }}} |
| | 353 | |
| | 354 | This will prompt you for the private key's password. After this, you can use [http://openssl.org/ OpenSSL] to convert the PEM file into DER format, which ''osslsigncode'' requires. Below we use ''openssl'' on Linux for the job; adapt as necessary for Windows (i.e. ''openssl'' -> ''openssl.exe'': |
| | 355 | |
| | 356 | {{{ |
| | 357 | $ openssl rsa -in testspc.pem -inform PEM -out testpsc.der -outform DER |
| | 358 | }}} |
| | 359 | |
| | 360 | == Signing OpenVPN components == |
| | 361 | |
| | 362 | At this point you should have these files: |
| | 363 | |
| | 364 | * testca.cer: CA certificate |
| | 365 | * testca.pvk: CA certificate's private key (in proprietary PVK format) |
| | 366 | * testspc.cer: Code-signing certificate |
| | 367 | * testspc.p7b: Code-signing certificate (in P7B format) |
| | 368 | * testspc.pvk: Code-signing certificate's private key (in proprietary PVK format) |
| | 369 | * testspc.pem: Code-signing certificate's private key (in PEM format) |
| | 370 | * testpsc.der: Code-signing certificate's private key (in DER format) |
| | 371 | |
| | 372 | We can now sign whatever executables we want like this: |
| | 373 | |
| | 374 | {{{ |
| | 375 | $ osslsigncode -spc testspc.p7b -key testspc.der -n "OpenVPN custom version" -i "http://company.domain.com" -in openvpn-2.3-alpha1-custom-install.exe -out openvpn-2.3-alpha1-custom-install-signed.exe |
| | 376 | }}} |
| | 377 | |
| | 378 | Next you can test the installer to see whether the ''Program Name'' and ''Verified publisher'' are correct. |
| | 379 | |
