How to create your own code signing certificate and sign an ActiveX component in Windows

All feedback and comments should be directed to support@versinique.com

Problem Overview

Users cannot install an ActiveX component because it is not signed, and they cannot override the security settings of Internet Explorer to allow the installation.

The usual solution is to obtain a code-signing certificate from a CA such as Verisign or Thawte, but this is overkill for internal networks or small-scale applications.

Solution Overview

This article describes how to do the following:
  • Create Root CA certificate using OpenSSL
  • Create Intermediate Certificate using OpenSSL
  • Create Personal Code-Signing Certificate using OpenSSL
  • Install Root certificate in Windows KeyStore using Internet Explorer
  • Install Intermediate Certificate in Windows KeyStore using Internet Explorer
  • Install Personal Certificate in Windows KeyStore using Internet Explorer
  • Sign an ActiveX CAB file using Microsoft Signtool

Limitations

Once signed you can distribute the ActiveX component to any user, BUT the user must install the Root CA and Intermediate Certificates as well for installation to be allowed.

If you want users to install an ActiveX component without the Root and Intermediate certificates then buy a code-signing certificate online from Thawte or Verisign.

Step 1 : Download and Install OpenSSL

  • Download OpenSSL distribution [Click here to find]
  • Install the OpenSSL software to c:\openssl (or c:\program files\openssl if you like to keep installations consistent)

Step 2 : Create Root CA Certificate

  • Open a DOS Command Prompt
  • Navigate to the OpenSSL binaries directory. Type
    CD c:\openssl\bin
  • Create the private key. Type
    openssl genrsa -des3 -out ca.key 4096
  • When prompted enter a *very* strong password
  • And then verify the password
  • Create the self-signed Root CA certificate (the public half of the key pair). Type
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  • When prompted enter the *very* strong password
  • For Country Name enter the international standard two letter abbreviation (use GB, NOT UK if in the UK)
  • For State enter the state name in full, or for UK the county name
  • For Locality, enter where your company is registered, town or city
  • For Organisation Name enter the full company name, e.g. Mycompany LTD
  • For organisation unit enter Development or Support
  • For Common Name use your domain name, e.g. mycompany.com
  • For email address enter a valid address e.g. support@mycompany.com

Step 3 : Create and Sign Intermediate Certificate

  • Create the private key. Type
    openssl genrsa -des3 -out server.key 4096
  • When prompted enter a *very* strong password (can be the same as before)
  • And then verify the password
  • Create a certificate request for signing by the Root CA. Type
    openssl req -new -key server.key -out server.csr
  • Enter the *very* strong password
  • Repeat the information entered above for the Root CA certificate, EXCEPT for the common name add "www." e.g. www.mycompany.com
  • When prompted for Challenge Password press Enter to skip
  • When prompted for Optional Company Name press Enter to skip
  • Sign the request with the Root CA to produce the Intermediate certificate. Type
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
  • When prompted enter the *very* strong password used to create the CA certificate

Step 4 : Create a combined cert that simplifies SignTool

  • Combine the Intermediate private key and certificate into a single PKCS#12 package. Type
    openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt
  • When prompted enter the *very* strong password used to create the Intermediate certificate
  • Repeat password for Export Password, and Export Password verify
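The whole of Steps 2 to 4 as one script, added here as an example and not part of the original article: it builds the same ca.key/ca.crt and server.key/server.crt pair, but issues the signing certificate with the X.509v3 extensions (CA:FALSE, digitalSignature, codeSigning EKU) that a plain "x509 -req" omits, embeds ca.crt in the PFX, and verifies the result. The passphrase, subject values and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own commands: Steps 2-4 with extensions and checks.
set -eu

WORK="$(pwd)/codesign-demo"                        # constructed working directory
PASS="pass:CHANGE-ME-very-strong-password"         # placeholder; use a real one
SUBJ="/C=GB/ST=Somecounty/L=Sometown/O=Mycompany LTD/OU=Development"

make_chain() (
    mkdir -p "$WORK" && cd "$WORK"
    # Step 2: Root CA private key and self-signed certificate, as in the article.
    openssl genrsa -des3 -passout "$PASS" -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -passin "$PASS" -out ca.crt \
        -subj "$SUBJ/CN=mycompany.com/emailAddress=support@mycompany.com"
    # Step 3: signing key and CSR. The article's "Intermediate" certificate is the
    # one that actually signs the CAB, so it is issued as an end-entity (CA:FALSE)
    # certificate with the Code Signing extended key usage via -extfile.
    openssl genrsa -des3 -passout "$PASS" -out server.key 4096
    openssl req -new -key server.key -passin "$PASS" -out server.csr \
        -subj "$SUBJ/CN=www.mycompany.com/emailAddress=support@mycompany.com"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=codeSigning' > signing.ext
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "$PASS" -set_serial 01 -extfile signing.ext -out server.crt
    # Step 4: PKCS#12 bundle; -certfile embeds ca.crt so the chain travels with it.
    openssl pkcs12 -export -out exported.pfx -inkey server.key -in server.crt \
        -certfile ca.crt -passin "$PASS" -passout "$PASS"
)

# Succeeds only if server.crt chains to ca.crt and carries the Code Signing EKU.
verify_chain() (
    cd "$WORK"
    openssl verify -CAfile ca.crt server.crt >/dev/null &&
        openssl x509 -in server.crt -noout -text | grep -q 'Code Signing'
)

# Prints the number of certificates inside the PFX (2 = signing cert + root).
pfx_cert_count() (
    cd "$WORK"
    openssl pkcs12 -in exported.pfx -passin "$PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'
)

make_chain >/dev/null
verify_chain || { echo "chain verification failed" >&2; exit 1; }
echo "chain OK, exported.pfx holds $(pfx_cert_count) certificates"
```

The -subj flags replace the interactive prompts of Steps 2 and 3; on Windows run the same commands from the OpenSSL bin directory with a Bourne-compatible shell or type them one at a time.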

Step 5: Install Root CA certificate using Internet Explorer

  • Launch Internet Explorer
  • Select Tools->Internet Options from the menu bar
  • Select Content Tab
  • Click CERTIFICATES
  • Select the Trusted Root Certification Authorities Tab
  • Click IMPORT
  • Click NEXT>
  • Click BROWSE to locate the required filename
  • Browse to C:\openssl\bin and highlight ca.crt
  • Click OPEN
  • Click NEXT>
  • Ensure Place all certificates in the following store is selected
  • Ensure Certificate store: = Trusted Root Certification Authorities
  • Click NEXT>
  • Click FINISH
  • Click YES to trust
  • Click OK

Step 6: Install Intermediate certificate using Internet Explorer

  • Change tabs to Intermediate Certification Authorities
  • Click IMPORT
  • Click NEXT>
  • Click BROWSE to locate the required filename
  • Browse to C:\openssl\bin and highlight server.crt
  • Click OPEN
  • Click NEXT>
  • Ensure Place all certificates in the following store is selected
  • Ensure Certificate store: = Intermediate Certification Authorities
  • Click NEXT>
  • Click FINISH
  • Click OK

Step 7: Install Personal certificate using Internet Explorer

    Note: This simplifies code signing with signtool for the developer, but end users do not need to do this
  • Change tabs to Personal
  • Click IMPORT
  • Click NEXT>
  • Click BROWSE to locate the required filename
  • Change the file extension type to Personal Information Exchange *.pfx, *.p12
  • Browse to C:\openssl\bin and highlight exported.pfx
  • Click OPEN
  • Click NEXT>
  • Enter the *very* strong password entered when EXPORTING the key (in these instructions it's the same password used to create the Intermediate key)
  • Ensure Place all certificates in the following store is selected
  • Ensure Certificate store: = Personal
  • Click NEXT>
  • Click FINISH
  • Click OK

Step 8 : Download and Install Microsoft Platform SDK

  • Download SDK [Click here to find]
  • To reduce the download size use the Web Install (download and run PSDK-x86.exe), perform a custom install and select only Microsoft Windows Core SDK, removing the AMD and Documentation sub-options
  • Install the Microsoft Platform SDK tools into c:\program files\microsoft platform sdk

Step 9 : Sign ActiveX CAB file (or exe etc)

  • Open a DOS Command Prompt
  • Change to the SDK binaries directory. Type
    CD c:\program files\microsoft platform sdk\bin
  • Launch the signing tool wizard. Type
    signtool signwizard
  • Click NEXT
  • Browse and select the ActiveX component to sign
  • Click NEXT
  • Click TYPICAL
  • Click NEXT
  • Click SELECT FROM STORE
  • Highlight the code-signing certificate imported in Step 7 (its common name is www.mycompany.com if you used the example values above)
  • Click OK
  • Click NEXT
  • Click NEXT
  • Click NEXT
  • Click FINISH
  • Click OK

Step 10 : User Installation Instructions

  • Follow steps 5 and 6, then go to the web page where the signed ActiveX CAB is used; installation will now be allowed

Step 11 : Don't want to create certificates? Or don't have time?

  • Click here for free code signing certificate and authentication chain, and simplified certificate installation

Acknowledgements

It took several days to work through to this final simple solution because there was no end-to-end document available for creating the certificates and signing an ActiveX component. The following links proved useful in finding the solution:

Microsoft overview
Verisign notes on signtool
Dallaway on creating and signing Java Apps
Mark Foster on OpenSSL and KeyTool exchanges
Self signed cert for Apache
Self signed cert for Mobile Phones
More on self signing cert for Mobile Phones

Update history

23 May 2007 - Added more detailed SDK instructions to avoid downloading the whole SDK
05 Feb 2007 - Added links to find the Microsoft SDK and a simple OpenSSL install for download