You’ve Got a New Verisign Authenticode Certificate – Now What?

The good news first: You can get a Verisign Authenticode code signing certificate for $99. Just check out https://sysdev.microsoft.com/ for details. This price even applies to the renewal when the original certificate expires after a year.

The bad news: Actually getting the certificate and using it is not so easy. Here are some tips.

Getting the Certificate

I only tried this with my company, and I heard it is a lot easier for companies than for individuals.

Make sure to have had a valid telephone number on your website for some time. Verisign uses a firm called Dun & Bradstreet to get information about your company. D&B apparently collects data from websites, so having the right phone number up on the web site really helps a lot.

After you have submitted the order on Verisign’s website you need to wait. A representative of Verisign will call you on your official company number (see above) in the next two or three days. If they cannot reach you there you will get an e-mail with instructions on how to contact them. The best way is to contact Verisign support via chat and let them know when you can be reached at your official company number. Once that phone call is over (they just ask you to confirm the company name and address) you get an e-mail with a link to download the certificate.

Now, if you are a modern netizen living in the year 2012 you might have tried using Chrome or Firefox to order the certificate. Forget it! IE only!

Open the link you got in Verisign’s e-mail in IE and your new Authenticode certificate will be imported into your personal certificate store.

Now what?

Using the Certificate

Open Certmgr.msc and navigate to Personal -> Certificates. You should see you new certificate there:

The first thing you should do is to back it up – the only copy you currently have is in the certificate store of the computer you used to buy the certificate. It does not help you much there anyway – you need a .PFX file to sign your files.

Right-click the certificate and select “All Tasks -> Export”. Make sure to select “Yes, export the private key”:

Check the export properties to include all certificates in the certification path and to export all extended properties:

Choose a good, strong password!

Then select where to store the resulting .PFX-File and you are done. Take good care of this file – anyone in possession of it and the password you selected can sign files in your name.

Intermediate Certificates

In order to use your new certificate for signing you need to do one more thing: In the e-mail you got from Verisign they ask you to install two intermediate certificates. Do take that seriously, or your files will not be signed properly!

Unfortunately Verisign only provides the two intermediate certificates in text format without any instructions what to do:

As so often, the answer is simple (once you know it). Copy each certificate’s text into a new text file and save it with the extension .CER. Then, in Explorer, double-click the .CER file and use the wizard that pops up to install it.

Now you are ready to sign your executables.

Signing Code

Put Signtool.exe and your certificate in a separate folder next to your project folders. Add something like the following as post-build step:

"$(ProjectDir)..\Signing\signtool.exe" sign /f "$(ProjectDir)..\Signing\MyCertificate.pfx" /p PasswordForCertificate /d "Name of product" /du "URL of product" /t "http://timestamp.verisign.com/scripts/timestamp.dll" "$(TargetPath)"

, , ,

6 Responses to You’ve Got a New Verisign Authenticode Certificate – Now What?

  1. ta.speot.is November 20, 2012 at 22:58 #

    Nice article. My two cents:

    There’s an MSBuild task that can sign files that might be neater than using a post build action.

    Also, last time I used Verisign’s timestamping server it was timstamp.dll not timEstamp.dll

    • Helge November 21, 2012 at 11:06 #

      I have been using “timestamp.dll” (with an e) for a long time. It works well ;-)

  2. John Lueders January 19, 2013 at 06:21 #

    Thank you for the command line code, that is very helpful.
    On a 64-bit Windows 8 now, and Tech-Pro’s CodeSign does not work on 64-bit.

  3. mike October 25, 2013 at 19:09 #

    DigiCert has a nice, free utility that will pull your code-signing certs easily. I purchased my cert from Comodo, but this tool made it easy to find and export, even giving options to export the public key or the entire chain.

    It also has a file-signing feature built-in.

    And Visual Studio 2010+ supports code signing on build for some apps if you go into the project properties.

  4. Ryan December 11, 2013 at 19:31 #

    Hey Helge,

    I hate to comment on this post since it was posted well over a year ago, but I have been searching the web for information on the “Include all certificate in in certification path if possible” option and keep coming up empty handed. Do you know what this option does, specifically, to the certificate? Do you know of any resources that detail this option’s effects?

  5. Vinai June 11, 2014 at 10:09 #

    Nice article, Very helpful.

Leave a Reply