Edit 02Jan2017: Even if you wanted to ignore the revelations of dubious practices of StartSSL and with them now being owned by WoSign, there is another matter to consider - StartSSL authenticode certificates don't support lifetime signing. Meaning, when your certificate has expired, your signed binaries are no longer trusted, negating the point of signing them in the first place. For this reason, I don't recommend using StartSSL any further.
The process of obtaining a code signing certificate from StartSSL differs significantly from the process I originally went through with Comodo. This blog post serves to document how I did it for StartSSL, both as a reference for myself and for anyone else! Personally I find this approach easier than fiddling around exporting certificates from a browser, and it gives you a lot more control.
This post assumes you have already validated a level 2 personal/organization identity with StartSSL. Free level 1 validations cannot be used to create code signing certificates.
The usual caveat applies - I have tested this process and signed software with the final certificate and all seems well. However, it's entirely possible I'm missing something and something drastic given the apparent compromising of the previous certificate. I'll update this post should I discover anything untoward, but your mileage may vary. I am not a security expert.
In order to generate the certificate signing request (CSR) and convert the certificate, you're going to need to use OpenSSL. As I'm running on Windows, you'll more than likely want to download pre-compiled Win32 binaries - you can find these here. I mostly use 64bit versions of Windows, but I found the 32bit version of OpenSSL to suffice.
The OPENSSL_CONF environment variable, or avoiding "WARNING: can't open config file: /usr/local/ssl/openssl.cnf"
When trying to use the OpenSSL command line tools, you may receive
WARNING: can't open config file: /usr/local/ssl/openssl.cnf. It might be a warning, but it is a fatal one.
If this happens, just run the following line in your command window (or add it to your batch script), replacing the path as appropriate for your local installation.
As a side note, the OpenSSL installer does register this as a global environment variable, but it doesn't seem to kick in right away - I received this warning when initially testing on a Windows 8.1 development machine, and I received it again when installing on an XP VM for testing as I write this post.
A note on paths
By default, the OpenSSL installer linked to above will install the binaries to your Windows system directory. If (as I did) you choose not to do this, you will either need to include the OpenSSL bin folder in your path, include the path in the executable call, or set the current directory to the OpenSSL bin folder. Whatever method you choose, the rest of this article assumes that this has been done.
Generating the certificate signing request
A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country source.
StartSSL requires a CSR that you need to create yourself. Although this might sound a little ominous (and something StartSSL could improve upon, as they offer zero guidance on the subject) it's pretty easy to do.
Open a command window and run the following command, replacing
yournamehere as appropriate.
openssl req -out yournamehere.csr -new -newkey rsa:2048 -nodes -keyout yournamehere.key
When you run the command, you'll be asked for a number of different values, such as Country, State, Common Name and so on. Make sure these values match the details you have validated with StartSSL.
Once you have submitted all the requested values, OpenSSL will generate both a certificate request and a private key with a bit size of 2048. By default it will use the SHA1 algorithm. For a more secure key, change
2048 to a larger value such as 4096. Do not use a value lower that 2048 however.
You've probably heard that Google is doing away with SHA1 SSL and while I don't think this applies to code signing certificates, you may wish to use something newer, for example appending to the above command line
-sha256will use SHA2. However, I didn't discover this option until after I'd created the certificate so I can't say if this works or not. I also remember Windows XP didn't support one of the .NET SHA algorithms so this too may factor into your choice.
yournamehere.key somewhere secure. If you lose this file, you won't be able to generate any more certificates from that CSR. And you don't want anyone else getting their hands on the key either.
Make sure all details are correct before submitting the CSR to StartSSL. You won't be able to create a new certificate without revoking the previous one - and StartSSL will charge you for this.
yournamehere.csr in your favourite text editor, copy out the entire contents of the file and paste it into StartSSL's CSR request field and submit the form.
Creating the certificate
Once StartSSL has processed your request, you'll be able to download the certificate. When you request your certificate from them you'll be presented with another unfriendly form containing a block of text. Copy this into a new file and save it somewhere with a
If you double click this file from Windows Explorer, then it should display the certificate allowing you to check all the details.
The certificate you have just downloaded is actually in PEM format, but Windows doesn't recognize the
.pemextension in order to view it as described above.
However, you're not quite done. Microsoft's
signtool.exe command requires that certificates be in the Personal Information Exchange (PFX) format instead. So we'll need to convert the certificate using the private key we created earlier.
Open a command window and run the following, as usual replacing file names as appropriate. If you omit the
-password argument then OpenSSL will prompt for one. Older versions of Windows only support password lengths of 32 characters. Make sure the password is as secure as you can, random characters, symbols, the works.
If your chosen password includes the & character, surround the password in double quotes otherwise the command parser will get a little confused and the command will fail
openssl pkcs12 -export -out yournamehere.pfx -inkey yournamehere.key -in yournamehere.crt -password pass:"yourpasswordhere"
This should then generate
yournamehere.pfx in a format that
signtool.exe will understand. Don't lose the password, you'll need it whenever you use the certificate to sign files or to import the certificate into a store.
Unlike with the
.crtfile, trying to open the
.pfxfile will display a wizard for importing the certificate into your store.
And you're done
With these simple steps complete you now have a certificate that you can use to code sign your programs. Good luck!
Example signtool.exe usage
Although this article is about creating the certificate, it only make sense to quickly outline the right parameters for signing your files. Again, I'm assuming that
signtool.exe is somewhere in your path for the below command line to work.
Edit 2016Jul27: According to Micheal Herrmann's comment, the time stamping URL is now
http://tsa.startssl.com/rfc3161, so if the example below no longer works try this URL instad.
signtool sign /f yournamehere.pfx /p yourpasswordhere /tr http://www.startssl.com/timestamp yourfilehere.exe
If you've previously use another timestamping service, you may have used
/t http://timestampurlhere.com- this won't work with StartSSL's timestamp server, you must use the