Object code signing with StartSSL

I have used code signing to sign our .NET assemblies, but you should be able to use the same steps to sign any dll, exe, cab or msi files.
Before you can start signing, you need the following prerequisites:

  1. The actual certificate downloaded from StartSSL.
  2. OpenSSL binaries for Windows.
  3. SignTool, which is part of the Windows SDK.

After your object code certificate request has been approved, you can download the certificate from the Tool Box > Retrieve Certificate section of your StartSSL account page. Copy the contents of the textbox and save them to a file, for example cert.pem.
Now we have to convert the certificate into a format that SignTool can read. To do this you need the file with the private key (key.pem) that was used for the certificate request.

openssl.exe pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem

You will have to provide the pass phrase that was set when key.pem was created and define a password for the pfx file, which will be used for signing. As soon as the pfx file is created, you can sign your first assembly.

signtool sign /d "PRODUCT_NAME" /du "PRODUCT_URL" /f cert.pfx /p "PFX_PASSWORD" /t "http://timestamp.verisign.com/scripts/timestamp.dll" /v "FILE_TO_SIGN"
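The whole procedure with the checks a signing pipeline usually wants around it, as an added example that is not part of the original post: it confirms that key.pem matches cert.pem and that the certificate carries the Code Signing usage before building the PFX, then verifies the signature and its timestamp after signing. It assumes openssl.exe and signtool.exe are on PATH and that the key is RSA; MyApp.dll is a placeholder file name.

```powershell
# Added example. File names follow the article; MyApp.dll is a placeholder for FILE_TO_SIGN.
# Assumes openssl.exe and signtool.exe are on PATH and that key.pem is an RSA key.
$file = 'MyApp.dll'

# 1. The private key must belong to the certificate: for RSA, the moduli are identical.
$certMod = & openssl.exe x509 -noout -modulus -in cert.pem
$keyMod  = & openssl.exe rsa  -noout -modulus -in key.pem   # asks for the key pass phrase
if (-not $certMod -or $certMod -ne $keyMod) { throw 'key.pem does not match cert.pem' }

# 2. The certificate must carry the Code Signing extended key usage.
$text = & openssl.exe x509 -noout -text -in cert.pem
if (-not ($text | Select-String -SimpleMatch 'Code Signing')) {
    throw 'cert.pem is not a code signing certificate'
}

# 3. Build the PFX as in the article (openssl prompts for both passwords).
& openssl.exe pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem
if ($LASTEXITCODE -ne 0) { throw 'PFX export failed' }

# 4. Sign. The password is prompted for rather than stored in the script;
#    it is still passed to signtool on its command line, as in the article.
$secure = Read-Host 'PFX password' -AsSecureString
$pfxPassword = (New-Object System.Net.NetworkCredential('', $secure)).Password
& signtool.exe sign /f cert.pfx /p $pfxPassword `
    /t 'http://timestamp.verisign.com/scripts/timestamp.dll' /v $file   # URL from the article
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed' }

# 5. Verify against the Authenticode policy and confirm the timestamp was applied.
& signtool.exe verify /pa /v $file
if ($LASTEXITCODE -ne 0) { throw 'signature does not verify' }
$sig = Get-AuthenticodeSignature -FilePath $file
if ($sig.Status -ne 'Valid') { throw "signature status: $($sig.Status)" }
if (-not $sig.TimeStamperCertificate) { throw 'signature has no timestamp' }
"Signed by $($sig.SignerCertificate.Subject)"
```

The timestamp check matters because a timestamped signature stays valid after the signing certificate itself expires.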

4 thoughts on “Object code signing with StartSSL”

  1. May I ask how much the certificate from StartSSL cost? Is it true that it is about $59 for the Class 2 identification of a person and then the certificate itself is “free” (at least that is how I understand it from their website)? And how long is it valid? Thanks for the answer. 🙂

  2. Yes, it is $59, and another $59 if it were for a company. You pay for the identity verification. So once for a person and once for a company. The certificate is generated for 2 years.
