Can I sign ActiveX control with root certificate? - activex

I have an ActiveX control, which is supposed to be installed at the first visit of web-page.
I have a self-signed certificate, created with OpenSSL, and its child. The problem is that if I sign an ActiveX control with the root certificate, Windows can't validate it while checking the ActiveX control, even if it is installed as trusted.
It writes that
"A certificate's basic extension has not been observed"
and in "view certificate":
"The certificate is not valid because one of certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate".
If I use the child certificate for signing while the root certificate is trusted, everything is fine.
I suppose that the root certificate can only sign certificate-related stuff, not files etc.; however, I want to be sure about this.

I think that what that error message is trying to tell you is that the certificate you have generated for your key does not contain the correct certificate extensions. Code-signing requires a certificate that has been generated for code-signing. Other types of certificate -- e.g. those that are generated for signing data -- are subject to less scrutiny by the CA, and so offer a lower level of security than is required for code-signing.
Your own self-signed root certificate should be set up for key-signing, and the child certificate should be set up for code-signing. Then your ActiveX signature should be OK, so long as your root certificate is in the browser's trusted key store. Generally a key-signing certificate should be set up only for key-signing and a code-signing certificate should be set up only for code-signing, so you can't use these keys for any other purpose.
That solution is OK within an organization, where you can install your root key on every user's PC in advance. If you want to use your ActiveX control on a webpage on the public internet you will either have to persuade users to trust your certificate (even though they may have no good reason to do so) or you will have to buy a code-signing certificate from one of the commercial CAs whose root certificates are already known to the common browsers.
Finally, I'd really advise against using ActiveX controls for anything, as they'll only be able to run on Windows, and then only if they're trusted. Most people who have any sense will have their browser's security set up to reject them. You'll have much more success producing your active content with a different technology (e.g. JavaScript).

Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
I've answered this in a little more detail on the following question.
creating a key and signing executable with signtool

Related

iOS Distribution Certification Transfer

My company has an Apple Developer ID, and I have acquired a distribution certificate to release an Ad Hoc version of the app for testing. However, now, owing to my leaving, they need me to transfer the company Developer ID and the certificate to other computers.
I exported the p12 file of the Distribution Certificate and ran it on another Mac.
On one computer everything went well, while it did not work on another one. I tried to download the WRDCA and run it, yet that did not solve the problem.
In addition, I found that on that computer there is no certificate of the Apple Application Integration Certification Authority. Is this the reason why the p12 file did not work on the Mac? If not, how can I solve this problem?
In short, I carelessly neglected to ensure that all the AWDRCA in my keychain were deleted.
If anyone else finds that the certificate is in the situation of "This certificate was signed by an unknown authority" with the AWDRCA installed in your system, please check whether there is any other AWDRCA in the "System" keychain category which is invalid or expired. Delete them if there are. And then your other CA might be valid as well.
In addition, the certificate of the Apple Application Integration Certification Authority is less likely, if at all, to influence your CA, because the direct signer of the certificate is the AWDRCA. However, if you have doubts about this, you can just download the AAICA at the following address.
Apple Original PKI Website
A screen print of the website Apple PKI
There are three kinds of AAICA; which one depends on you. I just use the first one.
Finally, thanks to Gary Lip for the patient description. My carelessness might have misled his/her thinking in solving my problem.

SSL cert works in iOS VM, but won't work on device

I got an SSL certificate from OpenSSL (not the best, but free and accepted by Chrome). It's used to make a secure payment to Stripe. Everything was working fine in the emulator, but when I loaded the app onto the device I get an error saying that "The certificate for this server is invalid."
Anyone know how to make this work? I'm looking for a correct solution (I have a feeling that will involve purchasing an SSL cert that's a bit more legit) as opposed to just allowing it in a hacky way to get it to run on the device.
Trusted certificates are signed by a certificate authority, so while OpenSSL is good for creating self-signed certs to test with, you'll need to purchase a certificate for live use.
If you can install the certificate at both ends (client and server) then you can get away with a self-signed certificate. This is basically what happens when you "accept the risk" in Chrome.

Will a self signed code-signing certificate get rid of "Unknown Publisher" warnings?

What will be the effect of using a self signed certificate with regards to warnings?
You will still get warnings like "untrusted signing authority" when using self-signed certificates. You usually just self-sign on your own servers to test SSL. You don't want to self-sign SSL on a production server.
No, a self-signed certificate won't work for that. You'll have to get a code-signing cert from a real CA; see http://codesigning.ksoftware.net or http://www.verisign.com (and there are many more).
Here's what worked for me.
For local testing, yes, that is possible.
1. Right-click the installer and go to Properties.
2. Click on the Digital Signatures tab.
3. Under Signature list, select the signer and click Details.
4. Click View Certificate.
5. Click Install Certificate..., then Next >.
6. Select the "Place all certificates in the following store" radio button.
7. Click Browse and select Trusted Root Certification Authorities.
8. Click OK, click Next >, and then Finish.
A Security Warning will appear informing you that you're doing this at your own risk.
If you want to remove this certificate, you can do that by going to certmgr.msc and removing the certificate located under Trusted Root Certification Authorities.
If you install your self-signed certificate into the Root Certification Authorities store, you will not get "Unknown Publisher" warnings.

AppleWWDRCA certificate needed *at all* for OpenSSL signing?

Does the AppleWWDRCA.cer have any bearing on developing certificates using OpenSSL? If so, what? If not, what is its use?
Edit:
I am using Windows. I do not need an answer concerning Mac development.
So far, using OpenSSL, I have created development apps (signed, and with certificates), ad hoc apps for multiple developers (signed, and with certificates), and they all have worked just fine. This is (probably) only a question about whether it is needed to put an app in Apple's App Store.
No, the WWDR Certificate is only used to authorize your app for selling/integrating on the Apple App Store.
Public OpenSSL certificates are (generally) given to your application by an outside Certificate Authority and used by your users to authenticate your application (prove that your application is indeed what it claims to be) and encrypt the data they send in an SSL connection. These can be generated entirely independently of your WWDR certificate.

Signing a cab file

Disclaimer: I have no experience in signing the files and this is my first time.
We have a wildcard SSL certificate for our websites. Now we are going to host an ActiveX control on one of our sites. When I try to sign my cab file using that certificate it gives the error "private key and the certificate does not match or does not contain valid information". The steps that I performed to sign the cab file are below:
1. I exported the certificate along with the private key to pfx file.
2. I created the pvk file and spc file from pfx file using the instructions given here: http://www.tech-pro.net/export-to-pvk-spc.html
3. I launched signtool signwizard to sign my cab file using the generated pvk and spc files.
I have been stuck at this point for the last 3 days now and cannot seem to find the right answer. I also want to know if our wildcard SSL certificate is good enough to sign files or whether I have to purchase a specific certificate for this purpose. When I look at my certificate details by double-clicking it, the only purpose mentioned on the certificate is "Ensures the identity of a remote computer". Could this be the reason I am getting an error when signing?
Please help me out on this one.
Thanks and Regards,
Naveed
You need a code-signing certificate to sign a CAB or EXE file. An SSL certificate won't work.
While code-signing and SSL certificates are both X.509 certificates, they have different values of the "Key Usage" property.
Most likely the software that performs the signing checks the key usage and refuses to use the certificate.