Adding Digital Signature to Executables

24 08 2011

A client I am working with asked me about importing digital signatures into executables, and my first reaction was, gross. Then the developer showed me exactly what the issue was: what they were really trying to avoid was a nasty IE message to their end users, and they wanted to give them a friendlier message instead.

Here are the steps it took to accomplish this task.

1. Create a new code signing template from the internal Microsoft CA

a. Log on to the CA issuer server

b. Open MMC and add the Certificate Templates snap-in

c. Find the template Code Signing, right click it and select Duplicate Template

d. Name the template, check Publish certificate in Active Directory, on the Subject Name tab select Supply in the request, and on the Security tab verify that the user who will be requesting the certificate has the Enroll permission set to Allow. Because Supply in the request lets the requester choose the subject name, keep Enroll on this template limited to the account that actually needs it.

2. Issue the template to the CA

a. From the CA issuer server, open the Certification Authority console and click Certificate Templates.

b. Right-click Certificate Templates and select New – Certificate Template to Issue

c. Select the template you created in step 1 and click OK.

3. Request a certificate using the template created in Step 1

a. From a domain-joined server, go to http://<CA Issuer Server>/certsrv

b. Click Request a certificate

c. Click Create and submit a request to this CA

d. Select the template created in Step 1, fill in the necessary Identifying Information, check Mark keys as exportable, give a Friendly Name and click Submit.

e. Click Install Certificate

4. Export the certificate to a .pfx

a. Open MMC and add Certificates

b. Find the certificate under Personal – Certificates in the current user's store.

c. Right-click the certificate and select All Tasks – Export, which starts the Certificate Export wizard

d. Click Next

e. Select Yes, export the private key and click Next

f. Verify Personal Information Exchange – PKCS #12 (.PFX) is selected and Enable strong protection is checked, then click Next

g. Set a password, click Next

h. Determine the file location and click Next

i. Click Finish

5. Have the developer sign the executable with signtool using the certificate

a. Give the developer the .pfx file and have them sign the executable with signtool. Note that signtool does not "import" the certificate into the file; it computes a digest of the executable, signs it with the private key from the .pfx and embeds that signature together with the certificate chain in the file's Authenticode section. Anyone holding the .pfx and its password can sign as your organization, so hand it over out of band, not by email, or let the developer sign directly from a certificate store instead.

Here is a link that explains how to sign an executable with signtool:

http://blog.didierstevens.com/2008/12/31/howto-add-a-digital-signature-to-executables/
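The same five steps driven from PowerShell on a domain-joined workstation, plus the verification the post leaves out. This is an added example, not code from the original post or from the linked article; the template name "InternalCodeSigning", the CA config string "ca01.corp.example\Corp-Issuing-CA", the subject, the signtool.exe path and the timestamp server URL are all assumptions to be replaced with your own values.

```powershell
# Added example (not from the original post). Assumed names: template
# "InternalCodeSigning", issuing CA "ca01.corp.example\Corp-Issuing-CA",
# target app.exe, the signtool.exe path and the RFC 3161 timestamp server.
$template = 'InternalCodeSigning'
$caConfig = 'ca01.corp.example\Corp-Issuing-CA'
$signtool = 'C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe'   # adjust to your SDK
$tsaUrl   = 'http://timestamp.digicert.com'                                 # any RFC 3161 TSA

# Steps 1-3: request a certificate from the template with certreq instead of
# the /certsrv web pages. "Supply in the request" on the template is what lets
# the Subject below through; Exportable = TRUE is "Mark keys as exportable".
@"
[NewRequest]
Subject = "CN=Contoso Build Signing, O=Contoso"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
KeyUsage = 0x80
FriendlyName = "Contoso Code Signing"
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path .\codesign.inf -Encoding ASCII

certreq -new .\codesign.inf .\codesign.req
certreq -submit -config $caConfig .\codesign.req .\codesign.cer
certreq -accept .\codesign.cer     # pairs the issued cert with the key in Cert:\CurrentUser\My

# Step 4: export certificate + private key to a password-protected PFX.
# Export-PfxCertificate is in the PKI module (Windows 8 / Server 2012 and later);
# on older hosts use "certutil -user -p <pw> -exportPFX My <thumbprint> codesign.pfx".
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath .\codesign.pfx -Password $pfxPassword | Out-Null

# Step 5: sign (run ONE of the two forms). /fd sets the file digest; /tr + /td
# add an RFC 3161 timestamp so the signature still validates after the
# certificate itself expires.
# (a) from the PFX the developer was handed:
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword))
& $signtool sign /f .\codesign.pfx /p $plain /fd sha256 /tr $tsaUrl /td sha256 .\app.exe
# (b) preferable: sign straight from the signer's own certificate store by
#     thumbprint, so the private key never leaves the store and no PFX is shared.
& $signtool sign /sha1 $cert.Thumbprint /fd sha256 /tr $tsaUrl /td sha256 .\app.exe

# Verify the way the end user's machine will. The chain has to end in a root
# that machine trusts: domain members pick up the internal root through AD,
# a machine outside the domain reports NotTrusted and IE still shows its warning.
& $signtool verify /pa /v .\app.exe
Get-AuthenticodeSignature .\app.exe |
    Select-Object Status, StatusMessage,
        @{ n = 'Signer';    e = { $_.SignerCertificate.Subject } },
        @{ n = 'Timestamp'; e = { $_.TimeStamperCertificate.Subject } }
```

Two points worth checking before calling this done. First, "Publish certificate in Active Directory" has nothing to do with whether the signature is trusted; only the internal root being in the end user's Trusted Root store does, so an executable signed this way still triggers the IE warning on any machine outside the domain. Second, the exported .pfx is now the organization's signing identity protected by nothing but its password; treat it like a private key, and prefer form (b), or a key held in an HSM, over handing the file around.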





SCCM Mixed to Native Mode Migration

24 04 2010

I recently worked with a client to migrate their SCCM 2007 SP2 R2 enterprise to Native Mode. Performing this migration let me focus my attention on PKI, as 4 certificates had to be created for this process to complete securely. Here are the steps I took and the links to the instructions. There are many different scenarios to choose from; as a cost-saving measure, we decided to allow communication through both firewalls. In this case we allowed HTTP and HTTPS traffic to the MP and DP but were able to create an SSL bridge using their ISA box, so not only do you need to have the correct cert installed on your client, you also need to be a domain computer. Great learning experience, and I'd like to thank the folks on the Microsoft forums, especially Carol Bailey.

Native Mode Migration

1. Prereqs for Native Mode

http://technet.microsoft.com/en-us/library/bb680464.aspx

2. Certificate requirements

http://technet.microsoft.com/en-us/library/bb680733.aspx

3. Supported Scenarios for Native Mode

http://technet.microsoft.com/en-us/library/bb693824.aspx

4. Determine Admin roles for each department

http://technet.microsoft.com/en-us/library/bb694253.aspx

5. Create certificates

http://technet.microsoft.com/en-us/library/bb694035.aspx (Server 2003 CA)

http://technet.microsoft.com/en-us/library/cc872789.aspx (Server 2008 CA)

Don't forget to add the Web Site cert to the WSUS Custom Website.

If the client has ISA, a 4th cert is used on the ISA box for client authentication for SSL bridging (add the cert to the Microsoft Firewall service store). http://technet.microsoft.com/en-us/library/cc707697.aspx

6. Verify Clients are ready for Native Mode

http://technet.microsoft.com/en-us/library/bb680986.aspx

7. Ensure migration to Native mode checklist has been followed

http://technet.microsoft.com/en-us/library/bb632727.aspx

8. Change mode to Native (reboot required)

http://technet.microsoft.com/en-us/library/bb680769.aspx

9. Import root CA for OSD

http://technet.microsoft.com/en-us/library/bb632596.aspx

10. Enable/disable CRL

http://technet.microsoft.com/en-us/library/bb680540.aspx

11. Configure HTTP for roaming and client assignment

http://technet.microsoft.com/en-us/library/bb694220.aspx

12. If your client cert is not in the Personal store, follow this procedure

http://technet.microsoft.com/en-us/library/bb632622.aspx

13. If you are using multiple client certificates, configure SCCM to use the correct one

http://technet.microsoft.com/en-us/library/bb632376.aspx

14. Ensure Native Mode migration completed successfully

http://technet.microsoft.com/en-us/library/bb694287.aspx

15. Configure MP for IBC (Internet-based client management)

http://technet.microsoft.com/en-us/library/bb693517.aspx

16. Configure DP for IBC

http://technet.microsoft.com/en-us/library/bb632488.aspx

17. Configure FBSP for IBC

http://technet.microsoft.com/en-us/library/bb680746.aspx

18. Prepare SUP for SSL

http://technet.microsoft.com/en-us/library/bb633246.aspx

19. Configure SUP for IBC

http://technet.microsoft.com/en-us/library/bb694182.aspx

20. Test MP communication through the firewall(s)
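The client-side checks behind steps 6, 12, 13 and 20, as an added example that is not part of the original post or of the linked TechNet pages. The management point name mp01.corp.example, the root CA subject "CN=Corp-Root-CA, DC=corp, DC=example" (the root you select in the site's native mode settings) and the use of the MP's standard mplist test URL over HTTPS are assumptions; Invoke-WebRequest -Certificate needs PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Assumed: management point
# mp01.corp.example and root CA subject "CN=Corp-Root-CA, DC=corp, DC=example".
$mp        = 'mp01.corp.example'
$rootCA    = 'CN=Corp-Root-CA, DC=corp, DC=example'
$clientEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Steps 6/12/13: the client needs a certificate with a private key, the Client
# Authentication EKU and a chain that ends in the native mode root. With more
# than one candidate (step 13) this picks the first that chains correctly.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $clientEku }

$clientCert = $null
foreach ($c in $candidates) {
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'      # matches CRL checking enabled in step 10
    if ($chain.Build($c)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Subject -eq $rootCA) { $clientCert = $c; break }
    }
}
if (-not $clientCert) { throw "no Client Authentication cert chaining to $rootCA in LocalMachine\My" }
"Client cert: $($clientCert.Subject)  thumbprint $($clientCert.Thumbprint)  expires $($clientCert.NotAfter)"

# The root must be in Trusted Root as well. Domain members receive it through
# Group Policy or AD publication; workgroup and Internet clients need it imported.
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $rootCA })) {
    Write-Warning "root $rootCA is missing from LocalMachine\Root"
}

# Step 20: reach the MP through the firewall / ISA SSL bridge over HTTPS,
# presenting the client certificate. mplist is the MP's standard test URL; a
# 403 here usually means the bridge or MP rejected the client certificate.
try {
    $resp = Invoke-WebRequest -Uri "https://$mp/sms_mp/.sms_aut?mplist" `
                              -Certificate $clientCert -UseBasicParsing
    "MP answered $($resp.StatusCode); mplist body follows:"
    $resp.Content
} catch {
    throw "MP test failed: $($_.Exception.Message)"
}
```

Run this from a client that sits on the far side of the firewall. A certificate that chains correctly but returns 403 from the MP points at the ISA bridge or the MP's certificate selection, not at the client; a chain that fails to build with RevocationMode set to Online but succeeds with NoCheck points at a CRL distribution point that is not reachable through the firewall.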
