Creating your own code signing certificate on a smartcard without an internal PKI
By Fredrik "DXter" Jonsson
Okay, I must admit one thing: even I can use self-signed certificates sometimes!
However, people usually associate the term "self-signed certificate" only with server authentication for SSL/HTTPS, without considering that a self-signed certificate can be used for basically any purpose, as long as the system regards it as trusted and valid.
Sometimes a self-signed certificate can actually be "good enough", a term I usually never use!
The question you should ask yourself, if there is only one code signer (which in Dalle's and my case is The PKI ToolBox Team), is:
"Why should we make, trust, manage and use an entire PKI structure when we only need to issue one certificate? Regardless of the solution, we need to distribute our root certificate to our users!"
I thought that a self-signed code signing certificate was actually good enough, provided that the private key was kept confidential and stored on a two-factor authentication token such as a smartcard, and that we were sure we only needed to issue a certificate for one identity.
1. First of all we need the .NET 2.0 SDK from Microsoft, since it includes makecert.exe, the tool we use to issue a self-signed certificate.
2. Makecert is located (on an x64 system) in c:\Program Files\Microsoft.NET\SDK\v2.0 64bit\Bin
3. From that folder, in a command prompt, run makecert with the following parameters:
makecert -r -a sha1 -n "E=firstname.lastname@domain.com,CN=Firstname Lastname" -eku 1.3.6.1.5.5.7.3.3 -ss My -sp "Microsoft Base Smart Card Crypto Provider"
-r creates a self-signed certificate.
-a The hash algorithm used for the certificate signature.
-n The subject name of the certificate holder (plus the e-mail address).
-eku Which EKU (Enhanced Key Usage) the certificate will carry. In our case we want 1.3.6.1.5.5.7.3.3, which specifies that this certificate is to be used for code signing.
-ss Which certificate store to use. We select our own personal certificate store.
-sp Which CSP to use. In this example we specify the Base CSP. (This requires a smartcard that uses the Base CSP. Otherwise, change it to your CSP!)
After we have entered our PIN for the smartcard, the key pair and certificate are created on the smartcard, and the certificate should already appear in the personal certificate store. Now we export the certificate using certmgr.msc (without the private key, of course) and save it to a file.
Then we import it again with certutil into the "Trusted Root Certification Authorities" and "Trusted Publishers" stores of the current user:
certutil -addstore -f -user -gmt -seconds -v root filename.cer
certutil -addstore -f -user -gmt -seconds -v TrustedPublisher filename.cer
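As an added check (an example script of mine, not part of the original post), the following PowerShell snippet verifies the result: it finds the certificate in the personal store by the CN given to makecert -n (assumed here to be "Firstname Lastname"), confirms it is self-signed with the code signing EKU, that its private key lives in the Base Smart Card CSP rather than a software key container, and that the same thumbprint is present in the user's Root and TrustedPublisher stores. It assumes Windows PowerShell 5.1 with the PKI module, which provides Test-Certificate.

```powershell
# Added example: verify the smartcard code signing certificate and trust stores set up above.
# Assumes Windows PowerShell 5.1 and the PKI module (Test-Certificate). $SubjectCN is the CN
# passed to makecert -n; 'Firstname Lastname' is the placeholder from the post, change it to yours.
param([string]$SubjectCN = 'Firstname Lastname')

$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$expectedCsp    = 'Microsoft Base Smart Card Crypto Provider'

# 1. Locate the certificate in the personal store (makecert -ss My) by CN and code signing EKU.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.Subject -like "*CN=$SubjectCN*" -and
        $_.EnhancedKeyUsageList.ObjectId -contains $codeSigningOid
    } | Select-Object -First 1
if (-not $cert) { throw "No code signing certificate with CN=$SubjectCN in Cert:\CurrentUser\My" }

# 2. makecert -r: a self-signed certificate has identical issuer and subject.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# 3. The key was generated through a legacy CSP (makecert -sp), so the PrivateKey property is
#    populated and names the provider. Any provider other than the smartcard CSP means the
#    private key ended up in a software key container on this machine.
$provider = $null
if ($cert.HasPrivateKey -and $cert.PrivateKey) {
    $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
}
$keyOnSmartCard = ($provider -eq $expectedCsp)

# 4. certutil -addstore root / TrustedPublisher: the same thumbprint must be in both stores.
$inRoot      = Test-Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
$inPublisher = Test-Path "Cert:\CurrentUser\TrustedPublisher\$($cert.Thumbprint)"

# 5. Let Windows build and validate the chain for the code signing EKU in the user context.
$chainOk = Test-Certificate -Cert $cert -EKU $codeSigningOid -User -ErrorAction SilentlyContinue

[pscustomobject]@{
    Thumbprint          = $cert.Thumbprint
    SelfSigned          = $selfSigned
    SignatureAlgorithm  = $cert.SignatureAlgorithm.FriendlyName   # sha1RSA with makecert -a sha1
    KeyProvider         = $provider
    KeyOnSmartCard      = $keyOnSmartCard
    InTrustedRoot       = $inRoot
    InTrustedPublisher  = $inPublisher
    ValidForCodeSigning = [bool]$chainOk
}
```

Every field in the output object should be true (or the expected name) on the machine where the import was done; run it on a second computer with the smartcard inserted to see which of the store checks fail there.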
That’s it and you are done!
However, I would also recommend you guys to use the "SCRoots Tool" from our PKI ToolBox to (with a nice GUI) also import the root certificate to your smartcard, so that you can always validate your certificate as trusted regardless of which computer the smartcard is connected to.
Good luck!
// Fredrik “DXter” Jonsson