How to make and apply a digital signature certificate

Tools that need to be prepared: makecert.exe, cert2spc.exe, pvk2pfx.exe, signtool.exe.

The Microsoft SDK 6.0 includes a certificate generation tool, makecert.exe. You can use this tool to generate certificates for testing.

The first step is to generate a self-signed root certificate (the issuer).

>makecert -n "CN=Root" -r -sv RootIssuer.pvk RootIssuer.cer

At this time, a prompt box will pop up. First, set a protection password for the private key in the RootIssuer.pvk file;

Then, enter the password again, and the private key (in the RootIssuer.pvk file) is used to encrypt the public key (in the RootIssuer.cer file).

The second step is to use this certificate to issue a sub-certificate (the subject).

>makecert -n "CN=Child" -iv RootIssuer.pvk -ic RootIssuer.cer -sv ChildSubject.pvk ChildSubject.cer

At this time, a prompt box will pop up. First, set a protection password for the private key file ChildSubject.pvk of this sub-certificate;

Then, enter the password of the sub-certificate's private key (in ChildSubject.pvk) to protect the sub-certificate's public key (in ChildSubject.cer).

Next, you will be prompted for the password of the root certificate's private key (in RootIssuer.pvk), which is used to issue the whole sub-certificate (public key plus subject information).

If you want to issue more sub-certificates, issue lower-level certificates from this certificate in the same way, provided that the ChildSubject certificate can itself be used for issuance (as an Issuer).

Remarks:

(1) If you need a key-exchange certificate for secure communication, add the option -sky exchange;

(2) If you need a signing certificate to sign certificates or binary files, add the option -sky signature;

(3) If you need a client certificate to identify yourself, or for personal information protection (e-mail), then the E field in option -n is indispensable.

Example: -n "CN=company name, E=E-MAIL address, O=organization name, OU=organization unit, C=country, S=province (state), P=county"

Other auxiliary tools:

1) cert2spc.exe: converts a public key certificate to SPC format.

>cert2spc TestRoot.cer TestRoot.spc

.spc means Software Publisher Certificate.

2) pvk2pfx.exe: combines the public key certificate and the private key into a single certificate file in PFX format.

>pvk2pfx -pvk TestRoot.pvk -spc TestRoot.spc -pfx TestRoot.pfx

Enter the protection password of TestRoot.pvk to merge the .pvk and .spc files. If you do not set a separate protection password for the resulting TestRoot.pfx, its protection password will be the same as that of the input file TestRoot.pvk. (Note: you can also pass the .cer file directly; obtaining the SPC file is not necessary.)

3) signtool.exe: signing tool.

Used for digitally signing binary files. A digital signature is a good way to ensure the integrity of a binary file.

The following command starts a file signing tool wizard with a graphical interface:

>signtool wizard

The following is a command line signature:

>signtool sign /f "The full path of the pfx file" /p "The protection password of the pfx file" /t "/scripts/timstamp.dll" /d "Description of this signature" "The full path of the program to sign"
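The whole procedure on this page, from the root certificate to the signed and verified binary, as one added batch script (not code from the original page). It assumes a Windows SDK command prompt newer than 6.0 where makecert supports -a sha256 and signtool supports /fd, that you type the same password into makecert's dialogs as in CHILD_PWD, and that TestApp.exe, the password and the timestamp URL are placeholders to replace.

```batch
@echo off
rem Added example, not from the original page. makecert still asks for the .pvk
rem passwords in dialog boxes; enter the value of CHILD_PWD for ChildSubject.pvk.
setlocal
set CHILD_PWD=CHANGE-ME-child-password
set TARGET=TestApp.exe

rem Step 1: self-signed root (issuer). -cy authority marks it as a CA certificate;
rem -a sha256 and -len 2048 avoid SHA-1 and 1024-bit keys; -e sets the expiry date.
makecert -n "CN=Root" -r -cy authority -a sha256 -len 2048 -e 12/31/2030 -sv RootIssuer.pvk RootIssuer.cer
if errorlevel 1 exit /b 1

rem Step 2: child signing certificate (subject) issued by the root.
rem -sky signature plus -eku 1.3.6.1.5.5.7.3.3 (code signing) restricts its use to signing;
rem -pe marks the private key exportable so pvk2pfx can build the PFX.
makecert -n "CN=Child" -iv RootIssuer.pvk -ic RootIssuer.cer -sky signature -eku 1.3.6.1.5.5.7.3.3 -pe -a sha256 -len 2048 -e 12/31/2028 -sv ChildSubject.pvk ChildSubject.cer
if errorlevel 1 exit /b 1

rem Step 3: bundle the child's certificate and private key into a PFX.
rem pvk2pfx accepts the .cer directly, so the cert2spc step is not required.
pvk2pfx -pvk ChildSubject.pvk -pi %CHILD_PWD% -spc ChildSubject.cer -pfx ChildSubject.pfx -po %CHILD_PWD%
if errorlevel 1 exit /b 1

rem Step 4: sign the binary. /fd sha256 selects the file digest; /t adds a timestamp
rem so the signature remains valid after the certificate itself expires.
signtool sign /f ChildSubject.pfx /p %CHILD_PWD% /fd sha256 /t http://TIMESTAMP-SERVER-PLACEHOLDER/ /d "Test build" %TARGET%
if errorlevel 1 exit /b 1

rem Step 5: verify with the Authenticode policy (/pa) and print the chain (/v).
rem A test root that is not in the machine's Trusted Root store is reported as an
rem untrusted chain here; that is the expected result for a test certificate.
signtool verify /pa /v %TARGET%
endlocal
```

The final verify step is the check worth keeping in a build script: a signature from a test chain must not be mistaken for one that production machines will trust.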