Create Certificate Request

Code signing requires a dedicated code signing certificate. This certificate is installed in the local Windows certificate store (e.g., the personal store of the signing user). To obtain an official code signing certificate from a certification authority, you first create a certificate signing request (CSR). An official certificate authority (e.g., VeriSign, Thawte, DigiCert) then issues and signs a certificate based on that request. If you do not need an officially signed certificate, you can instead have the request signed by an in-house certificate authority (e.g., a Microsoft Windows Server Certification Authority).

To create a code signing certificate request you first write a template file with the extension .inf. You then generate the certificate request from this template with Microsoft's certreq.exe utility.

Create a file called request.inf which contains, among other settings, the following information:

  • The subject details must include a 2-letter country code "C" and a common name "CN", which is typically your company name.

  • The key algorithm and key length as required (e.g., RSA with a 2048-bit key).

  • The name of the Cryptographic Service Provider. For use with CryptoServer this must be Utimaco CryptoServer Key Storage Provider.

  • Optionally a KeyContainer parameter that sets the key name inside the CryptoServer. This helps to distinguish several code signing keys from each other. If no KeyContainer is specified, a random name starting with CertReq is generated.

request.inf

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=YourCompany Code Signing,O=YourCompany,L=Aachen,C=DE"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Utimaco CryptoServer Key Storage Provider"
KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE
KeyUsageProperty = NCRYPT_ALLOW_SIGNING_FLAG
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code signing

It is important that the ProviderName is given as Utimaco CryptoServer Key Storage Provider. This makes certreq generate the key pair through the CryptoServer's CNG Key Storage Provider, so the private key belonging to the code signing certificate is created and kept inside the CryptoServer. Keep Exportable = FALSE: the key is then created without the export flag, and the certificate store holds only a reference to the key in the CryptoServer.

  1. Open a command prompt.

  2. Change to the directory where you have saved the request.inf file.

  3. Execute the following command. If you want to review the actions the command performs on the CryptoServer for debugging purposes, enable logging in the CNG configuration file beforehand.

›_ Console

C:\>certreq -new request.inf request.req

CertReq: Request Created

certreq creates the certificate request file request.req, which can either be sent to an official certificate authority or be signed by your in-house certificate authority. The private key never leaves the CryptoServer; only the request (containing the public key) is handed to the CA.

If you are using Smartcard Authentication, the prompt appears on the PIN Pad device: insert the smartcard, enter the PIN and press the OK button on the PIN Pad.
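The whole procedure above (template file, certreq, and the checks a practitioner wants before shipping the request to a CA), as an added PowerShell example. This is not code from the Utimaco documentation; it assumes certreq.exe and certutil.exe are on the PATH, that the Utimaco CryptoServer Key Storage Provider is installed, and that the subject, the KeyContainer name "CodeSigning-2024" and the file paths are placeholders to adapt.

```powershell
# Added example (not from the original page): write request.inf with an explicit
# KeyContainer, create the CSR with certreq, then verify the request and the key.
# Assumptions: certreq.exe/certutil.exe on PATH, Utimaco CryptoServer Key Storage
# Provider installed; subject, container name and paths are placeholders.

$Subject      = "CN=YourCompany Code Signing,O=YourCompany,L=Aachen,C=DE"
$KeyContainer = "CodeSigning-2024"        # assumed name; use one name per signing key
$InfPath      = Join-Path $PWD "request.inf"
$ReqPath      = Join-Path $PWD "request.req"

# Backticks keep "$Windows NT$" literal inside the expanding here-string.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Utimaco CryptoServer Key Storage Provider"
KeyContainer = "$KeyContainer"
KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE
KeyUsageProperty = NCRYPT_ALLOW_SIGNING_FLAG
HashAlgorithm = SHA256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code signing
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# certreq -new generates the key pair via the KSP (i.e. inside the CryptoServer)
# and writes a PKCS#10 request. Stop if it did not succeed.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check 1: the CSR carries the expected subject and the Code Signing EKU.
$dump = & certutil.exe -dump $ReqPath | Out-String
if ($dump -notmatch [regex]::Escape("1.3.6.1.5.5.7.3.3")) { throw "Code Signing EKU missing from CSR" }
if ($dump -notmatch "CN=YourCompany Code Signing")        { throw "Unexpected subject in CSR" }

# Check 2: the private key exists in the CryptoServer KSP under the chosen
# container (user context, because MachineKeySet = FALSE).
$keys = & certutil.exe -user -csp "Utimaco CryptoServer Key Storage Provider" -key | Out-String
if ($keys -notmatch [regex]::Escape($KeyContainer)) { throw "Key container '$KeyContainer' not found in CryptoServer KSP" }

Write-Host "CSR written to $ReqPath; private key held in CryptoServer container '$KeyContainer'"
```

Run it from the directory where request.inf should be created. The two checks are cheap and catch the common mistakes: a template without the EKU extension (the CA will issue a certificate you cannot sign code with) and a key that ended up in the Microsoft software KSP because the ProviderName was misspelled.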