A dedicated certificate is required for code signing. It is installed in the local Windows certificate store (e.g., the personal store). To obtain an official code-signing certificate from a certification authority, you first create a certificate signing request (CSR). A public certificate authority (e.g., VeriSign, Thawte, DigiCert) then creates and signs the certificate based on your request. If you do not need a publicly trusted certificate, you can use an in-house certificate authority (e.g., Microsoft Windows Server Certification Authority) instead.
To create a code-signing certificate request, first create an .inf template file. Then issue the certificate request based on this template with Microsoft's certreq.exe utility.
Create a file called request.inf, which should include, amongst others, the following information:
- The subject details must include a 2-letter country code (C) and a common name (CN), which may be your company name.
- KeyAlgorithm and KeyLength as required (e.g., RSA with a 2048-bit key). Note that publicly trusted CAs have required RSA keys of at least 3072 bits for code-signing certificates since June 2021 (CA/Browser Forum Code Signing Baseline Requirements), so check your CA's current minimum before generating the key; changing the key length later means generating a new key and a new request.
- The ProviderName, i.e. the name of the Cryptographic Service Provider (CSP) or Key Storage Provider (KSP). For use with CryptoServer, this must be Utimaco CryptoServer Key Storage Provider.
- Optionally a KeyContainer parameter to set the key name in the CryptoServer. This helps to distinguish several code-signing keys from each other. If no KeyContainer is specified, a random name is generated, starting with "CertReq".
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "CN=Utimaco Code Signing,O=Utimaco,L=Aachen,C=DE"
KeyAlgorithm = RSA
KeyLength = 2048
; FALSE: the private key can never be exported from the CryptoServer
Exportable = FALSE
; FALSE: key and certificate belong to the current user, not the machine store
MachineKeySet = FALSE
; the KSP that generates and holds the key inside the CryptoServer
ProviderName = "Utimaco CryptoServer Key Storage Provider"
KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE
; restricts the key to signing operations
KeyUsageProperty = NCRYPT_ALLOW_SIGNING_FLAG
HashAlgorithm = SHA256
; name of the key inside the CryptoServer
KeyContainer = Authenticode_CLI_Key
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing
It is important that the ProviderName is given exactly as Utimaco CryptoServer Key Storage Provider. This makes certreq generate the key pair inside the CryptoServer and links the code-signing certificate to the private key held there. With Exportable = FALSE the private key never leaves the CryptoServer; only the certificate request (public key and subject) is written to disk.
- Open a command prompt.
- Change to the directory where you have saved the request.inf file.
- Execute the following command. If you would like to review the actions of the command on the CryptoServer for debugging purposes, enable logging in the CNG configuration file first.
certreq -new request.inf request.req
Certificate request created
certreq creates the certificate request file request.req, which can either be sent to an official certificate authority or be signed with your in-house certificate authority.
If you are using smartcard authentication, the PIN pad device prompts you to insert the smartcard and enter the PIN. Then press the OK button on the PIN pad.
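The procedure above as a single PowerShell script, added here as a worked example; it is not part of the Utimaco documentation and not Utimaco's code. It writes the request.inf template shown above, runs certreq, and then checks two things a practitioner wants confirmed before sending the request to a CA: that the request carries the intended subject and Code Signing EKU, and that the private key was created in the Utimaco KSP under the chosen KeyContainer name rather than in a software provider. It assumes certreq.exe and certutil.exe are on the PATH and the CNG provider is installed; the CA configuration string in the optional last step is hypothetical.

```powershell
# Added example, not from the original documentation. Assumptions: certreq.exe
# and certutil.exe on PATH, Utimaco CNG provider installed, $CaConfig is a
# hypothetical "CAHOST\CA Name" string used only for an in-house Windows CA.
$ErrorActionPreference = 'Stop'
$ProviderName = 'Utimaco CryptoServer Key Storage Provider'
$KeyContainer = 'Authenticode_CLI_Key'
$InfPath      = Join-Path $PWD 'request.inf'
$ReqPath      = Join-Path $PWD 'request.req'

# 1. Write the template from the section above. "$Windows NT$" must be
#    escaped so PowerShell does not expand $Windows as a variable.
@"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=Utimaco Code Signing,O=Utimaco,L=Aachen,C=DE"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "$ProviderName"
KeyUsage = CERT_DIGITAL_SIGNATURE_KEY_USAGE
KeyUsageProperty = NCRYPT_ALLOW_SIGNING_FLAG
HashAlgorithm = SHA256
KeyContainer = $KeyContainer
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing
"@ | Set-Content -Path $InfPath -Encoding ASCII

# 2. Do not silently overwrite an earlier request.
if (Test-Path $ReqPath) { throw "$ReqPath already exists; remove it or choose another name." }

# 3. Generate the key in the CryptoServer and the PKCS#10 request on disk.
#    With smartcard authentication the PIN pad prompt appears here.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Inspect the request before sending it to the CA: subject RDNs and the
#    Code Signing EKU OID must be present in the certutil dump.
$dump = & certutil.exe -dump $ReqPath | Out-String
if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed with exit code $LASTEXITCODE" }
foreach ($expected in 'CN=Utimaco Code Signing', 'C=DE', '1.3.6.1.5.5.7.3.3') {
    if ($dump -notmatch [regex]::Escape($expected)) { throw "request does not contain '$expected'" }
}

# 5. Confirm the private key lives in the CryptoServer KSP under the chosen
#    container name. certutil -key -csp lists the key containers of that
#    provider for the current user (MachineKeySet = FALSE).
$keys = & certutil.exe -user -key -csp $ProviderName | Out-String
if ($keys -notmatch [regex]::Escape($KeyContainer)) {
    throw "key container '$KeyContainer' not found in provider '$ProviderName'"
}
Write-Host "Request $ReqPath created; private key '$KeyContainer' is held in the CryptoServer."

# 6. Optional, for an in-house Windows CA only: submit the request and install
#    the issued certificate into the current user's personal store, where it
#    is matched to the CryptoServer key by the public key. A public CA takes
#    the .req file through its own portal instead.
# $CaConfig = 'ca.example.internal\Example Issuing CA'   # hypothetical
# & certreq.exe -submit -config $CaConfig $ReqPath (Join-Path $PWD 'request.cer')
# & certreq.exe -accept (Join-Path $PWD 'request.cer')
```

Step 5 is the check worth keeping in a build pipeline: if someone edits the ProviderName, certreq will happily create a software key in the Microsoft provider and the script still "succeeds" until the container lookup against the Utimaco KSP fails.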