What am I doing wrong? Code-signing, exportable certificate on win2k8 std
Hi all, let's cut to the chase
<snipped>
Our domain is based on w2k8-standard.
We do a lot of coding, and so we wanted to sign our own certificates.
And so I issued myself a code-signing certificate.
But in order for my packaging module (PrimalScript) to pack .vbs files in a signed executable, it requires a .pfx file with the private key exported.
As you may know, one can easily edit the CA template for code-signing, such that the private key can be marked exportable. However, using custom certificates is limited to the w2k enterprise edition only.
What I wound up doing (based on a web guide I can no longer locate, and on this guide) is this:
- get makecert, place it on the DC which holds the CA role.
- use this syntax:
makecert -r -pe -n "CN=My User,OU=my ou,DC=my,DC=Domain,DC=local" -b 01/01/2011 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My -ir LocalMachine -is MY
If I now add this certificate to the "trusted publishers" container for all machines in my domain (using group policy) - well, it should work, right?
So is this just an elaborate way to bypass MS's limitation of editing the certificate template?
I did find that I can't renew this certificate - it says "erm, no template specified... can't."
Does anyone have any tips on this?
Do you find this useful?
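
An audit of the kind of certificate described in the post above, added here as an example (it is not part of the original post and not the poster's code). It lists code-signing certificates in the personal and Trusted Publishers stores and reports whether each is self-signed, how long it is valid, whether its private key is present and exportable, and whether it carries a certificate template extension. The function name `Get-CodeSigningCertReport` and the store list are assumptions chosen for illustration.

```powershell
# Added example. Function name and default store list are illustrative assumptions.
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'       # EKU passed to makecert in the post
$TemplateOids   = @(
    '1.3.6.1.4.1.311.20.2',                 # Certificate Template Name (v1 templates)
    '1.3.6.1.4.1.311.21.7'                  # Certificate Template Information (v2 templates)
)

function Get-CodeSigningCertReport {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My',
                                   'Cert:\LocalMachine\My',
                                   'Cert:\LocalMachine\TrustedPublisher'))
    foreach ($store in $StorePath) {
        if (-not (Test-Path $store)) { continue }
        foreach ($cert in Get-ChildItem -Path $store) {
            # Collect the EKU OIDs; skip certificates without the code-signing EKU.
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
                }
            }
            if ($ekus -notcontains $CodeSigningEku) { continue }

            # Exportable is only readable for CSP-backed keys; otherwise report 'unknown'.
            $exportable = 'n/a'
            if ($cert.HasPrivateKey) {
                $exportable = 'unknown'
                try {
                    $info = $cert.PrivateKey.CspKeyContainerInfo
                    if ($info) { $exportable = $info.Exportable }
                } catch { }
            }
            $hasTemplate = @($cert.Extensions |
                Where-Object { $TemplateOids -contains $_.Oid.Value }).Count -gt 0

            New-Object PSObject -Property @{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                NotAfter      = $cert.NotAfter
                LifetimeYears = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365, 1)
                HasPrivateKey = $cert.HasPrivateKey
                Exportable    = $exportable
                HasTemplate   = $hasTemplate
            }
        }
    }
}

Get-CodeSigningCertReport | Format-List
```

Entries under `TrustedPublisher` should show `HasPrivateKey = False`: establishing trust through Group Policy needs only the public certificate, so the .pfx with the private key stays on the signing machine.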