1

There is a great question and answer at the link below:

How do I create a self-signed certificate for code signing on Windows?

I am a little confused about the two procedures listed ((a)Creating a self-signed Certificate Authority and (b)Creating a code-signing (SPC) Certificate). Do we do a and then do b or is it an either or ?

Creating a self-signed Certificate Authority (CA)

makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer

Creating a code-signing (SPC) Certificate

makecert -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic MyCA.cer -iv MyCA.pvk -sv MySPC.pvk MySPC.cer

Community
  • 1
  • 1
Bill Greer
  • 3,046
  • 9
  • 49
  • 80

2 Answers2

1

Important disclaimer: This of course assumes that these certificates are for internal use only; if you wanted a code-signing certificate that would be trusted by customers, you would skip step (a) and pay an actual CA (one whose certs are already trusted by your customers) to sign your code-signing certificate for you.

You create a (self-signed) CA certificate first (a), then use it to sign your code-signing certificate (b).

You could skip step (a) and just create a self-signed code-signing certificate instead, but there are advantages to creating your own CA cert:

  • This more closely mirrors the setup you're likely to encounter "in the wild", where a code-signing cert (or pretty much any other kind) will be signed by a separate, trusted issuing certificate.
  • If you're generating more than one certificate and signing it with your CA cert, only one certificate (the CA) needs to be installed as "trusted root", and access to it can be better controlled. This limits the scope for misuse and the damage control you need to do in the event that your certificates have to be revoked.
anton.burger
  • 5,637
  • 32
  • 48
0

Why don't you try it? Or read the documentation.

The first command generates a Certificate Authority, which the other certificate is chained to. This is a so-called chain of trust, so if you trust the CA certificate, you trust all certificates built from that.

The second command does generate a certificate based on the CA certificate.

CodeCaster
  • 147,647
  • 23
  • 218
  • 272