Hello,
Can someone please help me with the following question.
I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
what I did.
1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
3: Took the came certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store the PC that will be running the signed code. This step was done so the user does not receive a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the way I sorted this at the time was to take the whole certificate as above and import to this store.
The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? in other words should I have imported the certificate 'minus its private key' into the trusted publishers store?
Also, I understand you have to have the certificate along with is private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example), is that correct i.e. is that what it mean to sign code?
if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value. Is this correct?
My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
if the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean which every computer I logon to in the domain I would have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense can this be done/is this done?
Basically I need to understand the above, in order to understand more about Crypto.
I also need create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating and AD account called 'XYZCorpCodeSigning' or what ever, and issuing a code singing cert to this entity. If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
I know there are several question above, but it would be great it they would be answered as I would help me understand more about how it all works and to solve a problem too
Thanks very much
AAnotherUser__
AAnotherUser__