Using a Custom Code Signing Certificate


Important: This topic is for advanced users who want to use a custom (non-default) certificate. If you only want to enable code signing with the default settings, it works out of the box; please check the main topic: Enabling code signing

It is possible to enable custom code signing by uploading your company's code signing certificate (also known as a Microsoft Authenticode certificate) to the ISL Conference Proxy and enabling the appropriate options. Executables downloaded from ISL Conference Proxy (e.g. ISL Light Desk, ISL Light Client etc.) will then be digitally signed with your certificate and carry your publisher name (e.g. MyCompany Ltd.).

The general procedure is described below. Please refer to your certificate provider's website for detailed instructions about verifying your identity, submitting your CSR and downloading the resulting certificate.

You will need two files:

  • your private key (you use this private key to generate a CSR for your certificate provider)
  • your code signing certificate (you get this file from your certificate provider as a reply to your CSR)


Useful OpenSSL conversion commands

Usually you receive a PKCS#7 file (often called SPC) from your certificate provider. This is your code signing certificate; save it as codesign-cert.p7b. You generated your private key when you generated your CSR; save it as codesign-key.pem and proceed to the next section.

In some cases you receive a PKCS#12 bundle (sometimes called PFX) from your certificate provider and this file contains both the private key and the certificate, so you will need to extract the private key and the code signing certificate from it before proceeding.

The easiest way to do this is through a series of OpenSSL commands (we refer to the bundle as codesign_bundle.pfx):

  1. Extract the private key from the bundle:
$ openssl pkcs12 -in codesign_bundle.pfx -out codesign-key.pem -nocerts
  2. Extract the code signing certificate from the bundle:
$ openssl pkcs12 -in codesign_bundle.pfx -out codesign-cert.pem -nokeys
  3. Convert the code signing certificate into PKCS#7 binary format (DER):
$ openssl crl2pkcs7 -certfile codesign-cert.pem -nocrl -outform DER -out codesign-cert.p7b

Now you have both required files and you can proceed with the steps below.


Private key

The private key file for ISL Conference Proxy (we will refer to it as codesign-key.pem in this example) needs to be in plain text (PEM format). If you open it with any text editor, you should see the following:

-----BEGIN RSA PRIVATE KEY-----
(... your private key ...)
-----END RSA PRIVATE KEY-----

You can check your private key with the following command:

$ openssl rsa -in codesign-key.pem -check -noout

It should output RSA key ok.

If your private key is protected by a passphrase, you will need to enter it later on in the ISL Conference Proxy settings.


Code signing certificate

The code signing certificate needs to be in PKCS#7 binary format (DER).

You can check the file with the following command:

$ openssl pkcs7 -in codesign-cert.p7b -inform DER -print_certs

It should output the appropriate subject and issuer and, below them, the certificate in PEM format:

subject=(... your code signing certificate subject ...)
issuer=(... info about the issuer ...)
-----BEGIN CERTIFICATE-----
(... your code signing certificate ...)
-----END CERTIFICATE-----

Important: If there is more than one certificate in your p7b file, please check that the first certificate in the list is your certificate (check the CN part of the subject line), not the certificate vendor's root or intermediate certificate. If your certificate is not the first, you will need to reorder the certificates. These are the steps:

Copy the output of the previous command into a new text file, then adjust the order of the certificates so that your certificate is placed first. Save this as codesign-cert-new.pem and then use the following OpenSSL command to convert it into the binary format (DER):

$ openssl crl2pkcs7 -certfile codesign-cert-new.pem -nocrl -outform DER -out codesign-cert.p7b

Check the new (reordered and converted) codesign-cert.p7b file:

$ openssl pkcs7 -in codesign-cert.p7b -inform DER -print_certs

If the first certificate in the output is your certificate, then you can proceed.
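The PFX extraction steps and the "is my certificate first?" check above, scripted with the openssl command line. This is an added example, not ISL Online tooling: it builds a constructed demo bundle (a throwaway "vendor CA" and a signer certificate named Example Signer Ltd, passphrase demo) so it runs offline; point prepare_files at your real codesign_bundle.pfx instead.

```shell
# Added example (not ISL Online tooling): turn a vendor PFX bundle into the two
# files the article needs, with the signer certificate first in the DER PKCS#7.
set -eu
# first_cert_cn P7B -> CN of the first certificate in a DER PKCS#7 file
first_cert_cn() {
    openssl pkcs7 -in "$1" -inform DER -print_certs |
        sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}
# key_status PEM -> "RSA key ok" when the private key passes openssl's checks
key_status() { openssl rsa -in "$1" -check -noout 2>/dev/null | head -n 1; }
# prepare_files PFX PASSPHRASE SIGNER_CN OUTDIR
#   writes OUTDIR/codesign-key.pem and OUTDIR/codesign-cert.p7b
prepare_files() {
    pfx=$1 pass=$2 cn=$3 out=$4
    # Private key as plain PEM; the second openssl pass strips the
    # "Bag Attributes" lines that pkcs12 prepends.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
        openssl rsa -out "$out/codesign-key.pem" 2>/dev/null
    # Every certificate in the bundle (signer plus vendor chain), one file each
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -out "$out/all.pem" 2>/dev/null
    awk -v d="$out" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/cert-" n ".pem"; p=1}
                     p{print > f} /-----END CERTIFICATE-----/{p=0}' "$out/all.pem"
    # Reorder so the certificate whose CN is the signer's comes first
    : > "$out/codesign-cert-new.pem"
    for f in "$out"/cert-*.pem; do
        case "$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)" in
            *"CN=$cn"*) cat "$f" "$out/codesign-cert-new.pem" > "$out/tmp.pem" ;;
            *)          cat "$out/codesign-cert-new.pem" "$f" > "$out/tmp.pem" ;;
        esac
        mv "$out/tmp.pem" "$out/codesign-cert-new.pem"
    done
    openssl crl2pkcs7 -certfile "$out/codesign-cert-new.pem" -nocrl \
        -outform DER -out "$out/codesign-cert.p7b"
    # Same check the article does by eye: the first subject must be the signer
    [ "$(first_cert_cn "$out/codesign-cert.p7b")" = "$cn" ] ||
        { echo "signer certificate '$cn' is not first in the PKCS#7 file" >&2; return 1; }
}
# Constructed demo input: a throwaway "vendor CA" and signer certificate bundled
# into a passphrase-protected PFX; use your real codesign_bundle.pfx instead.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Vendor CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Signer Ltd" \
    -keyout "$WORK/signer-key.pem" -out "$WORK/signer.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/signer-key.pem" -in "$WORK/signer.pem" \
    -certfile "$WORK/ca.pem" -passout pass:demo -out "$WORK/codesign_bundle.pfx"
prepare_files "$WORK/codesign_bundle.pfx" demo "Example Signer Ltd" "$WORK"
echo "key: $(key_status "$WORK/codesign-key.pem"); first cert: $(first_cert_cn "$WORK/codesign-cert.p7b")"
```

The resulting codesign-key.pem and codesign-cert.p7b in the work directory are the two files to upload in the next section.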

Once you have both files in the required format, you can upload them to the ISL Conference Proxy server.


Uploading certificate files to ISL Conference Proxy

The easiest way to get both files onto ISL Conference Proxy is to upload them to the private file storage by following these steps:

  1. Login to your ISL Conference Proxy administration (http://localhost:7615/conf).
  2. Go to Configuration -> Advanced -> File storage -> Private.
  3. Click Choose..., select the private key file and click Upload.
  4. Repeat step 3 for the code signing certificate file.
  5. Both files will be shown in the list below - upload complete.

Now you are ready to enable the code signing.


Enabling code signing

  1. Login to your ISL Conference Proxy administration (http://localhost:7615/conf).
  2. Go to Configuration -> Security.
  3. Scroll to the bottom, uncheck the checkbox in front of Use authenticode from license and change the setting to No.
  4. Scroll to the bottom, uncheck the checkbox in front of Authenticode enabled and change the setting to Yes.
  5. Uncheck the checkbox in front of Authenticode publisher certificate file (PKCS#7) and paste the appropriate file location - in this case: objects/codesign-cert.p7b
  6. Uncheck the checkbox in front of Authenticode private key file (PEM) and paste the appropriate file location - in this case: objects/codesign-key.pem
  7. If your private key is protected by a passphrase, click change next to Authenticode private key passphrase and enter the appropriate passphrase.
  8. Click Save to apply these settings.

Now you can proceed to testing.


Testing

Now you can test whether it works properly: download ISL Light Client (http://serveraddress:7615/start/ISLLightClient) and save it to your desktop. Right-click the executable and select Properties; you should see the Digital Signatures tab with details about the signature.

Important: If you get an internal server error when trying to download, then code signing failed. In that case please go back into settings and disable authenticode, then check both certificate files again and make sure they are in the correct format. If you are using an encrypted private key, please make sure the passphrase is set correctly.

If everything seems fine but it still does not work properly or if you get stuck at one of the steps, you can contact us via e-mail (support@islonline.com) or come to our live chat (at http://www.islonline.com/) and we will be glad to help.
