Self-cert for macros

* See 2020/11/new-selfsignedcertificate-pkiclient for the updated PowerShell version of this procedure (New-SelfSignedCertificate from the PKI module, which replaces makecert/pvkimprt).

http://www.source-code.biz/snippets/vbasic/3.htm


How to create a self-signed certificate that can be used to sign MS-Office VBA projects (Excel/Word macros) on multiple computers
Problem: When a certificate is created with selfcert.exe, its private key cannot be exported. The export wizard of the Windows certificate console says "the associated private key is marked as not exportable", so the certificate cannot be moved to a second computer for signing.
Solution version 1: Use makecert.exe with the "-pe" option to create and store the certificate with an exportable private key:
makecert -r -pe -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -ss My
Then you can export the certificate from the Windows certificate store, including the private key (as a PFX file).
Note: Old versions of makecert.exe do not support the "-pe" option. The .NET Framework SDK 2.0 and the October 2002 version of the Platform SDK (build 3718.1) contain a newer version of makecert.exe (5.131) that supports the "-pe" option.
(The .NET Framework SDKs 1.0 and 1.1 both contain old versions of makecert.exe that do not support the "-pe" option.)
Solution version 2: The following commands can be used to create a PFX file (PKCS #12) that contains a self-signed certificate together with the associated private key:
makecert -r -n "CN=Your Name" -b 01/01/2000 -e 01/01/2099 -eku 1.3.6.1.5.5.7.3.3 -sv selfcert.pvk selfcert.cer
cert2spc selfcert.cer selfcert.spc
pvkimprt -pfx selfcert.spc selfcert.pvk
The last command (pvkimprt -pfx) creates the file selfcert.pfx. This PFX file can then be imported into the Windows certificate store on any computer and used for code signing there. The EKU 1.3.6.1.5.5.7.3.3 given in both commands is the code-signing purpose; without it Office will not offer the certificate in the VBA "Digital Signature" dialog.
(makecert.exe and cert2spc.exe are part of several Microsoft SDKs, e.g. the Platform SDK or the .NET SDKs, which can be downloaded from microsoft.com. pvkimprt.exe can be downloaded individually from Microsoft.)
Two things to keep in mind with either version: Office only treats a macro signature as trusted on a machine where the signing certificate is in the Trusted Publishers store, and because the certificate is self-signed it must also be trusted as a root (Trusted Root Certification Authorities) there, since no issuer sits above it. And an exportable private key is what makes the multi-computer use possible, but it also means anyone who obtains the PFX can sign macros that every trusting machine will run without a prompt; protect the PFX with a strong password and hand out only the .cer (public part) to machines that merely need to trust the signature.
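The same procedure with the built-in PKI cmdlets that replaced makecert/pvkimprt, as an added example written for this page (it is not code from source-code.biz or from Microsoft's documentation). It creates the code-signing certificate with an exportable key, verifies the two things that go wrong in practice (missing code-signing EKU, non-exportable key), exports the PFX and the public .cer, and shows what the other machines have to import. The subject name, file paths and password prompt are placeholders; it needs Windows 10 / Server 2016 or later for the -Type parameter.

```powershell
# Added example: New-SelfSignedCertificate equivalent of
#   makecert -r -pe -n "CN=Your Name" -eku 1.3.6.1.5.5.7.3.3 -ss My
# Subject, paths and password are placeholders chosen for this example.
$subject = 'CN=Your Name'
$pfxPath = Join-Path $env:USERPROFILE 'selfcert.pfx'
$cerPath = Join-Path $env:USERPROFILE 'selfcert.cer'

# 1. Create a self-signed code-signing certificate in the user's My store.
#    -Type CodeSigningCert adds EKU 1.3.6.1.5.5.7.3.3; -KeyExportPolicy Exportable
#    is the equivalent of makecert's -pe (and is what selfcert.exe does not do).
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(5)

# 2. Check that the Enhanced Key Usage extension (OID 2.5.29.37) really contains
#    the code-signing purpose; Office will not offer the cert for VBA signing otherwise.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages
if (-not ($ekus | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    throw "Certificate $($cert.Thumbprint) lacks the code-signing EKU 1.3.6.1.5.5.7.3.3"
}

# 3. Check that the private key is exportable before trying to move it.
#    The default provider is CNG, whose RSACng.Key exposes the export policy.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
    if (($rsa.Key.ExportPolicy -band $allow) -eq 0) {
        throw 'Private key is not exportable; recreate the certificate with -KeyExportPolicy Exportable'
    }
}

# 4. Export the PFX (certificate + private key, password protected) for the signing
#    machines, and the public .cer for machines that only need to trust signatures.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Write-Host "Created $($cert.Thumbprint); PFX at $pfxPath, public cert at $cerPath"

# 5. On each other computer (run there, not here):
#    signing machines import the PFX into My; every machine that should accept the
#    macros without prompting imports the .cer into Trusted Publishers and, because
#    the certificate is self-signed, into Trusted Root as well.
# Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword
# Import-Certificate    -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\TrustedPublisher'
# Import-Certificate    -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root'
```

Only the .cer should travel to machines that merely consume the signed macros; the PFX goes to signing machines only, and the same trust caveat as for the makecert version applies: every machine that imports this self-signed certificate into Trusted Root and Trusted Publishers will run anything signed with the corresponding private key.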

---
MS MakeCert.exe command reference (the tool is not part of Windows; it has to be downloaded from Microsoft as part of an SDK)
https://msdn.microsoft.com/en-us/library/windows/desktop/aa386968(v=vs.85).aspx


MakeCert

The MakeCert tool creates an X.509 certificate, signed by the test root key or other specified key, that binds your name to the public part of the key pair. The certificate is saved to a file, a system certificate store, or both. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.
MakeCert is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/p/?linkid=84091.
The MakeCert tool uses the following command syntax:
MakeCert [BasicOptions|ExtendedOptions] OutputFile
OutputFile is the name of the file where the certificate will be written. You can omit OutputFile if the certificate is not to be written to a file.

Options

MakeCert includes basic and extended options. Basic options are those most commonly used to create a certificate. Extended options provide more flexibility.
The options for MakeCert are also divided into three functional groups:
  • Basic options specific to certificate store technology only.
  • Extended options specific to SPC-file and private key technology only.
  • Extended options applicable to SPC-file, private key, and certificate store technology.
Options given in the following tables can be used only with Internet Explorer 4.0 or later.
Basic options

  -a Algorithm
      Hash algorithm. Must be set to either SHA-1 or MD5 (default). Newer SDK releases of MakeCert also accept sha256; use that where available, since MD5 and SHA-1 are cryptographically broken. For information about MD5, see MD5.
  -b DateStart
      Date the certificate first becomes valid. The default is when the certificate is created. The format of DateStart is mm/dd/yyyy.
  -cy CertificateTypes
      Certificate type. CertificateTypes can be end for end-entity, or authority for certification authority.
  -e DateEnd
      Date when the validity period ends. The default is the year 2039.
  -eku OID1,OID2,...
      Inserts a list of one or more comma-separated enhanced key usage object identifiers (OIDs) into the certificate. For example, -eku 1.3.6.1.5.5.7.3.2 inserts the client authentication OID (1.3.6.1.5.5.7.3.3 is code signing). For definitions of allowable OIDs, see the Wincrypt.h file in CryptoAPI 2.0.
  -h NumChildren
      Maximum height of the tree below this certificate.
  -l PolicyLink
      Link to SPC agency policy information (for example, a URL).
  -m nMonths
      Duration of the validity period.
  -n "Name"
      Name for the publisher's certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format. For example: -n "CN=Test".
  -nscp
      The Netscape client authentication extension should be included.
  -pe
      Marks the private key as exportable.
  -r
      Creates a self-signed certificate.
  -sc SubjectCertFile
      Certificate file name with the existing subject public key to be used.
  -sk SubjectKey
      Location of the subject's key container which holds the private key. If a key container does not exist, one is created. If neither the -sk nor the -sv option is used, a default key container is created and used by default.
  -sky SubjectKeySpec
      Subject's key specification. SubjectKeySpec must be one of three possible values:
        • Signature (AT_SIGNATURE key specification)
        • Exchange (AT_KEYEXCHANGE key specification)
        • An integer, such as 3
      For more information, see the Note that follows this table.
  -sp SubjectProviderName
      CryptoAPI provider for subject. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.
  -sr SubjectCertStoreLocation
      Registry location of the subject's certificate store. SubjectCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.
  -ss SubjectCertStoreName
      Name of the subject's certificate store where the generated certificate will be stored (for example My).
  -sv SubjectKeyFile
      Name of the subject's .pvk file. If neither the -sk nor the -sv option is used, a default key container is created and used by default.
  -sy SubjectProviderType
      CryptoAPI provider type for subject. The default is PROV_RSA_FULL. For information about CryptoAPI provider types, see the CryptoAPI 2.0 documentation.
  -# SerialNumber
      Serial number of the certificate. The maximum value is 2^31. The default is a value generated by the tool that is guaranteed to be unique.
  -$ CertificateAuthority
      Type of certification authority. CertificateAuthority must be set to either commercial (for certificates to be used by commercial software publishers) or individual (for certificates to be used by individual software publishers).
  -?
      Displays the basic options.
  -!
      Displays the extended options.

Note  If the -sky key specification option is used in Internet Explorer version 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Because most users have either an AT_SIGNATURE key or an AT_KEYEXCHANGE key, this option does not need to be used in most cases.
The following options are only for Software Publisher Certificate (SPC) files and private key technology.

SPC and private key options

  -ic IssuerCertFile
      Location of the issuer's certificate.
  -ik IssuerKey
      Location of the issuer's key container. The default is the test root key.
  -iky IssuerKeySpec
      Issuer's key specification, which must be one of three possible values:
        • Signature (AT_SIGNATURE key specification)
        • Exchange (AT_KEYEXCHANGE key specification)
        • An integer, such as 3
      For more information, see the Note that follows this table.
  -ip IssuerProviderName
      CryptoAPI provider for issuer. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.
  -iv IssuerKeyFile
      Issuer's private key file. The default is the test root.
  -iy IssuerProviderType
      CryptoAPI provider type for issuer. The default is PROV_RSA_FULL. For information about CryptoAPI provider types, see the CryptoAPI 2.0 documentation.

Note  If the -iky key specification option is used in Internet Explorer 4.0 or later, the specification must match the key specification indicated by the private key file or private key container. If the key specification option is not used, the key specification indicated by the private key file or private key container will be used. If there is more than one key specification in the key container, MakeCert will first attempt to use the AT_SIGNATURE key specification. If that fails, MakeCert will try to use AT_KEYEXCHANGE. Because most users have either an AT_SIGNATURE key or an AT_KEYEXCHANGE key, this option does not need to be used in most cases.
The following options are for certificate store technology only.

Certificate store options

  -ic IssuerCertFile
      File that contains the issuer's certificate. MakeCert will search in the certificate store for a certificate with an exact match.
  -in IssuerNameString
      Common name of the issuer's certificate. MakeCert will search in the certificate store for a certificate whose common name includes IssuerNameString.
  -ir IssuerCertStoreLocation
      Registry location of the issuer's certificate store. IssuerCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.
  -is IssuerCertStoreName
      Issuer's certificate store that includes the issuer's certificate and its associated private key information. If there is more than one certificate in the store, the user must uniquely identify it by using the -ic or -in option. If the certificate in the certificate store is not uniquely identified, MakeCert will fail.
---
MakeCert is shipped as part of an SDK package (Windows SDK, Platform SDK or .NET Framework SDK), not with Windows itself.
-----

NOTE: POSSIBLE VALUES FOR THE -eku OPTION (constants from Wincrypt.h):
szOID_PKIX_KP                   "1.3.6.1.5.5.7.3"    (the id-kp arc itself, not a usable EKU value)
szOID_PKIX_KP_SERVER_AUTH       "1.3.6.1.5.5.7.3.1"  (TLS server authentication)
szOID_PKIX_KP_CLIENT_AUTH       "1.3.6.1.5.5.7.3.2"  (TLS client authentication)
szOID_PKIX_KP_CODE_SIGNING      "1.3.6.1.5.5.7.3.3"  (code signing; the one required for VBA macro signing)
szOID_PKIX_KP_EMAIL_PROTECTION  "1.3.6.1.5.5.7.3.4"  (S/MIME e-mail protection)


