0

I am new to certificates and I have a driver I have to digitally sign to test; otherwise Windows blocks it. I have created a self-signed test certificate for testing purposes using OpenSSL, using their provided tutorial.

I have installed the certificate to all of the Windows stores necessary for it to be trusted. After signing the driver file everything worked until I rebooted my PC; after that it says my certificate is no longer digitally signed due to this issue: A certificate's basic constraint extension has not been observed.

I thought it could be because my test certificate is no longer valid, so I created a new one: same issue, even before rebooting my PC. I have tried many options I can find in tutorials; I encounter the same issue, and I am not willing to buy a certificate just for a couple of tests.

What can I do to get past this issue? These are the basic constraints in my certificate: `Subject Type=CA`, `Path Length Constraint=None`

If you have a solution, please post me instructions on what I have to do step by step, I am new to OpenSSL and certificates.

Additional information:

This is the tutorial I've tried following when it all started, all other tutorials give me the same result/issue: CLICK ME (LINK)

This is an image of the issue: CLICK ME (LINK)

I don't have enough reputation to use embedded images.

jww
CodeMaster12

1 Answer

-2

Not using OpenSSL on Windows, but I know how to do this in PowerShell. Open PowerShell console and copy/paste the following command:

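```powershell
# Create a self-signed code-signing certificate in the current user's Personal store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=My Subject" `
    -CertStoreLocation cert:\currentuser\my `
    -KeyAlgorithm rsa `
    -Provider "Microsoft Enhanced Cryptographic Provider v1.0"

# Export the certificate and its private key to a password-protected PFX file.
# The c:\temp folder must already exist; replace the sample password with your own.
Export-PfxCertificate -Cert $cert -FilePath "c:\temp\mycert.pfx" -Password (ConvertTo-SecureString -String "Password" -Force -AsPlainText)
```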

This command will generate a self-signed certificate suitable for code signing purposes.

Crypt32
  • Go to `certmgr.msc`, expand Personal\Certificates, select your certificate, right-click All Tasks -> Export. Follow export wizard to export the certificate to PFX – Crypt32 Sep 21 '17 at 17:39
  • How can I generate a private key, certification, and pfx to a file? I never used a PowerShell before – CodeMaster12 Sep 21 '17 at 17:44
  • Thank you, I will mark this as an answer if I succeed – CodeMaster12 Sep 21 '17 at 17:46
  • see my update. Added a line that programmatically exports certificate to PFX file. When prompted, enter password to protect PFX. – Crypt32 Sep 21 '17 at 17:48
  • How do I specify valid from and valid to date? – CodeMaster12 Sep 21 '17 at 18:16
  • use `-NotBefore` and `-NotAfter` to specify cert validity. – Crypt32 Sep 21 '17 at 19:25
  • I am getting an error, "The string was not recognized as a valid DateTime", no matter what I do. This is what I have: `Get-Date -Date "1/1/2020"`. I have tried in various other ways as well, but I get the same error – CodeMaster12 Sep 21 '17 at 19:43
  • it depends on your regional settings. Some locales may use dots instead of slashes, or year in front (say, `2020/1/1`) or `1.1.2020` – Crypt32 Sep 21 '17 at 19:48
  • I am getting the same error no matter what, here is an image of my time and date format: http://prntscr.com/go29ey – CodeMaster12 Sep 21 '17 at 19:54
  • Here is what I got at the moment: http://prntscr.com/go2c3l – CodeMaster12 Sep 21 '17 at 19:59
  • wrap argument parameters in parentheses: `-NotBefore (Get-Date) -NotAfter (Get-Date -Date "1/1/2020")`. – Crypt32 Sep 21 '17 at 20:02
  • One last error in your piece of code that exports a certificate to a file: http://prntscr.com/go2gh0 – CodeMaster12 Sep 21 '17 at 20:09
  • see updated last line. – Crypt32 Sep 21 '17 at 20:14
  • It seems to be good but there is one more issue, it says its intended purpose is only for code signing, can you tell me how to make it for all purposes? – CodeMaster12 Sep 21 '17 at 20:21
  • Fixed it, it's now for all purposes. Thank you, if this works it will be marked as an answer. My signtool is a bit broken for some reason. – CodeMaster12 Sep 21 '17 at 20:31
  • Why do you need an "all purposes" certificate? – Crypt32 Sep 21 '17 at 20:32
  • Just to make sure everything is good, I am using this only for testing purposes. I am a professional high-level programmer, so I need everything available, especially during internal system development. Like I have said, I am new to certificates, so I need to make sure it will work. – CodeMaster12 Sep 21 '17 at 20:34
  • Thank you! I have used another signtool and it says the certificate is OK now! http://prntscr.com/go2yv2, you are a true expert at this. – CodeMaster12 Sep 21 '17 at 20:49
  • Update: It still says my driver is digitally unsigned for some reason, but the certificate is good to go now! – CodeMaster12 Sep 21 '17 at 20:58
  • He needs OpenSSL, not Windows tools: *"I have created a self signed test certificate for testing purposes using OpenSSL"*. – jww Sep 22 '17 at 00:23
  • Why does he need OpenSSL, since he is using Windows? – Crypt32 Sep 22 '17 at 04:28
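
Pulling the answer and its comment thread together, as an added example that is not part of the original answer or comments: it creates the test certificate with explicit validity dates built from `Get-Date` arithmetic (so no locale-dependent date string is parsed), prompts for the PFX password, and then prints the Basic Constraints and intended-purpose (EKU) extensions that the question and comments discuss. The helper name `Get-CertConstraintSummary`, the one-year validity and the `$env:TEMP` output path are assumptions.

```powershell
# Added example. Get-CertConstraintSummary is a hypothetical helper name;
# the subject, one-year validity and output path are placeholders.
function Get-CertConstraintSummary {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    # OID 2.5.29.19 = Basic Constraints, OID 2.5.29.37 = Enhanced Key Usage
    $bcRaw  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $ekuRaw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }

    $subjectType = 'extension absent'; $pathLength = 'extension absent'
    if ($bcRaw) {
        # Decode the raw extension so the CA flag and path length are readable.
        $bc = New-Object "$ns.X509BasicConstraintsExtension" -ArgumentList $bcRaw, $bcRaw.Critical
        $subjectType = if ($bc.CertificateAuthority) { 'CA' } else { 'End Entity' }
        $pathLength  = if ($bc.HasPathLengthConstraint) { $bc.PathLengthConstraint } else { 'None' }
    }
    $purposes = 'extension absent'
    if ($ekuRaw) {
        $eku = New-Object "$ns.X509EnhancedKeyUsageExtension" -ArgumentList $ekuRaw, $ekuRaw.Critical
        $purposes = ($eku.EnhancedKeyUsages |
            ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }) -join ', '
    }
    [pscustomobject]@{
        Subject              = $Cert.Subject
        NotBefore            = $Cert.NotBefore
        NotAfter             = $Cert.NotAfter
        SubjectType          = $subjectType
        PathLengthConstraint = $pathLength
        IntendedPurposes     = $purposes
    }
}

# Validity window computed from DateTime values, not from a date string.
$notBefore = Get-Date
$notAfter  = $notBefore.AddYears(1)
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject "CN=My Subject" `
    -CertStoreLocation cert:\currentuser\my `
    -KeyAlgorithm rsa `
    -Provider "Microsoft Enhanced Cryptographic Provider v1.0" `
    -NotBefore $notBefore -NotAfter $notAfter

# Prompt for the PFX password so it is not stored in the script or history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $env:TEMP 'mycert.pfx') -Password $pfxPassword

Get-CertConstraintSummary -Cert $cert | Format-List
```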