
Code Signing Certificate CSR questions

We've just bought a code signing certificate and now I'm about to create a CSR.

The documentation explains two scenarios: windows executables (https://uk.godaddy.com/help/windows-generate-csr-for-code-or-driver-signing-certificate-7282) and java (https://uk.godaddy.com/help/java-code-signing-generate-a-csr-4780) both of which assume you're running on Windows.

Question 1: 
I was under the impression that I would be able to use the same certificate to sign both windows exe files and Java JAR files. Is this a misunderstanding?

 

Question 2:

Both of the instructions above (Windows EXEs and Java JARs) note that it's important to create the CSR from the computer that will do the code signing. I'm confused here, why is that? I thought that you'd just get a signing cert/key in a PKCS12 file and you could use that on any computer you want. We will have to do the signing on a Mac (since we need to create a Mac installer and that only seems to be possible to do on a Mac) but there are no instructions on how to create the CSR on Mac. I'm hoping that this note about having to create the CSR on the signing computer is just wrong and that I can then use Linux (openssl) to create it even though the signing will be performed on a Mac computer eventually.

 

Question 3:
Are there any instructions on how to use Linux to generate a CSR for a code signing certificate that will be used to sign windows executables, Mac OSX dmg files and Java JAR files? Would something like this work: 

openssl req -new -keyout my-codesign.key -out my-codesign.req -config codesign.openssl.conf

Where my codesign.openssl.conf file looks like this:

# Code-signing certificate request

[ req ]
default_bits            = 4096                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha256                # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = yes                   # Prompt for DN
distinguished_name      = codesign_dn           # DN template
req_extensions          = codesign_reqext       # Desired extensions

[ codesign_dn ]
countryName             = "1. Country Name (2 letters) (eg, US)       "
countryName_max         = 2
stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
localityName            = "3. Locality Name            (eg, city)     "
organizationName        = "4. Organization Name        (eg, company)  "
organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
commonName              = "6. Common Name              (eg, full name)"
commonName_max          = 64

[ codesign_reqext ]
keyUsage                = critical,digitalSignature
extendedKeyUsage        = critical,codeSigning
subjectKeyIdentifier    = hash

(taken from http://pki-tutorial.readthedocs.io/en/latest/advanced/codesign.conf.html)

 

Could I send the my.req file from the above command to GoDaddy as a code signing certificate CSR and would that work for both Java JAR files as well as Windows EXE files?

 

1 REPLY 1
Moderator

Re: Code Signing Certificate CSR questions


Hey @StFS;

 

@StFS wrote:

Question 1: 
I was under the impression that I would be able to use the same certificate to sign both windows exe files and Java JAR files. Is this a misunderstanding?

 

You should be able to sign both Windows .exe and Java .jar files. Just be aware that the process for signing both will differ.

 

 

Question 2:

Both of the instructions above (Windows EXEs and Java JARs) note that it's important to create the CSR from the computer that will do the code signing. I'm confused here, why is that? I thought that you'd just get a signing cert/key in a PKCS12 file and you could use that on any computer you want. We will have to do the signing on a Mac (since we need to create a Mac installer and that only seems to be possible to do on a Mac) but there are no instructions on how to create the CSR on Mac. I'm hoping that this note about having to create the CSR on the signing computer is just wrong and that I can then use Linux (openssl) to create it even though the signing will be performed on a Mac computer eventually.

 

Our instructions assume for simplicity that when you generate the CSR, you're doing it from the same machine you're using to sign with because of the private key location. There are ways to do it from other machines. One method would be to take the file we give you (PEM) and your private key, then create the pkcs12 file and move them to your Mac in order to sign.

 

 

Question 3:
Are there any instructions on how to use Linux to generate a CSR for a code signing certificate that will be used to sign windows executables, Mac OSX dmg files and Java JAR files? Would something like this work: 

openssl req -new -keyout my-codesign.key -out my-codesign.req -config codesign.openssl.conf

Where my codesign.openssl.conf file looks like this:

# Code-signing certificate request

[ req ]
default_bits            = 4096                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha256                # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = yes                   # Prompt for DN
distinguished_name      = codesign_dn           # DN template
req_extensions          = codesign_reqext       # Desired extensions

[ codesign_dn ]
countryName             = "1. Country Name (2 letters) (eg, US)       "
countryName_max         = 2
stateOrProvinceName     = "2. State or Province Name   (eg, region)   "
localityName            = "3. Locality Name            (eg, city)     "
organizationName        = "4. Organization Name        (eg, company)  "
organizationalUnitName  = "5. Organizational Unit Name (eg, section)  "
commonName              = "6. Common Name              (eg, full name)"
commonName_max          = 64

[ codesign_reqext ]
keyUsage                = critical,digitalSignature
extendedKeyUsage        = critical,codeSigning
subjectKeyIdentifier    = hash

(taken from http://pki-tutorial.readthedocs.io/en/latest/advanced/codesign.conf.html)

 

Could I send the my.req file from the above command to GoDaddy as a code signing certificate CSR and would that work for both Java JAR files as well as Windows EXE files?

 


Ran this one by a member of our SSL team. The request above looks fine and should work for both Windows .exe and Java .jar files.

 

CG - GoDaddy | Community Moderator
24/7 support available at x.co/247support
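
The path described in the reply (create the CSR on Linux, then combine the issued PEM with the private key into a PKCS#12 file for the signing Mac), as an added example that is not part of the original thread or GoDaddy's documentation. The function names, DN values, passphrases and the self-signed stand-in certificate are constructed for illustration, and `prompt = no` replaces the interactive DN prompts of the posted config so the script runs unattended.

```shell
# Added example. Passphrases come from env vars KEY_PASS / P12_PASS, not argv.

make_csr() {  # $1 = output directory; DN values below are constructed
    cat > "$1/codesign.cnf" <<'EOF'
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = codesign_dn
req_extensions     = codesign_reqext
[ codesign_dn ]
countryName        = GB
organizationName   = Example Ltd
commonName         = Example Ltd
[ codesign_reqext ]
keyUsage           = critical,digitalSignature
extendedKeyUsage   = critical,codeSigning
EOF
    openssl req -new -newkey "rsa:${KEY_BITS:-4096}" -config "$1/codesign.cnf" \
        -keyout "$1/my-codesign.key" -passout env:KEY_PASS \
        -out "$1/my-codesign.req" 2>/dev/null
}

csr_requests_codesigning() {  # $1 = CSR; true if it asks for the codeSigning EKU
    openssl req -in "$1" -noout -text | grep -q 'Code Signing'
}

key_matches_cert() {  # $1 = private key, $2 = certificate (PEM)
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

make_p12() {  # $1 = key, $2 = issued certificate, $3 = PKCS#12 to write
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -passin env:KEY_PASS -in "$2" \
        -name codesign -out "$3" -passout env:P12_PASS
}

demo() {  # full run; the self-signed cert stands in for the CA's PEM reply
    d=$(mktemp -d) || return 1
    export KEY_PASS='constructed-key-pass' P12_PASS='constructed-p12-pass'
    make_csr "$d" && csr_requests_codesigning "$d/my-codesign.req" || return 1
    openssl x509 -req -in "$d/my-codesign.req" -signkey "$d/my-codesign.key" \
        -passin env:KEY_PASS -days 1 -out "$d/issued.pem" 2>/dev/null || return 1
    make_p12 "$d/my-codesign.key" "$d/issued.pem" "$d/codesign.p12" || return 1
    openssl pkcs12 -in "$d/codesign.p12" -passin env:P12_PASS -nokeys 2>/dev/null | grep -q CERTIFICATE
}

if [ "${1:-}" = demo ]; then demo; fi
```

In the real flow, `make_p12` takes the PEM file returned by the CA in place of the stand-in, and only the resulting `.p12` needs to be copied to the signing Mac.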