A couple of issues popped up while trying to accomplish this. The default code signing template in our Windows 2003 Standard CA didn't allow you to export the private key. I found a MS blog that gave instructions for creating a copy of the code signing template and allowing it to export private keys, but when we did this we noticed that it only supported Windows 2003 Enterprise CAs. Rather than deploying another server, I called MS support and they were able to help me manually create the certificate through the command line. Here are the steps we used:
1. Create a document called request.inf and place the following code in the file (filling it in with the appropriate info for your org):
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=server.yourdomain.com" ; must be the FQDN of domain controller
EncipherOnly = FALSE
Exportable = TRUE ; TRUE = Private key is exportable
KeyLength = 1024 ; Common key sizes: 512, 1024, 2048,
; 4096, 8192, 16384
KeySpec = 1 ; Key Exchange
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3 ; Code Signing

[RequestAttributes]
CertificateTemplate = codesigning ; Omit line if CA is a stand-alone CA
2. On your CA server, open a command prompt and issue the following commands:
certreq -new c:\request.inf c:\new.req
certreq -submit c:\new.req
3. You will be prompted to choose your CA and then to save the certificate. Once it is saved, run the following command:
certreq -accept c:\codesigning.cer
You should now have a certificate with private key that you can use wherever you like.
Install the Cert locally on the CA, then open certmgr.msc, export the cert with private key to a P7B file. This can then be provided to your code monkeys to do with what they will.
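To confirm the result of the steps above before handing the certificate out, the following added example (not part of the original post or of Microsoft's instructions) reports whether the issued certificate has a private key, carries the Code Signing EKU, and what its key size is. It assumes the certificate landed in the current user's Personal store and reuses the placeholder subject from request.inf; the function name Test-CodeSigningCert is hypothetical.

```powershell
# Added example: inspect the certificate that "certreq -accept" installed.
# Assumption: request.inf has no MachineKeySet line, so the certificate is in
# the current user's Personal store (the one certmgr.msc shows).
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'          # standard Code Signing EKU OID
$SubjectFilter  = 'CN=server.yourdomain.com'   # placeholder subject from request.inf

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect the OIDs listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Public key size in bits; RSA only, which is what request.inf asks for.
    $keyBits = $null
    try { $keyBits = $Cert.PublicKey.Key.KeySize } catch { }

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        CodeSigning   = ($ekuOids -contains $CodeSigningOid)
        KeyBits       = $keyBits
        Expired       = ($Cert.NotAfter -lt (Get-Date))
    }
}

# Report on every certificate in the store whose subject matches the request.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$SubjectFilter*" } |
    ForEach-Object { Test-CodeSigningCert -Cert $_ } |
    Format-List Subject, Thumbprint, HasPrivateKey, CodeSigning, KeyBits, Expired
```

A certificate that shows HasPrivateKey or CodeSigning as False was not issued from the request as written and will not sign code.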