Thursday, January 7, 2010

Infopath code signing cert and Windows 2003 Standard CA

A developer where I work recently came to me for help generating a code signing certificate he could use in an Infopath 2007 form that he could then publish in our MOSS 2007 environment. We don't have the enterprise version of MOSS 2007 or we could just publish the Infopath form directly onto the sites without users needing the Infopath client installed.

A couple of issues popped up while trying to accomplish this. The default code signing template in our Windows 2003 Standard CA didn't allow you to export the private key. I found a MS blog that gave instructions for creating a copy of the code signing template and allowing it to export private keys, but when we did this we noticed that duplicating templates is only supported on Windows 2003 Enterprise CAs. Rather than deploying another server I called MS support and they were able to help me manually create the certificate through the command line. Here are the steps we used:

1. Create a file called request.inf and place the following in it (filling it in with the appropriate info for your org):

----------------------------------------

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=server.yourdomain.com" ; must be the FQDN of domain controller
EncipherOnly = FALSE
Exportable = TRUE   ; TRUE = Private key is exportable
KeyLength = 1024    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1         ; Key Exchange
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; Code Signing

[RequestAttributes]
CertificateTemplate = codesigning ; Omit line if CA is a stand-alone CA
SAN="dns=.yourdomain.com&dns=ldap.yourdomain.com"
------------------------------------------------------------------------------

2. On your CA server open a command prompt and issue the following commands:
               certreq -new c:\request.inf c:\new.req
               certreq -submit c:\new.req
3. You will be prompted to choose your CA and then to save the certificate. Once it is saved, run the following command:
               certreq -accept c:\codesigning.cer

You should now have a certificate with private key that you can use wherever you like.

Install the Cert locally on the CA, then open certmgr.msc, export the cert with private key to a P7B file. This can then be provided to your code monkeys to do with what they will.
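As an added example (not part of the original post or of MS support's instructions), the PowerShell below scripts the same three certreq steps and then checks what the post relies on before the cert is handed out: that the issued certificate carries the Code Signing EKU and that its private key is actually exportable. It assumes an elevated prompt on a host that can reach the CA; $CaConfig and $Subject are placeholders, the SAN line is dropped because a code-signing cert has no use for DNS names, and KeyLength is raised to 2048.

```powershell
# Added example, not the post's own code. Placeholders to fill in for your environment:
$CaConfig = 'ca01.yourdomain.com\YourDomain-CA'   # "host\CA name" shown by certutil -dump
$Subject  = 'CN=InfoPath Forms Signing'            # name of the signer, not a server FQDN
$Work     = 'C:\certreq'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# INF mirroring the post's, minus the SAN line; $ in "$Windows NT$" is escaped for the here-string.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.3 ; Code Signing

[RequestAttributes]
CertificateTemplate = codesigning ; Omit line if CA is a stand-alone CA
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Same three certreq steps as the post; -config skips the interactive "choose your CA" prompt.
certreq -new    "$Work\request.inf" "$Work\new.req"
certreq -submit -config $CaConfig "$Work\new.req" "$Work\codesigning.cer"
certreq -accept "$Work\codesigning.cer"

# Verify: locate the cert certreq -accept installed (user store unless MachineKeySet was set).
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$Work\codesigning.cer"
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $issued.Thumbprint } | Select-Object -First 1
if (-not $cert) { throw 'Certificate was not installed by certreq -accept' }

$eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages
if (-not ($eku | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })) {
    throw 'Issued certificate lacks the Code Signing EKU; check the template and the INF'
}
if (-not $cert.HasPrivateKey) { throw 'No private key is bound to the certificate' }
# ProviderType 12 is a CSP key, so CspKeyContainerInfo reports whether the CA/template honoured Exportable = TRUE.
if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not exportable; the template overrode Exportable = TRUE'
}
"OK: $($cert.Subject) ($($cert.Thumbprint)) has the Code Signing EKU and an exportable private key"
```

If the exportability check fails, the key cannot be moved to the developer's machine no matter what certmgr.msc offers, so fix the INF or template and re-issue rather than handing out the cert.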

3 comments:

Jack said...

I need assistance for generating a code signing certificate that I could use in an Infopath 2007 form and that could be then published in our MOSS 2007 environment. Thanks for sharing the information here; it helped solve my problem.
digital signature autocad

P3 Connect said...

That's a brilliant solution to getting a CA for signing InfoPath forms! I wish I'd seen this before. I had been looking for instructions on how to create your own CA for a while.

I've just bought a third-party CA from Thawte and have posted my instructions on how to import/export and sign a form in 2010 on my blog if anyone is interested.

www.office365oz.blogspot.com.au

ICS Cyber Security said...

Thanks for posting this detail. It helped me a lot and saved me a lot of time and effort. I have been working on this module for many days now and was facing some issues, but now I think I can resolve them.
infopath signing