
Perhaps some of you have read about the service that the Polish company Certum offers to open source developers, an inexpensive code-signing certificate, in this article (if not, read it).
Unfortunately, some things in this world eventually become worse, or more expensive, or both. Certum's free service turned into a paid one (the certificate started to cost €14.00, and from February of this year €28.00), and on top of that the procedure for generating the key pair has changed this year. That is what I want to write about.
I have been using Certum certificates for a long time (since 2010) to sign my applications, but this year, for some reason, I needed a new certificate rather than a renewal of the previous one. Not suspecting any catch, I paid 14 euros via PayPal, filled out a questionnaire and sent scans of my documents (this time there was a bit more nagging, but everything was settled in the end), and activated the certificate via the web form on the Certum website (in Chrome). I was immediately puzzled by the fact that there was no prompt to generate a key pair. And, of course, the certificate issued to me did not contain a private key.
I confess right away that I am far from an information security specialist; previously the whole procedure went smoothly and receiving the .pfx certificate raised no questions (although I can't remember exactly now how it worked before). After contacting the support service, it turned out that the certificate must be installed / created only in Internet Explorer, and that a smart card is definitely required, accessed through the standard Windows subsystem (a standard smart card prompt dialog is displayed).

What a surprise! I had never personally dealt with smart cards before (apart from the badges used to enter the office). "Googling" gave me a bunch of articles full of incomprehensible abbreviations; to be honest, I really didn't want to dig into it, but I had to, at least a little. First it turned out that there seem to be virtual smart cards, built-in ones from Microsoft no less, but for them to work the TPM must be enabled on the computer (in the BIOS). I had no such setting on my BIOSTAR motherboard, probably because Secure Boot was not enabled (but I didn't experiment, so as not to lose all my data; maybe I'm wrong and the procedure is safe, but I follow the rule "if it works, don't touch it!"). The search for third-party solutions was also unsuccessful: the one that, according to its creators, should have worked in Windows 7 (I did not find a newer one) refused to work in Windows 10.
In the end, the problem was solved by buying this USB token from PIVKey (by the way, it cost me $9.52: I bought a used one, shipped from an Amazon warehouse).

I liked this token: it worked, as they say, "at half a kick" (though only after installing the minidriver and management utility from the manufacturer's website), and it went through the key generation procedure on the Certum website perfectly! By the way, this token has 30 slots for storing secret material (private keys and certificates) of 24 KB in size, and a 6-digit PIN code.
However, the private key cannot be exported from the token (which is probably correct), so to produce a key file for signing you will need to use the standard Windows procedure:
- install the certificate with the public key obtained from Certum
- insert the token into a USB port
- execute the following command: certutil -exportPFX -p [your_chosen_password] my "[certificate_serial_number]" [file_name].pfx
- enter the token PIN code (the factory default is "000000"; you can change it with the utility supplied by the manufacturer)
After that, the resulting certificate can be used to sign your programs through the Visual Studio IDE or through command line utilities (for example, signtool.exe). And yes, you still need the USB token plugged in every time.
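As an added example (these are not the author's commands, only an illustration of the same signing step in PowerShell), here is the whole signing flow driven from the Windows certificate store. It assumes signtool.exe from the Windows SDK is on PATH, the token's minidriver is installed, and the issued certificate has been imported into the current user's "My" store; the serial number, file name and the timestamp URL (http://time.certum.pl is given as an assumption, check your CA's own address) are placeholders. Because signtool can select the certificate by thumbprint and reach the private key on the token through the minidriver, the .pfx export is not strictly required for signing; the token still has to be present, and the script checks for that before calling signtool.

```powershell
# Added example (not from the original post): sign a binary with a Certum
# certificate whose private key lives on a USB token, straight from the
# Windows certificate store. Requires signtool.exe on PATH, the token's
# minidriver installed, and the certificate in Cert:\CurrentUser\My.
# All parameter values below are placeholders.

param(
    [Parameter(Mandatory)] [string] $SerialNumber,    # serial number of the Certum certificate (hex)
    [Parameter(Mandatory)] [string] $File,            # .exe / .dll / .msi to sign
    [string] $TimestampUrl = 'http://time.certum.pl'  # assumption: confirm your CA's timestamp server
)

$ErrorActionPreference = 'Stop'

# 1. Find the certificate in the current user's personal store by serial number.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.SerialNumber -ieq $SerialNumber.Replace(' ', '') }
if (-not $cert) { throw "No certificate with serial $SerialNumber in Cert:\CurrentUser\My" }

# 2. Check that Windows can see a private key for it. With the token and its
#    minidriver this is true only while the token is plugged in; with only the
#    public certificate imported, HasPrivateKey is $false and signing would fail.
if (-not $cert.HasPrivateKey) {
    throw "Certificate found, but no private key is available. Insert the USB token."
}

# 3. Sign. /sha1 selects the certificate by thumbprint from the store, so no .pfx
#    is needed; the minidriver prompts for the token PIN. /fd sha256 sets the file
#    digest, /tr and /td add an RFC 3161 timestamp so the signature remains valid
#    after the certificate itself expires.
& signtool.exe sign /v /sha1 $cert.Thumbprint /fd sha256 /tr $TimestampUrl /td sha256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify against the default Authenticode policy (/pa) to catch a broken chain
#    or a missing timestamp before shipping the file.
& signtool.exe verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

Write-Host "Signed and verified: $File"
```

Usage: `.\sign.ps1 -SerialNumber 1234ABCD -File .\MyApp.exe`. If you do go through the certutil -exportPFX step from the list above, the same script works unchanged, since it never touches the .pfx; the check in step 2 is also the quickest way to confirm that the token and its minidriver are actually being used rather than a certificate without a key.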
PS Perhaps information security specialists will smile at my naivety while reading this text, but my post is not intended for them. I just want to make life a little easier and save some time for open source programmers :)