How to attach a DigiCert Token certificate to exeutable

[Bart Kindt 5]

So I finally got a DigiCert certificate.

The hardware USB token is in the PC.

 

Now what??

I don't see any way to link my Windows program to this USB token in the IDE...

 

Okay, I now managed to export the Certificate to a file: It is a .cer file. It is not a text file.

But when I try to add a Certificate File in the IDE, it asks for a .pfx file (a Personal Information Exchange) file.

 

That looks to be something totally different.

 

Thanks, Bart

Edited December 1, 2023 by Bart Kindt
More information

[Lars Fosdal 1732]

According to some googling, there appears to be methods of converting a .cer file to a .pfx file.

[Kas Ob. 91]

6 hours ago, Bart Kindt said:

Now what??

I don't see any way to link my Windows program to this USB token in the IDE...

 

Okay, I now managed to export the Certificate to a file: It is a .cer file. It is not a text file.

But when I try to add a Certificate File in the IDE, it asks for a .pfx file (a Personal Information Exchange) file.

 

That looks to be something totally different.

First i suggest to make sure to understand the difference between formats so pfx and p12 are "almost" the same, but sure in 2023 should be the same, both are PKCS#12

https://en.wikipedia.org/wiki/PKCS_12

cer and der are more or less the same and they are PKCS#7

https://stackoverflow.com/questions/22743415/what-are-the-differences-between-pem-cer-and-der#22743616

https://en.wikipedia.org/wiki/PKCS_7

 

now after all that "may be" and "more and less", i highly recommend to use xca from https://hohnstaedt.de/xca/ this tool in my opinion is a must have to store and manage your certificates and private keys, it is portable and its DB is very secure, get familiar with it, and store your certificates there, but the most useful functionality is the ability to export what you have created or stored there, you have all the formats and many ways to export like protected with password or not, or with full chain or part of the chain ...

Very useful tool in case you don't have the time to search the net and use OpenSSL commands that is hard to remember, also easier and safer than storing your certificates in Windows Store (the certificate store), which might be useful in your case also, if you want an alternative to OpenSSL or xca, import using Windows Explorer double click then find it in certmgr (from run command), just remember that certmgr will open for current user, while running mmc (the console) then select "Add or Remove Snap-in" from there you can add Certificates which will allow to access Current User and Service Account and Computer Account, here Account used for Certificate Store, from there you can add/import and export any certificate (but always with private keys if the certificate was imported with non exportable key), also with less formats selection than XCA.

 

Hope that helps, and good luck !

[Angus Robertson 526]

ICS has a lot of tools for certificate manipulation, reading and writing different formats, so can convert between them, and can read and write to the Windows Store. 

 

The OverbyteIcsPemTool sample does all this, it has more features than the XCA tool.  A compiled version can be downloaded if you don't want to build it.  

 

Angus

 

[Kas Ob. 91]

22 minutes ago, Angus Robertson said:

The OverbyteIcsPemTool sample does all this, it has more features than the XCA tool.  A compiled version can be downloaded if you don't want to build it.  

That is pretty fucking neat ! and impressive !

 

The only thing is missing there is the ability to create CSR https://en.wikipedia.org/wiki/Certificate_signing_request or what i miss the most, the ability to create CSR from a certificate, this is very helpful when want extend your certificate with the same extensions and/or the same private key, very helpful with ACME and with code signing requests, not sure about the new modern model for code signing delivery though.

[Angus Robertson 526]

1 hour ago, Kas Ob. said:

ability to create CSR or what i miss the most, the ability to create CSR from a certificate

PemTool has both, two buttons, Create Request from Props and Create Request from Cert, the former uses properties from another tab, lots of them.

 

PemTool takes a while to understand, it is a development tool to test all the ICS certificate functions, and does not have a friendly GUI.   It only writes files, no database like XCA. 

 

There is a second sample OverbyteIcsX509CertsTst that orders Let's Encrypt certificates and includes an 'Own CA' allowing you to sign your own local certificates with a private CA.

 

Angus

 

[Angus Robertson 526]

Quote

So I finally got a DigiCert certificate. The hardware USB token is in the PC.

Is this a Code Signing certificate?  If so, you can not export the private key from the token, so no reason to export the certificate either.  

 

If not, why did Digicert supply it on a token?

 

Angus

 

[Bart Kindt 5]

3 hours ago, Angus Robertson said:

Is this a Code Signing certificate?  If so, you can not export the private key from the token, so no reason to export the certificate either.  

 

If not, why did Digicert supply it on a token?

 

Angus

 

Yes, it is a Code Signing certificate. I have to work my way through the other posts and software mentioned, but I also was thinking the same thing. The special software which I had to download (SafeNet Authentication Client, from Thales Group) to be able to manipulate the hardware token only has the option to "Install Certificate" which seems to be an "Import" not an export.

I have never done this in my live, and I would have expected that the IDE can be pointed to the actual hardware USB token to read the required Certificate data and to add this to the executable.

Why would I have to copy things to my local hard drive, why would I have to convert this file to yet another format, it does not many any sense! If it is copied onto my local drive, and the Hardware Token is not used at all, where is the security during final compilation??

 

Bart

[Vincent Parrett 657]

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

 

[Bart Kindt 5]

1 hour ago, Vincent Parrett said:

https://www.finalbuilder.com/resources/blogs/code-signing-with-usb-tokens

 

Good God. Well that explains a lot. 

In my case, the USB token is installed in my development laptop.

I do not have to use a 'remote USB',

So would I still have to use this VirtualHere software as mentioned in this link?

Somehow I need to link the Delphi IDE directly to the Token, and it expects .pfx file.

Not a .cer file. And the CE/EV  (Extended Validation) token is required to be installed during compilation. So the compiler can load the certificate.

I totally do not understand how this can be achieved in Delphi

 

I am an absolute beginner here, if somebody can show me the steps I have to take; And please *backwards*, starting with what I should enter in the Delphi IDE. Then following that, how the required file can be loaded, live, during compilcation, into the final executable, all while this requirement is met that the USB Token is in fact installed during the very compilcation process.

 

Thanks, Bart

[Vincent Parrett 657]

Just now, Bart Kindt said:

I do not have to use a 'remote USB',

So would I still have to use this VirtualHere software as mentioned in this link?

No, you only need to do that if the machine you are signing on is different to the one where the usb token is installed.

 

1 minute ago, Bart Kindt said:

Somehow I need to link the Delphi IDE directly to the Token, and it expects .pfx file.

pfx files are a thing of the past (except for self signed certificates), so forget about that bit. Do not expect the IDE to support code signing with tokens.

 

You need to understand how to call signtool.exe 

 

You could perhaps setup a post buld event for your project to do the signing - but bear in mind signing takes time so only add it to the release config.

 

Alternatively - (vendor plug) - use FinalBuilder to generate your release builds - in which case code signing is pretty easy.

 

 

[Angus Robertson 526]

Quote

pfx files are a thing of the past

I would dispute that statement, PFX or PKCS#12 are Microsoft's preferred format since they contain certificate, private key and intermediate certificates, so one file per host. 

 

Sure you can create PEM/CER bundles with a private key, but more than one certificate can confuse servers. 

 

But Apache does not support PFX, you have to use PEM, that is the main reason PFX is not often seen.

 

Angus

 

 

[Kas Ob. 91]

9 hours ago, Vincent Parrett said:

pfx files are a thing of the past (except for self signed certificates)

Me too like Angus, don't see this as thing from the past, on contrary i think it is the future and the only way forward with all new security measures the world need now.

 

PKCS#12/pfx is highly customizable format, securely design and very extendable, it can encapsulate PKCS#7 and PKCS#8 and most (usable part) of PKCS#5, as example PKCS#12 can hold a certificate/token to decrypt another PKCS#12, in my opinion this what should have been done with Code Signing Certificates, the issuer should have issued i hardware token for the client that passed their verification, then after that issued the certificate in PKCS#12 (as simple file) to be decrypted by that hardware key, that is way easier to use the encrypted certificate that can be handled in all your infrastructure safely, also there can be multiple token to decrypt the same certificate, also another important thing i see gaining necessity, the need to cross singing but more than one certificate, PKCS#12 allow that, also something like two people have to use their hardware security card to allow the singing, and all in standardized and vetted procedure.

[Vincent Parrett 657]

1 hour ago, Angus Robertson said:

I would dispute that statement, PFX or PKCS#12 are Microsoft's preferred format since they contain certificate, private key and intermediate certificates, so one file per host. 

In the context of code signing, where do you get a pfx these days?  the only certificates being issued are on tokens or HSM's, neither of which allow exporting the private key. We can debate the merits of the decisions taken with regards to the future of code signing but the reality is what we have in front of us right now... and that is what people are struggling with.

[Kas Ob. 91]

A question may me a little off topic

Did anyone tried https://www.nsoftware.com/pkiproxy ?

Quote

Hardware security modules (HSMs), file-based certificates (PFX files), ECDSA keys, and USB hardware tokens such as Yubikey or DigiCert tokens are all supported. 

 

[DelphiUdIT 132]

Why don't you use SIGNTOOL the free tool from Microsoft ? Look at: https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe

 

Edited December 2, 2023 by DelphiUdIT

[Angus Robertson 526]

Quote

In the context of code signing, where do you get a pfx these days?

You did not qualify your comment about PFX files only being useful for self signed certificates by mentioning code signing.  Not sure how useful self code signing would be. 

 

But you are correct, new code signing is all dongles, although my own Comodo PFX files still work fine with signtool:

 

signtool sign /p "xx" /f "c:\certificates\magenta-systems-certkey.pfx" /d "Copyright (c) 1998-2023 The OpenSSL Project" /as /fd sha256 /tr http://timestamp.sectigo.com /td sha256 "c:\svn-repos\signed-openssl\openssl-3.2.0-win32\libcrypto-3.dll"

 

That command only needs a minor change to make it useful a dongle certificate, assuming the drivers for the dongle are installed.

 

Angus

 

Edited December 2, 2023 by Angus Robertson

[David Champion 46]

Does anyone know if it is possible to convert the USB token to an ISO and then mount it on a build server ?

[Angus Robertson 526]

Quote

Does anyone know if it is possible to convert the USB token to an ISO and then mount it on a build server ?

No, because the HSM in the token has a program that takes data from the application, signs it with the private key in the HSM and returns a digest to the application as part of the signing process.  The whole point is the private key is not available outside the HSM so can not be copied.  

 

The HSM/token can be used remotely only if the data to be signed is passed to the PC/server with the HSM, and the digest returned to the originating PC.  

 

Angus

 

[Tom F 80]

It's not easy to figure out for newcomers, which I am. I struggled like you.  There are many different ways to use the key, so finding the right way for our simple need (no CI, no server, command line) was quite difficult for me.  Hopefully, this can help you:

Below are the batch file lines we use. I don't know how much of this applies to you. Paths, app exe filename and  ###  will of course be different. Tech Support at Sectigo provided great email support on the dongle/key I purchased from them.  (I split the single line below into 4 lines to avoid wordwrap on the forum. It's all one line

 

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign

/sha1 ############################

/tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "MyCompanyName, LLC"

"C:\Users\user1\Documents\Project1\bin\AppName.exe"

 

IF %ERRORLEVEL% NEQ 0 GOTO ERROR1

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" verify /pa "C:\Users\user1\Documents\Project1\bin\AppName.exe" 

The ### above is the thumbprint of the certificate fingerprint. It's found on the details tab as shown in the attached screen capture. (TBH, I can't recall where I found this screen, whether in the dongle app or a right-click on a certificate file or something.)



Something similar can be done in the INNO IDE and command line versions.
We have the dongle on a local machine.  We have to enter the token password once, the first time we run the above after booting that machine.
 

[Angus Robertson 526]

Not used the signcode /sha1 argument before, it is more common to use :

 

/a /s MY /n "Common name"   (this all replaces /f in my earlier example)

 

where /a automatically looks for a signing certificate, /s is the Windows store (MY is the name for Personal), and the Common Name is usually your company name, but whatever is shown on the General certificate dialog tab for 'Issued to', or CN= under Subject on the Details tab. 

 

Angus

 

[Bart Kindt 5]

1 hour ago, Angus Robertson said:

Not used the signcode /sha1 argument before, it is more common to use :

 

/a /s MY /n "Common name"   (this all replaces /f in my earlier example)

 

where /a automatically looks for a signing certificate, /s is the Windows store (MY is the name for Personal), and the Common Name is usually your company name, but whatever is shown on the General certificate dialog tab for 'Issued to', or CN= under Subject on the Details tab. 

 

Angus

 

What I don't understand is where the SignTool gets its access to the USB dongle to. From what I understand it must be installed for the signing to work.

So, it is installed. And the Background application SafeNet Authotication Client is also running.

So where in all the SignTool command line is the link to the actual USB dongle?

..........

 

Well, I will never know how it does it, but this command:

"signtool sign /a /fd SHA256 MyFile.exe"

simply worked... I had to enter the USB Token password, and that was all. Obviousely the signtool detects the presence of the Token, connects to it (God knows how) and retrieves the required data.

 

So last thing I now have to sort out is to program InnoSetup to also sign all executables inside the package, which seems to be possible.

Big thanks to all who replied, I learned a lot!

 

Bart, New Zealand

[Kas Ob. 91]

11 hours ago, Bart Kindt said:

What I don't understand is where the SignTool gets its access to the USB dongle to. From what I understand it must be installed for the signing to work.

So, it is installed. And the Background application SafeNet Authotication Client is also running.

So where in all the SignTool command line is the link to the actual USB dongle?

Windows has a specific infrastructure and interface to recognize standardized cryptographic service providers (CSP), it will initialize its own driver to communicate with it, notice that, USB specification has its own interface standard, meaning, an USB device can introduce itself to the host device as it designed to, (trying to simplify and yet it is sound bla bla bla, so sorry)

Let try again, a USB may be a keyboard and a soundcard and mp3 player at the same time in compliant with Windows default driver and also have thermostat ability but for this one you need the manufacturer driver, so what ever you USB hardware is or manufacturer was it might use the default Windows compliant driver with CSP interface !

 

USB (Universal Serial Bus) in fact is standard hardware communication protocol, and that it is, USB device can declare itself anything, and it can multiple devices with literally no limit to how many protocols or devices it can handle, impersonate, provide functionality to.

 

Fun fact: my android mobile is rooted, and i installed a Magisk module that allowed me to to boot my PC from the mobile using my Acronis ISO file, it booted beautifully !

Also you may have came across these 3G/4G USB modems where acted like read only (or readwrite) disk drive with the drivers for their custom modem, so plug them and an autorun will kick in the offer to install the modem driver if it is not present, if the driver is there it will run its modem UI.

 

So returning to the Microsoft CSP, a Windows compliant hardware token will be recognized and the driver will interact with it in standardized way, get the certificate(s) and manage the private key operation knowing it is there and unexportable and it is the device job to perform specific operation and get the result.

 

to read more https://learn.microsoft.com/en-us/windows/win32/seccrypto/csps-and-the-cryptography-process

Quote

These CSPs are independent modules. Ideally, CSPs are written to be independent of a particular application, so that any application will run with a variety of CSPs. In reality, however, some applications have specific requirements that require a customized CSP. This compares to the Windows GDI model. CSPs are analogous to graphics device drivers.

also this is more details on the design  https://learn.microsoft.com/en-us/windows/win32/seccrypto/cryptoapi-system-architecture

 

 

Hope that help and explain few things, and sorry for the English too.

[Angus Robertson 526]

Quote

sort out is to program InnoSetup to also sign all executables inside the package,

I have batch command files that handle all the signing, and then sign the final setup file, using InnoSetup pre and post compile steps.  Better to use CMD extension for Windows 11, BAT is deprecated. 

[PostCompile]
Name: "signsetup.bat"

[PreCompile]
Name: "compress.bat"

 

Angus

 

[Bart Kindt 5]

7 hours ago, Angus Robertson said:

I have batch command files that handle all the signing, and then sign the final setup file, using InnoSetup pre and post compile steps.  Better to use CMD extension for Windows 11, BAT is deprecated. 

[PostCompile]
Name: "signsetup.bat"

[PreCompile]
Name: "compress.bat"

 

Angus

 

That is not even required. I have now found Inno Setup does it all for you. We are getting way out of Delphi topic here, but this is what I now have in Inno Setup, and it does it all:

 

Tools>Configure Sign Tools:

signtool="C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\signtool" sign /a /fd SHA256 $f

 

[Setup]
SignTool=SignTool

 

[Files]
Source: "*.exe"; DestDir: "{userappdata}\SARTrack\exe"; Flags: recursesubdirs ignoreversion signonce
Source: "*"; Excludes: "*.exe"; DestDir: "{userappdata}\SARTrack\exe"; Flags: recursesubdirs ignoreversion

 

(where \SARTrack\exe is my destination dir)

 

This signs *all* executables, then it signs itself.