Self-signed certificate for MSI
Being a Computer Science student, I always try to find more about software and how things work.
While working on a project I came across the concept of Certification.
Intrigued by this, I wanted to make my own “Self-signed certificate”.
General Idea
Certificates are used for security: they authenticate a piece of software or a website and vouch for its credibility and trustworthiness.
Any general user who has used the internet knows that most websites start with https://
The 's' in it stands for Secure, and your browser knows this because the website has an SSL certificate. SSL certificates are small data files that digitally bind a cryptographic key to an organization's details.
What if we don't have one?
Well, if you visit a lot of websites and download a lot of software, you might already know what it looks like when software isn't backed by a certificate.
For Web
For PC
You may trust the software and be fine with downloading it to your system, but if the software doesn't have a digital signature (a.k.a. a signed certificate), this may show up on your system while installing the MSI.
This applies to any other software which doesn't have a certificate. Such software could be malicious, and our systems are designed to warn us about it.
Hence, a bit of caution is needed: only install software which the user can trust.
Making a Self-signed certificate
Well, honestly, it's really easy. It's just that without proper information it could take hours. So here are the 3 parts to making a self-signed certificate. These will be done on a Windows system. If you have any other OS like Linux or iOS, the steps will be the same.
Step 1) Install OpenSSL
Step 2) Follow the instructions to make a signed certificate
Step 3) Attach it using the Ksign software
Step 1: Install OpenSSL
For Windows you need to download it from here. See the install file, or follow this video for an easy install.
Step 2: Instruction to follow
Restart the cmd after each step!!
Step 1: Go to the folder you want to use for the certificate creation.
Step 2: Use this command "openssl genrsa -des3 -passout pass:x -out server.pass.key 2048". {x: is the password of your choice}. This will make a key that will be used to create your certificate.
Step 3: Use this command "openssl rsa -passin pass:x -in server.pass.key -out server.key". {x: is the password of your choice}. This is the second phase of the same key: it writes the key to server.key without the password protection.
Step 4: Use this command "openssl req -new -key server.key -out server.csr" and fill in the details, so that the certificate gets tied to the creator's details.
Step 5: Use this command "openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt". This step will give you your certificate.
Step 6: Install the certificate on the system. Now your system will consider any software that has this certificate as trusted software.
Step 7: Use this command "openssl pkcs12 -export -name servercert -in server.crt -inkey server.key -out myp12keystore.p12". This will make a P12 (PKCS#12) file, which can easily be used for signing the MSI/EXE installer.
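Steps 2 to 5 and 7 above as one non-interactive script that then checks what was produced, as an added example that is not part of the original post. The password, the -subj fields and the temporary directory are constructed values, and it assumes a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example, not the author's script. Constructed values: the password,
# the -subj fields and the temporary working directory.

# Steps 2-5 and 7 from the page, made non-interactive with -subj and -passout.
make_selfsigned() (          # $1 = work dir, $2 = password (the page's "x")
    cd "$1" || exit 1
    openssl genrsa -des3 -passout "pass:$2" -out server.pass.key 2048 2>/dev/null &&
    openssl rsa -passin "pass:$2" -in server.pass.key -out server.key 2>/dev/null &&
    openssl req -new -key server.key -out server.csr \
        -subj "/C=US/O=Example Org/CN=Example Installer Signing" &&
    openssl x509 -req -sha256 -days 365 -in server.csr \
        -signkey server.key -out server.crt 2>/dev/null &&
    openssl pkcs12 -export -name servercert -in server.crt -inkey server.key \
        -out myp12keystore.p12 -passout "pass:$2"
)

# SHA-256 fingerprint of the first PEM certificate on stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# Prints one line per check; exit status is non-zero if any check fails.
check_selfsigned() (         # $1 = work dir, $2 = password
    cd "$1" || exit 1
    rc=0
    subj=$(openssl x509 -in server.crt -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in server.crt -noout -issuer | sed 's/^issuer= *//')
    # Self-signed: issuer equals subject and the signature verifies under its own key.
    if [ "$subj" = "$iss" ] &&
       openssl verify -CAfile server.crt server.crt >/dev/null 2>&1
    then echo "self-signed: yes"; else echo "self-signed: no"; rc=1; fi
    # The certificate must carry the public half of server.key.
    if [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
         "$(openssl rsa -in server.key -pubout 2>/dev/null)" ]
    then echo "key matches cert: yes"; else echo "key matches cert: no"; rc=1; fi
    # The .p12 must hold this same certificate (compare fingerprints).
    p12=$(openssl pkcs12 -in myp12keystore.p12 -passin "pass:$2" -nokeys 2>/dev/null | fingerprint 2>/dev/null)
    if [ -n "$p12" ] && [ "$p12" = "$(fingerprint < server.crt)" ]
    then echo "p12 holds cert: yes"; else echo "p12 holds cert: no"; rc=1; fi
    # Step 3 leaves the private key on disk without password protection.
    grep -q ENCRYPTED server.key || echo "server.key: not password-protected"
    echo "fingerprint: $(fingerprint < server.crt)"
    exit "$rc"
)

work=$(mktemp -d) && make_selfsigned "$work" example-pass &&
    check_selfsigned "$work" example-pass
rm -rf "$work"
```

The printed fingerprint is the value to compare against the certificate shown in the system's certificate store after step 6.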
This step assumes you have an MSI/EXE; if you don't have one, you can make one using NSIS.
Step 3: Download Ksign
Ksign is free software that can be used to attach the certificate to the MSI/EXE installer file.
You can download it from here.
Just fill in the details, add the MSI/EXE file and click on Sign, and you have successfully made an installer with a self-signed certificate.
Extras
Self-signed certificates are not trusted by other machines, because what you have made has no public awareness and there is no way to tell whether it's actually trustworthy or not. Hence, self-signed certificates are used by companies within the company itself.
Otherwise you need to buy a trusted certificate from an organization which sells such certificates.
Although, you can get a somewhat trusted certificate for free from CAcert.
You may continue to gain more knowledge by visiting this web page.