How to Sign IEAK Files Using Microsoft Certificate Server
ID: Q193038
The information in this article applies to:
- Microsoft Internet Explorer Administration Kit versions 4.0, 4.01, 4.01a, and 4.01a SP1
SUMMARY
All cabinet (.cab) and executable (.exe) files that will be installed by
the Internet Explorer Setup program need to be signed before you run the
Setup program.
This article describes how to use the Microsoft Certificate Server,
included with the Microsoft Windows NT Option Pack, to sign the files.
MORE INFORMATION
To use Microsoft Certificate Server to sign IEAK files, perform the
following steps:

1. If the Microsoft Certificate Server is not already installed, run the
   Windows NT 4.0 Option Pack Setup program to install it.

2. Use Certificate Server to create the public (certificate) and
   private keys needed to sign the files by performing the following steps:

   a. Open http://<WebServer>/CertSrv/CertEnroll/default.htm in your
      browser (where <WebServer> is the name of the Web server that
      Certificate Server is installed on).

      NOTE: You can use if
      Certificate Server is installed on your local computer).

   b. Click "Request a Client Authentication Certificate," and then click
      the Advanced button.

   c. Under the Key Spec section, select Signature.

   d. Under the Properties section, select the following:

         Export Private Keys to File
         Allow Keys to be Exported
         Create a SPC file

   e. In the Usage list box, select Code Signing, and then click OK.

   f. When you are prompted to save the private key as a file (.pvk),
      type a path and file name for the private key, and then click OK.

   g. Complete the Certificate Enrollment Form, and then click the
      Submit Request button.

      NOTE: The name you provide in the Name field is what the IEAK
      wizard will display later when it lists the Trusted Publishers.

   h. When you are prompted, provide a password for the private key, and
      then click OK.

   i. When the following message is displayed in the browser, click the
      Download button:

         Certificate Download
         Your request has been successfully processed!
         Please click the Download button to obtain your new certificate.

   j. When you are prompted, provide the path and file name for the
      Software Publishing Certificate (.spc) file (also known as the
      public key), and then click OK.

   k. When the dialog box appears informing you that "Your new certificate
      has been successfully installed" and that you must install this
      Certificate Authority's Root Certificate, click OK.

3. Install the Certificate Authority's Certificate on your computer by
   doing the following:

   a. Open http://<WebServer>/certsrv/CertEnroll/cacerts (where
      <WebServer> is the name of the Web server that Certificate
      Server is installed on).

      NOTE: You can use http://localhost/certsrv/CertEnroll/cacerts.htm if
      Certificate Server is installed on your local computer).

   b. Click "Certificate for <WebServer>.."

   c. When you are prompted with the "What would you like to do with this
      file" message, select "Open this file from its current location,"
      and then click OK.

   d. In the New Site Certificate dialog box, accept the default settings
      (all check boxes selected), and then click OK.

   e. When you are prompted with the "Do you want to ADD the following
      certificate to the Root Store?" message, click Yes.

4. To add the new Certificate Authority's Certificate to the list of
   "Trusted Publishers" recognized by the IEAK wizard, perform the
   following steps:

   a. Copy the following files from the Ieak\Reskit\Addons\Tools folder
      into an empty folder:

         Signcode.exe (signing utility)
         Signer.dll (dependency file)
         Chktrust.exe (verifies signatures and optionally adds to the
         list of trusted publishers)

   b. Copy any available .exe or .cab file into the same folder.

   c. Copy the .pvk and .spc files created in step 2 into the same folder.

   d. At a command prompt, use the Signcode.exe utility to sign the .exe
      or .cab file copied to the folder in step b. For example, if
      Notepad.exe was copied to the folder, and the key names are
      Private.pvk and Public.spc, use the following:

         signcode -v private.pvk -spc public.spc notepad.exe

   e. When you are prompted, type the password you previously provided for
      the private key.

      Notes:
      - You cannot use the asterisk (*) as a wildcard character in the
        file name.
      - A time stamp is not required (-t switch for signcode.exe).

   f. At a command prompt, use the Chktrust.exe utility to check your
      signed file. For example, if a copy of Notepad.exe was signed, type
      the following:

         chktrust notepad.exe

   g. When you are prompted by "Do you want to select and run
      '<FileName>' signed on an unknown date/time and distributed by
      <CertificateName>," select the "Always trust content from
      <CertificateName>" check box, and then click Yes.

   h. Delete the signed file from the folder (so that it will not be
      accidentally included when you sign the IEAK wizard files in the
      next step).

5. Run the IEAK wizard to generate the Internet Explorer setup files.
   When you are prompted with the list of Trusted Publishers, select the
   one for the Certificate Authority that you created previously.

6. To use the Signcode.exe utility to sign all .exe and .cab files that
   will be installed by the Internet Explorer Setup program, perform the
   following steps:

   IMPORTANT: Be sure to track which files you copy to the folder
   containing Signcode.exe, so that you can return them to their original
   folder after they have been signed. Also, be sure NOT to include your
   .pvk or .spc files when you copy the signed files back to their
   original folder.

   a. Copy all unsigned .cab and .exe files into the folder containing
      Signcode.exe, Signcode.dll, and the .pvk and .spc files.

      Note: In addition to the files for any custom programs you specified
      while running the IEAK wizard, the following files must be signed:

         Branding.cab
         Desktop.cab
         Ie40cif.cab
         IE4setup.exe
         Folder<n>.cab
         Chl<xxxx>.cab

      For more information about which files need to be signed, go to the
      IEAK help Index, double-click the "Signing Programs" topic, and then
      view the "Signing your programs" subtopic.

   b. Sign all of the .cab and .exe files, and then copy them back into
      their original folder.
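
A check to run on the original folder once the signed files have been copied back, added here as an example (it is not part of the original article or of the IEAK tools): it reports any .pvk or .spc files that were copied along by mistake and any .exe whose PE Certificate Table is empty, meaning no signature was ever attached. The function names and the sample files are constructed for illustration; .cab files are not inspected, and trust is still verified with Chktrust.exe.

```python
import struct, tempfile
from pathlib import Path
KEY_SUFFIXES = {".pvk", ".spc"}  # signing material named on this page; must never ship
SECURITY_DIR = 4                 # index of the Certificate Table data directory

def pe_has_signature(data: bytes) -> bool:
    """True if the PE Certificate Table is non-empty (data attached, not validated)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew: offset of "PE\0\0"
    opt = pe + 24                                  # skip signature + 20-byte COFF header
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < opt + 2:
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)   # PE32 / PE32+
    if dirs is None or len(data) < dirs + 8 * (SECURITY_DIR + 1):
        return False
    count = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    return (count > SECURITY_DIR and offset > 0 and size > 0
            and offset + size <= len(data))  # for this entry, offset is a file offset

def audit_folder(folder):
    """Return (key_files, unsigned_exes) found in a distribution folder."""
    key_files, unsigned = [], []
    for path in sorted(Path(folder).iterdir()):
        suffix = path.suffix.lower() if path.is_file() else ""
        if suffix in KEY_SUFFIXES:
            key_files.append(path.name)
        elif suffix == ".exe" and not pe_has_signature(path.read_bytes()):
            unsigned.append(path.name)
    return key_files, unsigned

def constructed_pe(signed: bool) -> bytes:
    """Constructed sample: a minimal PE32 header, optionally with a dummy blob."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + b"\0" * 128
    image = bytearray(dos + b"PE\0\0" + b"\0" * 20 + opt)
    if signed:  # point the Certificate Table entry at 8 dummy bytes appended below
        struct.pack_into("<II", image, 0x40 + 24 + 96 + 8 * SECURITY_DIR, len(image), 8)
        image += b"\0" * 8
    return bytes(image)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in for the IEAK folder
        for name, body in [("IE4setup.exe", constructed_pe(True)),
                           ("Custom.exe", constructed_pe(False)), ("Private.pvk", b"x")]:
            Path(d, name).write_bytes(body)
        print(audit_folder(d))
```
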
NOTES:
- Corporate administrators may not want to generate a digital
  certificate to sign files, particularly on a (secure and local)
  intranet site. In that situation, Internet Explorer's security settings
  need to be set to allow unsigned files to be downloaded on the local
  intranet zone. For additional information about downloading unsigned
  .cab files, please see the following article in the Microsoft Knowledge
  Base:

     Q192472 Automatic Configuration Settings in Profile Manager Don't Work

- The MakeCert utility included in the Ieak\Reskit\Addons\Tools folder is
  primarily used for testing purposes. In a production environment, a
  valid certificate needs to be created using a full-fledged certificate
  product such as Microsoft Certificate Server. For more information
  about using MakeCert, Cert2SPC, and Signcode, go to the IEAK help Index,
  double-click the "Signing Programs" topic, and then view the "Using
  Tools to Sign and Test Code" subtopic.
Additional query words:
Keywords : ieak4.01aSP1
Version :
Platform : WINDOWS
Issue type : kbhowto
Last Reviewed: July 12, 1999