How to Sign IEAK Files Using Microsoft Certificate Server

• Microsoft Internet Explorer Administration Kit versions 4.0, 4.01, 4.01a, and 4.01a SP1

SUMMARY

All cabinet (.cab) and executable (.exe) files that will be installed by the Internet Explorer Setup program need to be signed before you run the Setup program.

This article describes how to use the Microsoft Certificate Server, included with the Microsoft Windows NT Option Pack, to sign the files.

MORE INFORMATION

To use Microsoft Certificate Server to sign IEAK files, perform the following steps:

1. If the Microsoft Certificate Server is not already installed, run the Windows NT 4.0 Option Pack Setup program to install it.



2. Use Certificate Server to create the public (certificate) and private keys needed to sign the files by performing the following steps:
   
   
   1. Open http://<WebServer>/CertSrv/CertEnroll/default.htm in your browser (where <WebServer> is the name of the Web server that Certificate Server is installed on).
      
      NOTE: You can use if Certificate Server is installed on your local computer).
   
   
   
   2. Click "Request a Client Authentication Certificate," and then click the Advanced button.
   
   
   
   3. Under the Key Spec section, select Signature.
   
   
   
   4. Under the Properties section, select the following:

      Export Private Keys to File
      Allow Keys to be Exported
      Create a SPC file

   
   
   
   5. In the Usage list box, select Code Signing, and then click OK.
   
   
   
   6. When you are prompted to save the private key as a file (.pvk), type a path and file name for the private key, and the click OK.
   
   
   
   7. Complete the Certificate Enrollment Form, and then click the Submit Request button.
      
      NOTE: The name you provide in the Name field is what the IEAK wizard will display later when it lists the Trusted Publishers.
   
   
   
   8. When you are prompted, provide a password for the private key, and then click OK.
   
   
   
   9. When the following message is displayed in the browser, click the Download button:

      Certificate Download
      Your request has been successfully processed!
      Please click the Download button to obtain your new certificate.

   
   
   
   10. When you are prompted, provide the path and file name for the Software Publishing Certificate (.spc) file (also known as the public key), and then click OK.
   
   
   
   11. When the dialog box appears informing you that "Your new certificate has been successfully installed" and that you must install this Certificate Authority's Root Certificate, click OK.
   
   
   



3. Install the Certificate Authority's Certificate on your computer by doing the following:
   
   
   1. Open http://<WebServer>/certsrv/CertEnroll/cacerts (where <WebServer> is the name of the Web server that Certificate Server is installed on).
      
      NOTE: You can use http://localhost/certsrv/CertEnroll/cacerts.htm if Certificate Server is installed on your local computer).
   
   
   
   2. Click "Certificate for <WebServer>.."
   
   
   
   3. When you are prompted with the "What would you like to do with this file" message, select "Open this file from its current location," and then click OK.
   
   
   
   4. In the New Site Certificate dialog box, accept the default settings (all check boxes selected), and then click OK.
   
   
   
   5. When you are prompted with the "Do you want to ADD the following certificate to the Root Store?" message, click Yes.
   
   
   



4. To add the new Certificate Authority's Certificate to the list of "Trusted Publishers" recognized by the IEAK wizard, perform the following steps:
   
   
   1. Copy the following files from the Ieak\Reskit\Addons\Tools folder into an empty folder:

      Signcode.exe (signing utility)
      Signer.dll (dependency file)
      Chktrust.exe (verifies signatures and optionally adds to the list of trusted publishers)

   
   
   
   2. Copy any available .exe or .cab file into the same folder.
   
   
   
   3. Copy the .pvk and .spc files created in step 2 into the same folder.
   
   
   
   4. At a command prompt, use the Signcode.exe utility to sign the .exe or .cab file copied to the folder in step b. For example, if Notepad.exe was copied to the folder, and the key names are Private.pvk and Public.spc, use the following:

      signcode -v private.pvk -spc public.spc notepad.exe

   
   
   
   5. When you are prompted, type the password you previously provided for the private key.
      
      Notes:
      
      
      • You cannot use the asterisk (*) as a wildcard character in the file name.
      
      
      
      • A time stamp is not required (-t switch for signcode.exe).
      
      
      
   
   
   
   6. At a command prompt, use the Chktrust.exe utility to check your signed file. For example, if a copy of Notepad.exe was signed, type the following:

      chktrust notepad.exe

   
   
   
   7. When you are prompted by "Do you want to select and run '<FileName>' signed on an unknown date/time and distributed by <CertificateName>," select the "Always trust content from <CertificateName>" check box, and then click Yes.
   
   
   
   8. Delete the signed file from the folder (so that it will not be accidentally included when you sign the IEAK wizard files in the next step).
   
   
   



5. Run the IEAK wizard to generate the Internet Explorer setup files. When you are prompted with the list of Trusted Publishers, select the one for the Certificate Authority that you created previously.



6. To use the Signcode.exe utility to sign all .exe and .cab files that will be installed by the Internet Explorer Setup program, perform the following steps:
   
   IMPORTANT: Be sure to track which files you copy to the folder containing Signcode.exe, so that you can return them to their original folder after they have been signed. Also, be sure NOT to include your .pvk or .spc files when you copy the signed files back to their original folder.
   
   
   1. Copy all unsigned .cab and .exe files into the folder containing Signcode.exe, Signcode.dll, and the .pvk and .spc files.
      
      Note: In addition to the files for any custom programs you specified while running the IEAK wizard, the following files must be signed:

      Branding.cab
      Desktop.cab
      Ie40cif.cab
      IE4setup.exe
      Folder<n>.cab
      Chl<xxxx>.cab

      For more information about which files need to be signed, go to the IEAK help Index, double-click the "Signing Programs" topic, and then view the "Signing your programs" subtopic.
   
   
   
   2. Sign all of the .cab and .exe files, and then copy them back into their original folder.
   
   
   

• Corporate administrators may not want to generate a digital certificate to sign files, particularly on a (secure and local) intranet site. In that situation, Internet Explorer's security settings need to be set to allow unsigned files to be downloaded on the local intranet zone. For additional information about downloading unsigned .cab files, please see the following article in the Microsoft Knowledge Base:

  Q192472 Automatic Configuration Settings in Profile Manager Don't Work




• The MakeCert utility included in the Ieak\Reskit\Addons\Tools folder is primarily used for testing purposes. In a production environment, a valid certificate needs to be created using a full-fledged certificate product such as Microsoft Certificate Server. For more information about using MakeCert, Cert2SPC, and Signcode, go to the IEAK help Index, double-click the "Signing Programs" topic, and then view the "Using Tools to Sign and Test Code" subtopic.

Additional query words:

Keywords          : ieak4.01aSP1 
Version           : 
Platform          : WINDOWS 
Issue type        : kbhowto 

Last Reviewed: July 12, 1999