Close Window x

Frequently Asked Questions

Help Center Search

Request a Code Signing Certificate

Print this Article
Comment on this Article
Last Updated: March 18, 2009 2:27 PM

Code signing certificates are general purpose in nature and can be used to sign a variety of different code types. However, the manner in which you request the code signing certificate will dictate the ease at which you can use the certificate to sign code. The currently supported browsers for automatic CSR generation are Internet Explorer v6 and Internet Explorer v7. If you will be signing Windows code, you should use Internet Explorer for simplicity.The following is a general summary of the process.

Request a Code Signing Certificate

  1. Request the code signing certificate by clicking on the purchased code signing certificate credit in My Account. You should request the certificate on the machine you will be using to sign the code, including the correct login account on the machine. A private key will be created on the machine for the current user and will need to be associated with the code signing certificate after it is issued. The request process differs slightly, depending on the browser and/or operating system being used.
    1. Internet Explorer 6 (automatic CSR generation) - The private key will be stored in the certificate store and can also be stored in a PVK file (recommended).
    2. Internet Explorer 7 (automatic CSR generation) - The private key will be stored in the certificate store and can also be stored in a PVK file (recommended). The PVK file option will not be available if using Windows Vista or Windows 2008 Server.
    3. All browsers (manual CSR generation) - Manually generate a Certificate Signing Request (CSR) and paste into the code signing request page. If you plan on signing Java code, it is recommended to use keytool to generate the CSR.
      1. CSR generation for IE 6
      2. CSR generation for IE 7
      3. Java CSR generation using keytool
  • Respond to any requests for additional documentation. The certificate cannot issue until all of the required vetting of the company has been performed.
  • Download the issued certificate. Once the certificate has been issued, an email will be sent that contains a link which can be used to download the certificate and any needed intermediate certificates. The code signing certificate will be delivered as an SPC file in PKCS7 format.
  • Install the code signing certificate and export it into the desired format. In all cases, you should end up with an SPC file and a PKCS12 or PFX file. The PKCS12 or PFX file should contain the private key, code signing certificate and any required intermediate certificates. Since it will contain the private key, make sure to password protect the file.
    1. IE 6/7 with a private key in a PVK file
      1. Use pvkimprt.exe to combine PVK and SPC files into a PFX file containing the private key, code signing certificate and any required intermediate certificates.
        1. You can download the PVK Digital Certificate Files Importer from Microsoft's Web site.
        2. A command line example would be:
          pvkimprt -PFX mycert.spc mykey.pvk
        The Windows certificate export wizard will be launched when the command-line command is executed.
    2. IE 6/7 without private key in a PVK file:
      1. Import the SPC file into the Windows certificate store, by right clicking on the file in Windows Explorer and selecting "Install Certificate" item in the popup menu.
      2. View certificate details, to verify the private key corresponding to the code signing certificate is present.
      3. Select the code signing certificate and press the export button. The Windows certificate export wizard will be launched.