Code Signing Certificate / Driver Signing Certificate

After you request a code or driver signing certificate, we verify your:

• Organization’s name
• Address
• Telephone number (which we call before issuing your certificate)

Documents to provide

To provide us this information, we require at least one of the following pieces of documentation:

• Business license
• Sales & Use Tax certificate (neither the number or the FEIN alone are acceptable)
• “Doing Business As” (DBA) documentation
• Fictitious-name documentation
• Occupational Tax Certificate/License
• Non-profit organization tax exemption certificate
• Articles of Incorporation
• Utility bill, or bank or credit card statement that displays address and phone number
• A letter of attestation from an attorney or CPA

• Go to your product page.
• Select SSL Certificates and select Manage for the certificate you want to download.
• Under Download Certificate, select a Server type and then select Download Zip File.

• Go to your product page.
• Select SSL Certificates and select Manage for the certificate you want to download.
• Under Download Certificate, select a Server type and then select Download Zip File.

Move your certificate file

• Unzip the ZIP file you downloaded.
• Open the unzipped folder and locate the file ending in -SHA2.pem.
• (Optional) Rename the PEM file to something easier to type, for example mycert.pem.
• Move the PEM file to the place where you created your keystore.

Windows-only preparation:

If you’re using Windows, you must complete the following steps before you can install the certificate and sign your code.

• Run cmd as an administrator.
• Move to your JDK installation’s bin directory

Install the certificate

• Through your command line, navigate to the directory where you created your keystore. (Windows users should already be here.)
• Install your certificate:
  • keytool -importcert -file mycert.pem -keystore codesignstore
• Enter your keystore’s password.
• Type yes that you want to trust the certificate, and then press enter.

Sign your code:

jarsigner -verbose -keystore codesignstore -tsa http://tsa.starfieldtech.com/ your jar file.jar codesigncert

Windows users might need to use the full paths to their keystore (JKS) and JAR files.

• Enter your keystore’s password.
• Verify your code is signed.
• jarsigner -verify -verbose -certs your jar file.jar

If everything worked, you’ll see jar verified.

You should expect to see “This jar contains entries whose certificate chain is not validated.” The presence of this warning does not indicate that your certificate won’t work.

Important Note:: To create the PFX file, you must use the same machine you used to generate your CSR.

Download your certificate

• Go to your product page.
• Select SSL Certificates and select Manage for the certificate you want to download.
• Under Download Certificate, select a Server type and then select Download Zip File.
• Open the ZIP file and move the file that ends in SHA2.spc to an accessible location.

Install your certificate in MMC

In your Windows search feature, enter mmc, and then click it to launch the Microsoft Management Console application.

• Expand Certificates (Local Computer), Personal.
• Right-click Certificates, and then go to the following menus: All Tasks > Import.
• Click Next.
• Browse for the SPC file — to find it, you’ll need to change the file type to PKCS #7 Certificates (*.spc, *.p7b).
• Click Next.
• Select Place all certificates in the following store and ensure the value is Personal.
• Click Finish.

Create the PFX file

To create a PFX file (which you’ll use with SignTool or Visual Studio), you need to combine your certificate file and your private key in MMC.

• In MMC, right-click your certificate (it will have your Common Name value displayed in the Issued To column), and then click Export.
• Click Next.
• Select Yes, export the private key.
• Under Personal Information Exchange…, select Include all certificates in the certification path if possible.
• Enter and confirm a strong password to secure the certificate, and then click Next.
• Browse to a location to store the combined file, and then click Next.
• Click Finish.

The PFX file is now stored locally on your computer.

Our code signing certificates work with the following types of Windows-based files:

• EXE
• DLL
• OCX
• CAB

Note: For CAB files, space should be allocated for the digital signature by adding the following entry to your DDF file before creating the cab file: Set ReservePerCabinetSize=6144.

Use SignTool to sign your code

• Install SignTool using Microsoft’s information. This involves downloading and installing Microsoft Windows Software Development Kit (SDK).
• Launch cmd.
• Sign your file: SignTool sign /f path to your PFX file /p your PFX file password /tr http://tsa.starfieldtech.com /td SHA256 path to the code you want to sign

• Launch Visual Studio.
• In the Solutions Browser, right-click your SLN or VCXPROJ file, and then select Properties.
• In the menu on the left, click Driver Signing and then click General.
• Complete the fields, and then click OK:

Now when you build your driver, it will be signed using your driver signing certificate.

Note: For CAB files, space should be allocated for the digital signature by adding the following entry to your DDF file before creating the cab file: Set ReservePerCabinetSize=6144.

Use SignTool to sign your code

• Install SignTool using Microsoft’s information. This involves downloading and installing Microsoft Windows Software Development Kit (SDK).
• Launch cmd.
• Sign your file: SignTool sign /f path to your PFX file /p your PFX file password /tr http://tsa.starfieldtech.com /td SHA256 path to the code you want to sign