How can I sign an ActiveX control with a code signing certificate and be a verified publisher?

Question

I\'m trying to sign an ActiveX control with a code signing certificate issued by Thawte. I was able to successfully sign the control using signtool.exe.

When I look

Answer 1

The question actually contains the correct procedure-- do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key. Also, use a timestamp server. My problem was that I had the wrong root certificate included in my PFX, so the certificate used to sign couldn't chain back to the root.

By request, here's the information about how to create the PFX file. The cert2spc and pvk2pfx that I use below are also in the platform SDK.

cert2spc certpath1.cer certpath2.cer certpath3.cer codesign.spc

Where the list of .cer files includes the root, intermediate, and code signing certificates, and codesign.spc is the output file. Then:

pvk2pfx -pvk privkey.pvk -spc codesign.spc

Running pvk2pfx in this manner starts a wizard that prompts for the private key passphrase, and the location of the output file, and the passphrase for the output file.

Finally, signtool does the actual code signing:

signtool sign /f my_certificates.pfx /p my_passphrase /t http://timestamp.verisign.com/scripts/timstamp.dll my_activex_control.ocx

In retrospect, I might have saved time by using signcode.exe aka the Code Signing wizard (which I think is part of the .NET SDK) which uses .spc and .pvk files directly.