A couple of people asked me how to get self-signed certificates recognized by Windows.
For example, when you check the digital signature of one of my programs (like ariad.exe), you’ll see this:

The digital signature is valid, but the root certificate used in the signature is not trusted. This is because this root certificate is not installed in the repository of trusted root certificates. I’ll show you how to achieve this, but understand that by installing a new root certificate, you automatically trust all signatures and subordinate certificates issued by this root certificate authority.
The first 2 methods I’ll present add the new root certificate to your own certificate repository (i.e. the one associated with your account). This means that under other user accounts, the new root certificate will not be trusted. The third method explains how to add the new root certificate to the computer’s repository, so that it is trusted by all users.
Say you have a root certificate, like one created using this method. Here’s how to install it in your account’s “Trusted Root Certificate Authorities” certificate store:








And from now on, all executables signed by this root certificate authority (or its subordinate authorities) are trusted:

As the root certificate we used in this example is good for all purposes, and because your certificate store also integrates with Internet Explorer, SSL certificates issued by this certificate authority will also be trusted by Internet Explorer.
If you don’t have the root certificate file, you can also install it from the Authenticode signature like this:





And from here on, you follow the same steps as in the first method.
If you want to install certificates for all users, you’ll need to follow another method. But because this other method requires a certificate file, I’ll show you how to extract a certificate file from an Authenticode signature:
Follow the second method to view the root certificate, but instead of installing the certificate, look at the Details tab and export the certificate:






To install a root certificate for all users, you’ll need to start the Microsoft Management Console (mmc.exe) as an administrator:






And now you can import the root certificate following the same steps as in the first method:
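
The same import can be scripted. The PowerShell below is an added example, not part of the original post: it checks the exported certificate's thumbprint against a value you obtained from the publisher before trusting it, then imports it into the per-user or the all-users root store. The paths and the expected thumbprint are placeholders you must replace.

```powershell
# Added example: scripted equivalent of the GUI import, with a thumbprint check first.
# The three values below are placeholders (assumptions), not values from the post.
$CerPath            = 'C:\Temp\root-ca.cer'          # certificate file exported from the signature
$ExpectedThumbprint = '<THUMBPRINT-FROM-PUBLISHER>'  # obtained out of band, never from the file itself
$SignedFile         = 'C:\Temp\ariad.exe'            # signed program used to re-check the result
$Scope              = 'CurrentUser'                  # 'LocalMachine' = trusted by all users

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# A root certificate is self-issued: subject and issuer names must match.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: issuer is '$($cert.Issuer)'"
}

# Refuse to trust anything whose thumbprint differs from the expected one.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# The computer-wide store can only be written from an elevated session.
if ($Scope -eq 'LocalMachine') {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run PowerShell as administrator to import into the LocalMachine store.'
    }
}

$store = "Cert:\$Scope\Root"
if (Test-Path -Path (Join-Path $store $cert.Thumbprint)) {
    Write-Host "Already present in $store"
} else {
    # Importing into the CurrentUser root store shows a Windows confirmation dialog.
    Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
    Write-Host "Imported $($cert.Subject) into $store"
}

# Re-check the signed program: Status is 'Valid' once the chain ends in a trusted root.
Get-AuthenticodeSignature -FilePath $SignedFile |
    Select-Object Path, Status, StatusMessage

# To undo the trust decision later, delete the certificate from the same store:
# Remove-Item -Path (Join-Path $store $cert.Thumbprint)
```

Because the root is trusted for everything it signs, keep the thumbprint you approved on record so the entry can be reviewed or removed later.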

View full post on Didier Stevens