This article expands upon How to Sign an FDI Device Package with common questions we receive from our members.
TABLE OF CONTENTS
- Q: Where do I find Certificates on my computer?
- Q: I don't see my Code Signing Certificate when I open the FDI Package Signing Tool, is this a problem?
- Q: There is one or more Intermediate Certificates for my Code Signing Certificate, how are they added to my signature?
- Q: Do I need to include Intermediate Certificates in my signature?
- Q: Do I need to include a Secure Timeserver URL in my signature?
- Q: The FDI Package Signing Tool failed to sign my file with Signature verification overall result: ERROR. How do I fix this error?
- Q: Can the software signature be applied separately from the timestamp signature?
- Q: How do I sign using a SHA256 signing algorithm?
- Q: After applying a digital signature the RRTE and DPCTT report No code signing certificates were found ?
- Q: The Reference Runtime reports my package was valid with warnings: Additional Info: Could not determine XAdES-T certified time.
- Q: What does the error message Signing certificate must be of type DSA or RSA mean? What is a private key?
- Q: Where can I find a Certificate Authority to obtain my Code Signing Certificate?
- Q: Unable to sign FDI Package - Certificate not listed - missing private key
Q: Where do I find Certificates on my computer?
A: Microsoft installs a tool that will let you browse the certificates installed on the PC you are using. Go to Start > type mmc.exe in the search bar.
(1) Go to File > Add/Remove Snap-in...
(2) Select Certificates
(3) Click Add > then select Current User
(4) Click OK
Figure 1. MMC
Figure 2. MMC Certificate View for Current User
Find the certificate by expanding the tree, then right-click on a certificate to Open. The certificate path will be shown as below:
Figure 3. Viewing Code Signing Certificate properties in MMC
Q: I don't see my Code Signing Certificate when I open the FDI Package Signing Tool, is this a problem?
A: The FDI Signing Tool defaults to the Personal folder, therefore you may need to copy your company's Code Signing Certificate to your Personal folder.
Browse for the Code Signing Certificate by expanding the trees in MMC.exe:
Figure 4. Expanding the folder tree in MMC
Right-click on the Certificate to Copy it. Then open your Personal folder and Paste the certificate there.
Now when the FDI Signing Tool is launched, it will find the Code Signing Certificate.
Figure 5. FDI Package Signing Tool - Browse for Certificate Serial number
Q: There is one or more Intermediate Certificates for my Code Signing Certificate, how are they added to my signature?
A: You will need to create a text file with .PEM extension to capture the Intermediate Certificate information to pass correctly to the FDI Package Signing Tool.
Using the MMC.exe, expand the list of Intermediate Certificates (see Figure 4).
Next, right-click to Open the certificate. Go to the Details tab, then click on Copy to File...
Figure 6. Saving the Intermediate Certificates
Figure 7. Save as Base-64 format
Save the intermediate certificate with any file name in a known directory (i.e. Documents\Temp). Once all of the Intermediate Certificates have been extracted, open a text editor program.
Open the *.CER file in the text editor program (see Figure 8).
Figure 8. Raw Certificate in Text Editor
Go to File > Save As... and save this file with the .PEM extension.
If multiple Intermediate Certificates are needed, copy and paste the text from the other files to the bottom of the *.PEM text file. Include all of the text, including -----BEGIN CERTIFICATE----- and ------END CERTIFICATE-----
Save the *.PEM file in a known location.
Go to the FDI Package Signing Tool and browse for the *.PEM file you created (see Figure 9).
Figure 9. Finding the *.PEM file
Automatic Inclusion of Intermediate Certificates
Using the latest FDI Package Signing Tool [Release 2.0.0.6 or above, or FDI-IDE 1.5.0 or above] you will no longer need to specify a PEM file for Intermediate Certificates. The FDI Package Signing Tool was updated to locate the needed Intermediate Certificates that reside on your PC and include them in the signature. This greatly reduces potential errors in applying your signature with the wrong (or missing) Intermediate files.
Figure 10. FDI Package Signing Tool (v2.0.0.6) UI Update
Q: Do I need to include Intermediate Certificates in my signature?
A: Yes, this is required for product registration.
Q: Do I need to include a Secure Timeserver URL in my signature?
A: Yes, this is required for product registration. The CA that issued the code signing certificate will also provide a URL for an RFC3161 timestamp server. Include that URL when signing.
Q: The FDI Package Signing Tool failed to sign my file with Signature verification overall result: ERROR. How do I fix this error?
Figure 11. Error message
A: Microsoft offers a "Root Certificate Store" for all Windows users. If you do not keep this up-to-date, you may see this type of error message when attempting to sign a package. Please see Install Root Certificates for detailed instructions.
Q: Can the software signature be applied separately from the timestamp signature?
A: Yes, with the FDI Package Signing Tool [Release 1.0.0 or above, or FDI-IDE 1.4.2 or above]. The restriction of the timestamping is that it is performed during the certificate validity period, both steps don't need to be performed at the same time.
This update added a new fdiNotary command "timestamp" that will:
1) Not sign the package (i.e. no software signature applied)
2) Timestamp the final existing signature in the package with XADeS-T
3) Throw an error if the final existing signature already has a XADeS-T stamp
We have also added a checkbox to the GUI called "Timestamp ONLY" to trigger this command. This allows the initial signing to be done without specifying a time server, which will leave the signature unstamped, then at a later date, a second fdiNotary.exe call with the new timestamp command will add the timestamp.
Figure 12. FDI Package Signing Tool - Timestamp
Q: How do I sign using a SHA256 signing algorithm?
A: The FDI Package Signing Tool [Release 1.0.0 or above, or FDI-IDE 1.4.2 or above] includes an input to select the Signing Algorithm by typing "sha1" or "sha256" in the field shown below.
Figure 13: FDI Package Signing Tool - Algorithm
FDI Package Signing Tool Release 1.5.0 and above defaults to the SHA256 algorithm.
Q: After applying a digital signature the RRTE and DPCTT report No code signing certificates were found ?
A: Digital Certificates are assigned by trusted root certificate authorities. Before certificates assigned by any given authority can be verified, the root certificate store on your computer must be updated with a list of known trusted certificate authorities. Installing Root Certificates is an article on our support portal describing how to update the Microsoft Root Certificate Store on your PC.
You may need to update the FDI-IDE (which contains the FDI Signing Tool) to version 1.4.2 as well. We resolved a related bug for non-English versions of Windows where the "code signing" extension might not be detected, leading to this exact error message.
Q: The Reference Runtime reports my package was valid with warnings: Additional Info: Could not determine XAdES-T certified time.
A: This error is caused when the clock on the computer used to sign the package and the trusted timestamp server is off. This is NOT the clock on the PC that is running the RRTE. The RRTE requires that the timestamp as generated by the PC and the timestamp from the trusted timestamp server be within 60 seconds. Those timestamps are embedded in the digital signature. If you get this error, please check the clock time on the PC that is signing the package and re-sign the package. Future versions of the sign tool will alert the user if the time difference is too large.
Q: What does the error message Signing certificate must be of type DSA or RSA mean? What is a private key?
A: Digital Certificates used for signing your package must be DSA or RSA type, this includes Intermediate certificates. This error may be produced if the Intermediate Certificate is missing or is the wrong type. Please refer to the article How to Sign an FDI Device Package for tips for including the Intermediate Certificate in the Signing Tool configuration.
Second possible cause: Private Key is Missing
If you purchased your certificate on one computer but intends to sign the FDI Package on a different computer, it may be possible to export the certificate with private key and import to another.
e.g. https://www.digicert.com/kb/code-signing/exporting-code-signing-certificate.htm
(If the link above has expired, you can google "Export code signing certificate" to find many examples on how to do this.)
Simply importing the .CER/CRT file into windows will NOT import the private key. You need to properly export to a password protected PFX file.
If your private key is stored on a USB Token, then it is not possible to export. However, the token can be plugged into another computer and used to digitally sign. The certificate provider will provide instructions.
FieldComm Group highly recommends digital certificates stored on USB Tokens for enhanced security. (As of 2023, hardware USB Tokens are now required)
If you have a private key in a file (e.g. filename.key), you can use tools such as OpenSSL to create a PFX file that includes both the private key and certificate and import both into the local store.
DO NOT UNDER ANY CIRCUMSTANCES distribute your private key or include it in a support request ticket. The public certificate files can be shared, but the private key MUST be kept secure.
Q: Where can I find a Certificate Authority to obtain my Code Signing Certificate?
A: Code Signing or EV Code Signing certificates are necessary for FDI Package signing
Code Signing is the process of using an X.509 certificate to digitally sign a piece of code, software, or other executable in a way that ensures that the product has not been tampered with or otherwise compromised
Extended Validation or EV refers to the high level of validation the certificate must go through, and represents the highest level of assurance to customers
Code Signing Certificates should be purchased from a valid Certification Authority (CA)
Looking for a code signing certificates supporting "Microsoft Authenticode“
IMPORTANT:
Code signing certificate shall be RSA 2048 (or higher) and supports Microsoft Trust Bits for "Code Signing" and/or "Time Server". You could have one or two certificates depending if it allows for both Code Signing and Time Server. ECC is not supported.
- RFC 3161 trusted time stamp server address shall be provided by the CA
- Hardware USB Tokens will be required starting 2023to secure the private key
- More security
- *.PXF files are not the typical method
Search online for "certificate authority services" and "code signing certificate". Wikipedia includes a possible list of providers:
https://en.wikipedia.org/wiki/Certificate_authority#Providers
As a reference, you can consult this list to verify your Certificate Authority and signing certificate meet the minimum requirements for FDI signatures:
https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT
Q: Unable to sign FDI Package - Certificate not listed - missing private key
Refer to the solution article here.