This article expands upon How to Sign an FDI Device Package with common questions we receive from our members.
TABLE OF CONTENTS
- Q: Where do I find "Certificates" on my computer?
- Q: I don't see my Code Signing Certificate when I open the FDI Package Signing Tool, is this a problem?
- Q: There are one or more "Intermediate" Certificates for my Code Signing Certificate, how are they added to my signature?
- Q: Do I need to include Intermediate Certificates in my signature?
- Q: Do I need to include a Secure Timeserver URL in my signature?
- Q: The FDI Package Signing Tool failed to sign my file with "Signature verification overall result: ERROR". How do I fix this error?
- Q: Can the software signature be applied separately from the timestamp signature?
- Q: How do I sign using a SHA256 signing algorithm?
Q: Where do I find "Certificates" on my computer?
A: Windows includes the Microsoft Management Console (mmc.exe), which lets you browse the certificates installed on the PC you are using. Go to Start > type mmc.exe in the search bar.
(1) Go to File > Add/Remove Snap-in...
(2) Select Certificates
(3) Click Add > then select Current User
(4) Click OK
Figure 1. MMC
Figure 2. MMC Certificate View for Current User
Find the certificate by expanding the tree, then right-click on a certificate and choose Open. The Certification Path tab shows the chain from your certificate up to its root, as below:
Figure 3. Viewing Code Signing Certificate properties in MMC
Q: I don't see my Code Signing Certificate when I open the FDI Package Signing Tool, is this a problem?
A: The FDI Signing Tool only looks in the Personal folder of the Current User store, so if your company's Code Signing Certificate was installed somewhere else you will need to copy it into your Personal folder.
Browse for the Code Signing Certificate by expanding the trees in MMC.exe:
Figure 4. Expanding the folder tree in MMC
Right-click on the Certificate and choose Copy. Then open your Personal folder and Paste the certificate there.
The copy must still be linked to its private key: open the certificate and confirm that the General tab says "You have a private key that corresponds to this certificate". Without the private key the tool can list the certificate but cannot sign with it.
Now when the FDI Signing Tool is launched, it will find the Code Signing Certificate.
Figure 5. FDI Package Signing Tool - Browse for Certificate Serial number
Q: There are one or more "Intermediate" Certificates for my Code Signing Certificate, how are they added to my signature?
A: You will need to create a text file with the .PEM extension containing the Intermediate Certificate(s) in Base-64 form, and pass that file to the FDI Package Signing Tool.
Using the MMC.exe, expand the list of Intermediate Certificates (see Figure 4).
Next, right-click to Open the certificate. Go to the Details tab, then click on Copy to File...
Figure 6. Saving the Intermediate Certificates
Figure 7. Save as Base-64 format
Save the intermediate certificate with any file name in a known directory (e.g. Documents\Temp). Once all of the Intermediate Certificates have been extracted, open a text editor program.
Open the *.CER file in the text editor program (see Figure 8).
Figure 8. Raw Certificate in Text Editor
Go to File > Save As... and save this file with the .PEM extension.
If multiple Intermediate Certificates are needed, copy and paste the text from the other files to the bottom of the *.PEM text file. Include all of the text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines of each certificate. List them in chain order: first the certificate that issued your Code Signing Certificate, then its issuer, and so on. The root certificate is not an intermediate and is not added; verifiers take it from their trusted root store.
Save the *.PEM file in a known location.
Go to the FDI Package Signing Tool and browse for the *.PEM file you created (see Figure 9).
Figure 9. Finding the *.PEM file
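The three questions above (finding the certificate, checking that the tool can use it, and producing the intermediate *.PEM file) can also be done from PowerShell. The script below is an added example, not part of the FDI Package Signing Tool or the FDI-IDE. It assumes the certificate you want to sign with is already in Cert:\CurrentUser\My (the Personal folder of the Current User store), and the output path is a placeholder you can change.

```powershell
# Added example (not FDI tooling): pick a usable code-signing certificate from the
# Current User Personal store and write its intermediate CA certificates to one
# Base-64 PEM file for the tool's intermediate-certificates input.
# Assumption: $pemPath is a placeholder; any writable location works.
$pemPath = Join-Path $env:USERPROFILE 'Documents\Temp\intermediates.pem'

# Only a certificate with its private key can sign. HasPrivateKey is $false for a
# certificate that was copied without its key, which the tool cannot use.
$candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
if (-not $candidates) { throw 'No unexpired code-signing certificate with a private key in Cert:\CurrentUser\My' }
$candidates | Format-Table Thumbprint, Subject, NotAfter -AutoSize
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# Build the chain from the leaf up to the root. Revocation checking is off here because
# this is an export, not a trust decision; the signing tool does its own verification.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not build cleanly ($why); exporting the elements that were found."
}

# Keep every element that is neither the leaf (the tool signs with it) nor the
# self-signed root (verifiers take that from their trusted root store).
# ChainElements is already ordered leaf first, root last, which is the order wanted in the PEM file.
$blocks = foreach ($element in $chain.ChainElements) {
    $ca = $element.Certificate
    if ($ca.Thumbprint -eq $cert.Thumbprint) { continue }
    if ($ca.Subject -eq $ca.Issuer) { continue }
    # Same Base-64 encoding as the MMC "Base-64 encoded X.509 (.CER)" export, wrapped at 64 columns.
    $b64 = [Convert]::ToBase64String($ca.RawData)
    $wrapped = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----"
}
if (-not $blocks) { throw "No intermediate CA certificates found for $($cert.Subject)" }

New-Item -ItemType Directory -Path (Split-Path $pemPath) -Force | Out-Null
Set-Content -Path $pemPath -Value ($blocks -join "`r`n") -Encoding ascii
"Wrote $(@($blocks).Count) intermediate certificate(s) to $pemPath"
```

The resulting file is the same thing the manual MMC procedure produces, so it can be browsed for in the tool exactly as in Figure 9. If the script reports zero intermediates, the certificate was issued directly by a root and the *.PEM input can be left empty.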
Q: Do I need to include Intermediate Certificates in my signature?
A: It is recommended you always do this. A machine that verifies your package may not have your CA's intermediate certificates installed; embedding them in the signature lets the verifier build the chain from the package plus its own trusted root store alone.
Q: Do I need to include a Secure Timeserver URL in my signature?
A: It is recommended you always do this. A timestamp from a trusted time server proves the signature was made while the Code Signing Certificate was valid, so the signature remains verifiable after the certificate expires. Without a timestamp the signature is only as long-lived as the certificate itself.
Q: The FDI Package Signing Tool failed to sign my file with "Signature verification overall result: ERROR". How do I fix this error?
Figure 10. Error message
A: Microsoft maintains a "Root Certificate Store" on every Windows PC. If it is not kept up to date, the tool cannot build a trusted chain for your Code Signing Certificate and reports this error when attempting to sign a package. Please see Install Root Certificates for detailed instructions.
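Before reinstalling root certificates it is worth confirming that a missing root is really the cause. The script below is an added example, not part of the FDI tooling: it builds the chain for the chosen certificate the way a verifier would (with revocation checking on) and reports whether the top of the chain is a root that is absent from the trusted root stores, or whether the failure is something else. It assumes you paste in the thumbprint of the certificate you selected in the tool.

```powershell
# Added example (not FDI tooling): explain why chain verification fails for a code-signing certificate.
# Assumption: $thumbprint is the thumbprint shown for your certificate in MMC (placeholder below).
$thumbprint = 'PASTE-THUMBPRINT-HERE'

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $thumbprint
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in Cert:\CurrentUser\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRL/OCSP like a verifier would
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($cert)

# One line per element, leaf first; a clean element prints OK.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $status = if ($element.ChainElementStatus) {
        ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    } else { 'OK' }
    '{0,-24} {1}  {2}' -f $status, $c.Thumbprint, $c.Subject
}

# Look at where the chain stopped. A self-signed top that is not in a Root store is the
# "outdated root store" case; a top that is not self-signed means an issuer could not be found at all.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$topIsRoot = ($top.Subject -eq $top.Issuer)
$inRootStore = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $top.Thumbprint

if ($ok) {
    "Chain verifies; root '$($top.Subject)' is trusted on this PC."
} elseif ($topIsRoot -and -not $inRootStore) {
    "Root '$($top.Subject)' ($($top.Thumbprint)) is not in the trusted root stores: update the root store as described in Install Root Certificates."
} elseif (-not $topIsRoot) {
    "Chain stops at '$($top.Subject)': its issuer is not available on this PC (missing intermediate or root certificate)."
} else {
    "Root is trusted but the chain still fails; check the statuses above (for example a revocation lookup failure or an expired certificate)."
}
```

Run it on the same PC and under the same user account that runs the FDI Package Signing Tool, since both the Current User and Local Machine root stores are consulted.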
Q: Can the software signature be applied separately from the timestamp signature?
A: Yes, with the FDI Package Signing Tool [Release 1.0.0 or above, or FDI-IDE 1.4.2 or above]. The only restriction is that the timestamp must be applied while the Code Signing Certificate is still within its validity period; the two steps do not need to be performed at the same time.
This update added a new fdiNotary command "timestamp" that will:
1) Not sign the package (i.e. no software signature applied)
2) Timestamp the final existing signature in the package with XAdES-T
3) Throw an error if the final existing signature already has a XAdES-T stamp
We have also added a checkbox to the GUI called "Timestamp ONLY" to trigger this command. This allows the initial signing to be done without specifying a time server, which leaves the signature unstamped. At a later date (but before the Code Signing Certificate expires), a second fdiNotary.exe call with the new timestamp command adds the timestamp.
Figure 11. FDI Package Signing Tool - Timestamp
Q: How do I sign using a SHA256 signing algorithm?
A: The FDI Package Signing Tool [Release 1.0.0 or above, or FDI-IDE 1.4.2 or above] includes an input to select the Signing Algorithm by typing "sha1" or "sha256" in the field shown below. Use "sha256" unless you must remain compatible with older verification tooling: SHA-1 is deprecated for digital signatures because practical collisions have been demonstrated against it.
Figure 12. FDI Package Signing Tool - Algorithm