This article expands upon How to Sign an FDI Device Package with common questions we receive from our members. 



Q: Where do I find Certificates on my computer?

A: Windows includes the Microsoft Management Console (mmc.exe), which lets you browse the certificates installed on the PC you are using. Go to Start and type mmc.exe in the search bar.

(1) Go to File > Add/Remove Snap-in...

(2) Select Certificates

(3) Click Add, then select Current User (labelled "My user account" in the dialog)

(4) Click OK

Figure 1. MMC

Figure 2. MMC Certificate View for Current User

Find the certificate by expanding the tree, then right-click a certificate and choose Open. The Certification Path tab shows the chain as below:

Figure 3. Viewing Code Signing Certificate properties in MMC

Q: I don't see my Code Signing Certificate when I open the FDI Package Signing Tool, is this a problem?

A: The FDI Package Signing Tool looks in the Personal folder (the CurrentUser\My store) by default, so you may need to copy your company's Code Signing Certificate into your Personal folder. Note that the certificate must have its private key available on the signing machine (the certificate dialog shows "You have a private key that corresponds to this certificate"); copying a certificate without its private key will not let you sign.

Browse for the Code Signing Certificate by expanding the trees in MMC.exe:

Figure 4. Expanding the folder tree in MMC

Right-click the certificate and choose Copy. Then open your Personal folder and Paste the certificate there.

Now when the FDI Signing Tool is launched, it will find the Code Signing Certificate.
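If you have several stores to search, the PowerShell script below (an added example, not part of the FDI Package Signing Tool or of this article) walks every CurrentUser and LocalMachine store, keeps the certificates that have a private key, flags the ones carrying the Code Signing Enhanced Key Usage (OID 1.3.6.1.5.5.7.3.3), and prints the serial number the tool's browse dialog keys on, together with whether the certificate already sits in CurrentUser\My (the Personal folder in MMC). The function and variable names are the example's own.

```powershell
# Added example: locate candidate code-signing certificates across all stores.
# Output columns: Store, Subject, SerialNumber, NotAfter, CodeSigning, InPersonal.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Find-SigningCertificates {
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        foreach ($store in Get-ChildItem "Cert:\$location" -ErrorAction SilentlyContinue) {
            $storePath = "Cert:\$location\$($store.Name)"
            foreach ($cert in Get-ChildItem $storePath -ErrorAction SilentlyContinue) {
                # Only certificates with a usable private key can sign anything.
                if (-not $cert.HasPrivateKey) { continue }

                $ekuExt = $cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
                $isCodeSigning = $false
                if ($ekuExt) {
                    $isCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningOid })
                }

                [pscustomobject]@{
                    Store        = "$location\$($store.Name)"
                    Subject      = $cert.Subject
                    SerialNumber = $cert.SerialNumber          # hex, no spaces; MMC shows it with spaces
                    NotAfter     = $cert.NotAfter
                    CodeSigning  = $isCodeSigning
                    InPersonal   = ($location -eq 'CurrentUser' -and $store.Name -eq 'My')
                }
            }
        }
    }
}

# Show only code-signing certificates; InPersonal = False means it still needs
# to be copied into the Personal folder as described above.
Find-SigningCertificates | Where-Object CodeSigning | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session for the CurrentUser stores; LocalMachine stores may need an elevated session to read, and a certificate found only there still has to be copied into your own Personal folder before the tool will offer it.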

Figure 5. FDI Package Signing Tool - Browse for Certificate Serial number

Q: There are one or more Intermediate Certificates for my Code Signing Certificate. How are they added to my signature?

A: You will need to create a text file with a .PEM extension that contains the Intermediate Certificate(s), so that they can be passed to the FDI Package Signing Tool.

Using the MMC.exe, expand the list of Intermediate Certificates (see Figure 4). 

Next, right-click the certificate and choose Open. Go to the Details tab, then click Copy to File...

Figure 6. Saving the Intermediate Certificates

Figure 7. Save as Base-64 format

Save the intermediate certificate with any file name in a known directory (e.g. Documents\Temp). Once all of the Intermediate Certificates have been extracted, open a text editor.

Open the *.CER file in the text editor program (see Figure 8).

Figure 8. Raw Certificate in Text Editor

Go to File > Save As... and save this file with the .PEM extension.  

If multiple Intermediate Certificates are needed, copy and paste the text from the other files to the bottom of the *.PEM text file. Include all of the text, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and keep nothing but the certificate blocks in the file.

Save the *.PEM file in a known location. 

Go to the FDI Package Signing Tool and browse for the *.PEM file you created (see Figure 9). 

Figure 9. Finding the *.PEM file
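The manual steps above (export each intermediate as Base-64, then concatenate) can be scripted. The PowerShell below is an added example, not the FDI tool's own code: it builds the chain for the code-signing certificate with a given serial number, writes every intermediate CA certificate as a PEM block into one file, and skips both your own (leaf) certificate and the self-signed root. `$SerialNumber` and `$OutFile` are assumed values to replace with your own.

```powershell
# Added example: export the intermediate CA certificates of a code-signing
# certificate to a single .pem file for the FDI Package Signing Tool.
$SerialNumber = '00A1B2C3D4E5F6'                                  # assumed: copy from MMC or Figure 5
$OutFile      = "$env:USERPROFILE\Documents\Temp\intermediates.pem" # assumed output path

function Export-IntermediatePem {
    param([string]$Serial, [string]$Path)

    # MMC shows the serial with spaces and lower-case hex; normalise before comparing.
    $serial = ($Serial -replace '\s', '').ToUpperInvariant()
    $leaf = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
    if (-not $leaf) { throw "No certificate with serial $serial in CurrentUser\My (the Personal folder)" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation lookups need network access; we only want the chain elements here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain could not be built for $($leaf.Subject): $status"
    }

    $blocks = foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        if ($c.Thumbprint -eq $leaf.Thumbprint) { continue }   # skip the leaf (your certificate)
        if ($c.Subject -eq $c.Issuer) { continue }              # skip the self-signed root
        # Same encoding as MMC's "Base-64 encoded X.509 (.CER)": DER, Base-64, 64-char lines.
        $b64 = [Convert]::ToBase64String($c.Export('Cert')) -replace '(.{64})', ('$1' + "`n")
        "-----BEGIN CERTIFICATE-----`n$($b64.TrimEnd("`n"))`n-----END CERTIFICATE-----"
    }
    if (-not $blocks) { throw "No intermediate certificates: the chain goes straight to a root" }

    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value ($blocks -join "`n") -Encoding ascii
    return @($blocks).Count
}

$count = Export-IntermediatePem -Serial $SerialNumber -Path $OutFile
"Wrote $count intermediate certificate(s) to $OutFile"
```

If the script throws because the chain cannot be built, the intermediate or root certificates are not installed on this PC; install them (see Install Root Certificates) before exporting, since the same missing certificates will also make the signing tool fail.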

Automatic Inclusion of Intermediate Certificates

With the latest FDI Package Signing Tool [Release or above, or FDI-IDE 1.5.0 or above] you no longer need to specify a PEM file for Intermediate Certificates. The tool was updated to locate the needed Intermediate Certificates that reside on your PC (in the Intermediate Certification Authorities store) and include them in the signature. This greatly reduces the chance of signing with the wrong (or missing) intermediate certificates.

Figure 10. FDI Package Signing Tool (v2.0.0.6) UI Update

Q: Do I need to include Intermediate Certificates in my signature?

A: Yes, this is required for product registration.

Q: Do I need to include a Secure Timeserver URL in my signature?

A: Yes, this is required for product registration. The CA that issued the code signing certificate will also provide the URL of an RFC 3161 timestamp server. Include that URL when signing.

Q: The FDI Package Signing Tool failed to sign my file with Signature verification overall result: ERROR. How do I fix this error?

Figure 11. Error message

A: Microsoft maintains a Root Certificate Store for all Windows users. If it is not kept up to date, you may see this type of error message when attempting to sign a package. Please see Install Root Certificates for detailed instructions.

Q: Can the software signature be applied separately from the timestamp signature?

A: Yes, with the FDI Package Signing Tool [Release 1.0.0 or above, or FDI-IDE 1.4.2 or above]. The only restriction is that the timestamp must be applied while the signing certificate is still within its validity period; the two steps do not need to be performed at the same time.

This update added a new fdiNotary command "timestamp" that will:

  1) Not sign the package (i.e. no software signature applied)

  2) Timestamp the final existing signature in the package with XAdES-T

  3) Throw an error if the final existing signature already has an XAdES-T stamp

We have also added a checkbox to the GUI called "Timestamp ONLY" to trigger this command. This allows the initial signing to be done without specifying a time server, which leaves the signature unstamped; at a later date a second fdiNotary.exe call with the new timestamp command adds the timestamp.

Figure 12. FDI Package Signing Tool - Timestamp

Q: How do I sign using a SHA256 signing algorithm?

A: The FDI Package Signing Tool [Release 1.0.0 or above, or FDI-IDE 1.4.2 or above] includes an input to select the Signing Algorithm by typing "sha1" or "sha256" in the field shown below. Use sha256: SHA-1 is deprecated for code signing, and the certificate requirements at the end of this article call for SHA-256.

Figure 13: FDI Package Signing Tool - Algorithm

Q: After applying a digital signature, the RRTE and DPCTT report "No code signing certificates were found". What is wrong?

A: Digital Certificates are issued by trusted root certificate authorities. Before certificates issued by a given authority can be verified, the root certificate store on your computer must contain that authority's trusted root certificate. Installing Root Certificates is an article on our support portal describing how to update the Microsoft Root Certificate Store on your PC.

You may also need to update the FDI-IDE (which contains the FDI Signing Tool) to version 1.4.2. That release fixed a related bug on non-English versions of Windows where the "code signing" extension was not detected, leading to this exact error message.

Q: The Reference Runtime reports my package was valid with warnings: "Additional Info: Could not determine XAdES-T certified time."

A: This warning is produced when the clock on the computer used to sign the package disagrees with the clock of the trusted timestamp server. It is NOT about the clock on the PC that is running the RRTE. The RRTE requires that the signing time recorded by the signing PC and the time asserted by the trusted timestamp server be within 60 seconds of each other; both values are embedded in the digital signature. If you get this warning, check that the clock on the PC that signs the package is correct and synchronized, then re-sign the package. Future versions of the signing tool will alert the user if the time difference is too large.

Q: What does the error message Signing certificate must be of type DSA or RSA mean?

A: Digital Certificates used for signing your package must use an RSA or DSA public key; this applies to the Intermediate Certificates as well (an ECDSA certificate anywhere in the chain does not qualify). This error may be produced if the Intermediate Certificate is missing or is of the wrong type. Please refer to the article How to Sign an FDI Device Package for tips on including the Intermediate Certificate in the Signing Tool configuration.

Second possible cause: Private Key is Missing

Please confirm that the private key for the certificate is installed on the signing machine. The private key may be on the machine itself or on a USB token. If you have a USB token, make sure the appropriate software drivers are installed.

You can confirm that a private key is installed by using the Certificates snap-in in the Microsoft Management Console: open the certificate, and the General tab shows "You have a private key that corresponds to this certificate".

Q: Where can I find a Certificate Authority to obtain my Code Signing Certificate?

A: Search online for "certificate authority services" and "code signing certificate". Wikipedia includes a possible list of providers:

As a reference, you can consult this list to verify your Certificate Authority and signing certificate meet the minimum requirements for FDI signatures:

Be sure to obtain a certificate that is signed with SHA-256 (the signature hash algorithm; SHA-256 is a hash, not encryption), uses an RSA or DSA public key algorithm, and carries the Microsoft Enhanced Key Usage ("Intended Purposes" in MMC) of "Code Signing" and/or "Time Stamping". You could have one or two certificates depending on whether a single certificate allows for both Code Signing and Time Stamping.
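The requirements above, and the "Signing certificate must be of type DSA or RSA" / missing private key causes described earlier, can be checked on one certificate before you sign. The PowerShell below is an added example, not the FDI tool's own code; `$SerialNumber` is an assumed value to replace with your own, and the reported property names are the example's own.

```powershell
# Added example: check a certificate in CurrentUser\My against the FDI signing
# requirements (RSA/DSA key, SHA-256 signature, Code Signing EKU, private key
# present, chain builds, every chain element RSA or DSA).
$SerialNumber = '00A1B2C3D4E5F6'   # assumed: the serial shown in MMC / the tool's browse dialog

function Test-FdiSigningCertificate {
    param([string]$Serial)

    $serial = ($Serial -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1
    if (-not $cert) { throw "Serial $serial not found in CurrentUser\My (the MMC 'Personal' folder)" }

    # Enhanced Key Usage must include Code Signing (OID 1.3.6.1.5.5.7.3.3).
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasCodeSigning = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })

    # Build the chain the way a verifier would (revocation skipped to keep this offline),
    # then look for any element whose public key is neither RSA nor DSA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $badAlgorithms = foreach ($e in $chain.ChainElements) {
        $alg = $e.Certificate.PublicKey.Oid.FriendlyName
        if ($alg -notin @('RSA', 'DSA')) { "$($e.Certificate.Subject) uses $alg" }
    }

    $now = Get-Date
    [pscustomobject]@{
        Subject            = $cert.Subject
        PublicKeyAlgorithm = $cert.PublicKey.Oid.FriendlyName        # must be RSA or DSA
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # expect sha256RSA (or sha256DSA)
        CodeSigningEku     = $hasCodeSigning
        HasPrivateKey      = $cert.HasPrivateKey                     # False -> "Private Key is Missing"
        ValidNow           = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ChainBuilds        = $chainOk                                # False -> root/intermediates missing
        ChainProblems      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NonRsaDsaInChain   = ($badAlgorithms -join '; ')             # non-empty -> "must be of type DSA or RSA"
    }
}

Test-FdiSigningCertificate -Serial $SerialNumber | Format-List
```

A ChainBuilds value of False with a ChainProblems entry such as UntrustedRoot or PartialChain points at the root or intermediate store, which is the same cause behind the "Signature verification overall result: ERROR" and "No code signing certificates were found" messages discussed above; a non-empty NonRsaDsaInChain points at an ECC certificate in the chain rather than at the signing tool.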