====== Scenario 3.3: Issue Code-Signing Certificate ======
**Category:** [[.:start|Issue Certificates]] \\
**Complexity:** *** (Medium-High) \\
**Prerequisites:** CSR available, Code-Signing CA \\
**Estimated Time:** 10-15 minutes
----
===== Description =====
This scenario describes issuing a **code-signing certificate** for signing software. Code signing enables verification of the origin and integrity of executables, DLLs, scripts, and packages.
**Use cases:**
* Windows Authenticode (EXE, DLL, MSI)
* PowerShell scripts
* Java JAR files
* NuGet packages
* macOS code signing
* Firmware signing
----
===== Code Example (C#) =====
<code csharp>
using System.IO;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load the code-signing CA certificate and its password-protected private key
var caCert = ctx.LoadCertificate("codesign-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("codesign-ca.key.pem", "CaPassword!");

// Load the CSR and check its proof-of-possession signature before issuing anything
var csr = ctx.LoadCertificateRequest(File.ReadAllText("codesign.csr.pem"));
csr.VerifySignature();

// Issue code-signing certificate
var codesignCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 730, // 2 years
    extensions: new ExtBuilder()
        // End-entity certificate: must never be usable as an issuing CA
        .BasicConstraints(ca: false, critical: true)
        // Key Usage: only digitalSignature!
        .KeyUsage(KeyUsageFlags.DigitalSignature, critical: true)
        // Extended Key Usage: Code Signing (1.3.6.1.5.5.7.3.3)
        .ExtendedKeyUsage(ExtKeyUsage.CodeSigning)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        // OCSP responder and timestamping URL for long-term validation
        .AuthorityInfoAccess(
            ocspUrl: "http://ocsp.example.com",
            timestampUrl: "http://timestamp.example.com"
        )
        .Build()
);

codesignCert.ToPemFile("codesign.crt.pem");
</code>
----
===== Extended Key Usage Variants =====
^ OID ^ Name ^ Usage ^
| 1.3.6.1.5.5.7.3.3 | codeSigning | Standard code signing |
| 1.3.6.1.4.1.311.10.3.13 | lifetimeSigning | Windows Kernel-Mode |
| 1.2.840.113549.1.9.16.1.4 | firmwareSigning | Firmware (optional) |
----
===== Industry-Specific Requirements =====
^ Industry ^ Requirement ^ Specifics ^
| **Automotive** | UN R156 | Firmware updates, Secure Boot |
| **Healthcare** | DiGAV | Medical device software |
| **Industry 4.0** | IEC 62443 | PLC firmware |
| **Standard** | Microsoft Authenticode | Windows SmartScreen |
----
===== Windows Authenticode Signing =====
<code powershell>
# With SignTool and PQ certificate
signtool sign /fd SHA256 /f codesign.pfx /p "Password" /tr http://timestamp.example.com /td SHA256 myapp.exe

# Verify signature
signtool verify /pa /v myapp.exe
</code>
----
===== Timestamp Servers =====
**Important:** A code signature without a timestamp becomes invalid as soon as the signing certificate expires! Always use a timestamp server, so that verifiers can check the certificate as of the signing time rather than the current time.
^ Server ^ URL ^ Protocol ^
| DigiCert | http://timestamp.digicert.com | RFC 3161 |
| Sectigo | http://timestamp.sectigo.com | RFC 3161 |
| GlobalSign | http://timestamp.globalsign.com | RFC 3161 |
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Next Step** | [[en:int:pqcrypt:szenarien:signaturen:code_signieren|8.2 Sign Code]] | Use certificate |
| **Related** | [[en:int:pqcrypt:szenarien:signaturen:timestamp|8.3 Timestamp]] | Long-term validity |
| **Prerequisite** | [[en:int:pqcrypt:szenarien:pki:ca_hierarchie_aufbauen|1.3 CA Hierarchy]] | Code-Signing CA |
----
<< [[.:client_cert|<- 3.2 Client Certificate]] | [[.:start|^ Certificates Overview]] | [[.:smime_cert|3.4 S/MIME Certificate ->]] >>
{{tag>scenario certificate codesigning authenticode firmware}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//