OK, this post is shameless plagiarism from this post. But I couldn’t risk losing sight of good content. Thanks (and apologies) go to David Barrett! Here we discuss how to create a code signing certificate using Active Directory Certificate Services.
Enable the Code Signing Certificate Template
- On the appropriate server (e.g. the CA root), open Certificate Services Manager.
- In the left pane, select Certificate Templates.
- Check whether a Code Signing template is listed – by default, it is not enabled for issue. If it isn’t listed, add it:
  - From the Action menu, select New -> Certificate Template to Issue.
  - Select Code Signing, then click OK.
Grant Permissions for User(s)
- From the Certificate Services Manager, right-click Certificate Templates and select Manage.
- From the list of templates, right-click Code Signing and select Properties.
- Select the Security tab.
- Every user who should be allowed to request a code signing certificate needs Read and Enroll permissions on this template, so add users and grant those permissions as necessary.
- Apply changes.
Create a Code Signing Certificate
- On the development machine (logged in as a user who has been granted permissions to create a code signing certificate), open Microsoft Management Console.
- From File menu, select Add/Remove Snap-in…
- From Available snap-ins, select Certificates and then click Add.
- Select My user account, and then click Finish.
- Click OK to close the Add/Remove Snap-in window.
- You will now see Certificates listed in the console view on the left. Right-click Personal, select All Tasks, then Request New Certificate.
- Click Next on the first screen (Before You Begin).
- Click Next on the Select Certificate Enrolment Policy screen (Active Directory Enrolment Policy will be applied).
- In the Request Certificates screen, tick Code Signing, and then click Enrol. A certificate will be created and placed in the user’s Personal store.
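The same enrolment can be scripted, and the issued certificate checked before anyone signs with it. This is an added example, not code from David Barrett’s post; it assumes the template’s internal name is the default “CodeSigning” (the display name is “Code Signing”), that the user holds Read and Enroll on it, and that the script path is a placeholder you replace.

```powershell
# Added example (not from the original post). Assumes the built-in template's
# internal name "CodeSigning" and a domain-joined machine that trusts the
# enterprise CA.

# 1. Request and enrol; this is the non-interactive equivalent of the MMC
#    wizard above. The certificate lands in Cert:\CurrentUser\My (Personal).
$enrollment = Get-Certificate -Template 'CodeSigning' `
                              -CertStoreLocation 'Cert:\CurrentUser\My'
if ($enrollment.Status -ne 'Issued') {
    # 'Pending' means the CA is set to require manager approval; 'Denied'
    # usually means the template's Read/Enroll permissions were not granted.
    throw "Enrolment did not complete: status is '$($enrollment.Status)'"
}
$cert = $enrollment.Certificate

# 2. Checks a signer should make before trusting the new certificate.
$codeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
if (-not ($cert.EnhancedKeyUsageList.ObjectId -contains $codeSigningEku)) {
    throw 'Certificate was issued without the Code Signing EKU'
}
if (-not $cert.HasPrivateKey) {
    throw 'Private key is not present in the Personal store'
}
# Build and validate the chain to the enterprise CA for the code-signing
# purpose; this fails if the CA is untrusted or the certificate is revoked.
if (-not (Test-Certificate -Cert $cert -EKU $codeSigningEku -ErrorAction SilentlyContinue)) {
    throw 'Certificate chain does not validate for code signing'
}

# 3. Sign a script with the new certificate, then verify the signature the
#    way a consuming machine would: from the file alone.
$scriptPath = 'C:\dev\Build.ps1'   # placeholder; point this at your own script
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.StatusMessage)"
}
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"Signature status: $($check.Status); signer: $($check.SignerCertificate.Subject)"
```

A signature without a timestamp stops validating once the certificate expires, so add a trusted timestamp (Set-AuthenticodeSignature -TimestampServer) before distributing signed scripts beyond the development machine.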