Our code-signing certificate from Symantec has been converted to a password-protected PFX with the complete certificate chain and the public and private keys.
Signing with signtool (version 10.0.17763.0, x64) works when the certificate is manually imported on a build server (Windows Server 2012 R2), but not when it is pushed with a GPO from the DC (Server 2012 R2).
In both scenarios:
- The complete certificate chain is imported, and all certificate details on the DC are identical to the certificate on the server
- The certificate's General tab on the server says 'You have a private key that corresponds to this certificate'
My signing command is this:
C:\Users\myUser>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" sign /debug /v /a /sm /s Root /n "" /t http://timestamp.verisign.com/scripts/timstamp.dll MyApp.exe
Result when executed after manual import to server:
After EKU filter, 40 certs were left.
After expiry filter, 34 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 1 certs were left.
Result when executed after GPO push to server:
After EKU filter, 40 certs were left.
After expiry filter, 34 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
What is the reason for "After Private Key filter, 0 certs were left"?
Best Answer
My GPO for publishing certificates was set up with the certificate in: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certificates.
To get it to work I also had to set up the same certificate in: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Publishers.
I also had to enable Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update, "Allow signed updates from an intranet Microsoft update service location".
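The following PowerShell script is an added diagnostic, not code from the question or the answer above. It replays the four selection steps that signtool prints with /debug (EKU, expiry, Subject Name, Private Key) over the machine stores named in the thread (Root, TrustedPublisher, and My), so you can see at which step the certificate is dropped and, for the certificate that survives the name filter, whether a private key is actually present and openable on this machine. The subject fragment 'My Company' stands in for the /n value and is an assumption; replace it with the subject of your own certificate.

```powershell
# Added diagnostic example (not from the original post): mirrors the filter lines
# signtool prints with /debug and reports the private-key state of the survivor.
# Assumption: the subject fragment below is a placeholder for your /n value.
param(
    [string]$SubjectMatch = 'My Company',                  # placeholder, assumption
    [string[]]$StoreNames = @('Root', 'TrustedPublisher', 'My')
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$now = Get-Date

foreach ($store in $StoreNames) {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { Write-Warning "Store $path not found"; continue }
    $all = Get-ChildItem -Path $path

    # EKU filter: keep certificates that carry the Code Signing EKU or no EKU extension at all.
    $afterEku = $all | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        (-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
    }
    # Expiry filter: validity period must include the current time.
    $afterExpiry = $afterEku | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now }
    # Subject Name filter: /n is a substring match on the subject.
    $afterName = $afterExpiry | Where-Object { $_.Subject -like "*$SubjectMatch*" }
    # Private Key filter: the step that drops to 0 after the GPO push.
    $afterKey = $afterName | Where-Object { $_.HasPrivateKey }

    "{0,-32} EKU={1,3} expiry={2,3} name={3,3} privkey={4,3}" -f `
        $path, @($afterEku).Count, @($afterExpiry).Count, @($afterName).Count, @($afterKey).Count

    # For each name-filter survivor, say where (or whether) its private key lives.
    foreach ($c in $afterName) {
        $keyInfo = if ($c.HasPrivateKey) {
            try {
                $k = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)
                if ($k -is [System.Security.Cryptography.RSACng]) {
                    "CNG key '$($k.Key.KeyName)' in provider '$($k.Key.Provider.Provider)'"
                } elseif ($k -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    "CAPI key container '$($k.CspKeyContainerInfo.KeyContainerName)' in '$($k.CspKeyContainerInfo.ProviderName)'"
                } else {
                    "private key of type $($k.GetType().Name)"
                }
            } catch {
                "HasPrivateKey is true but the key cannot be opened: $($_.Exception.Message)"
            }
        } else {
            'no private key in this store (certificate-only copy)'
        }
        "  {0}  thumbprint={1}  {2}" -f $c.Subject, $c.Thumbprint, $keyInfo
    }
}
```

Save it as a .ps1 and run it from an elevated prompt on the build server, once after the manual PFX import and once after the GPO push; the store whose privkey count is 1 after the import and 0 after the push is the one signtool /sm /s is looking at, and the per-certificate line tells you whether the key is missing entirely or present but not openable by the signing account.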