RE: Self-Signed Test Certificates and signing SHIMS for Add-Ins

Hi jojobar,

Thanks for your feedback.

A certificate is just a file which can pass the valid public key to the user.
The key point is how we can be sure that the public key in the certificate
is the one from the correct owner. This is done by encrypting the public key
and other information in the certificate with the *issuer*'s private key
(we can ensure this by using the *issuer*'s public key to decrypt the
certificate, which should be OK). Then the problem lies in how we can trust
the *issuer*, so we will get a chain of certificates on our machine. At the
top, we will get a root certificate, which is signed (issued) by a well-known
certificate issuer (certificate authority), such as VeriSign or Thawte. If
not, we cannot be sure that this certificate chain can be trusted, and we
cannot trust the public key in this certificate. (It may come from some
other bad person...)

OK, enough background information. Let's get back to your problem. There is
no definite definition of "test certificate", but we can get some information
from the tools that generate a "test certificate":
The MakeCert tool creates an X.509 certificate, signed by the test root key
or other specified key, that binds your name to the public part of the key
pair.

So we can see that a test certificate does not care about the certificate
chain; it uses some "test root key" to sign the public key in the
certificate. So it is not signed by a valid CA, and cannot be trusted by any
client machine. (How can a client machine trust a certificate signed by a
random key... :-) )

If you use makecert.exe to generate a *.cer file, you can double-click it;
then, in the pop-up dialog, you will see the certificate path and other
information.

For the Word add-in side issue, I think this is because you use a non-trusted
certificate (sure, because it is a test certificate). I suggest you go and
obtain a trusted certificate, then do some tests with it. For more
information regarding obtaining a valid certificate, you can find some
information in the "Obtaining Certificates" section of the article below:
"Secure Sockets Layer: Protect Your E-Commerce Web Site with SSL and
Digital Certificates"
http://msdn.microsoft.com/msdnmag/issues/01/04/SSL/

Hope this helps

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
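The point above (a certificate issued by a "test root key" chains to a root no client machine trusts) can be shown from PowerShell. This is an added example, not part of Jeffrey's post or of makecert itself; it assumes the PKI module cmdlets of Windows 10 / PowerShell 5.1 or later, and the subject names are constructed placeholders.

```powershell
# Added example: build a "test root" and an add-in signing certificate issued
# by it, then walk the chain the way a client machine does.
# Subject names below are constructed placeholders, not real publishers.

# 1. A self-signed "test root" key, comparable to makecert's test root.
$testRoot = New-SelfSignedCertificate `
    -Type Custom `
    -Subject 'CN=Example Test Root (constructed)' `
    -KeyUsage CertSign, CRLSign `
    -TextExtension '2.5.29.19={text}CA=true' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. A code-signing certificate that binds a name to a key pair, issued
#    (signed) by the test root rather than by a public CA.
$addInCert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject 'CN=Example Add-In Publisher (constructed)' `
    -Signer $testRoot `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Chain validation exactly as Windows performs it for a signed add-in.
function Test-AddInCertChain(
    [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Offline demonstration; revocation checking is not the point here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Trusted   = $trusted
        Status    = ($chain.ChainStatus | ForEach-Object Status) -join ', '
        ChainPath = ($chain.ChainElements |
                     ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}

# The chain is built (leaf -> test root) but Trusted is False and Status
# reports UntrustedRoot, because the test root is in no trusted root store.
Test-AddInCertChain $addInCert

# Only if an administrator deliberately imports the test root into
# Cert:\LocalMachine\Root (or CurrentUser\Root) on a machine does the chain
# validate there; every other client still reports UntrustedRoot. A
# certificate from a public CA is the only way to avoid that per-machine step.
```

The same check can be run on a .cer produced by makecert.exe by loading it with `Get-PfxCertificate` or `[X509Certificate2]::new('path\to\file.cer')` and passing it to `Test-AddInCertChain`.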
