Perform the following steps to sign the ActiveX programs
that PKI Services provides and make them available to PKI Services
users.
Before you begin
- You need to have a tool such as Microsoft Visual
Studio that builds an installer program.
- You need a code signing certificate with an Extended Key Usage
of Code Signing and its private key. If you don't have one, you can
request one from PKI Services using the 2-year Authenticode template.
Follow the instructions for requesting a server certificate in Steps for requesting a new certificate. Then export the certificate and its private
key to a PKCS #12 file and download it to the Windows platform. In step 2.a, Microsoft Sign Tool will use the certificate
to sign PKIXEnroll.dll and PKICEnroll.dll.
Procedure
- Create directories on the PKI Services
server for the .exe and .msi programs that you will build in step 2.a. Create one directory for Windows XP and earlier versions
of Windows, and one for Windows Vista and later versions
of Windows.
_______________________________________________________
- Sign each of the ActiveX programs. Perform the following steps twice,
  once for PKIXEnroll.dll and once for PKICEnroll.dll.
  - Use Microsoft Sign Tool (signtool.exe) to sign the ActiveX program
    (PKIXEnroll.dll or PKICEnroll.dll) with the code signing certificate.
    You can download Microsoft Sign Tool at http://msdn.microsoft.com/en-us/library/aa387764(VS.85).aspx.
  - Build the installer programs. You'll need to use a tool such as
    Microsoft Visual Studio.
    For Windows XP and below, use PKIXEnrollDeploy for the project name,
    and the outputs for the installer program are:
    - setup.exe
    - PKIXEnrollDeploy.msi
    For Windows Vista and above, use PKICEnrollDeploy as the project name,
    and the outputs for the installer program are:
    - setup.exe
    - PKICEnrollDeploy.msi
    For detailed instructions, see Steps for building the installer programs using Microsoft Visual Studio.
  - Use Microsoft Sign Tool and the code signing certificate that you used
    in step 2.a to sign the installer programs.
_______________________________________________________
- Upload the signed installer programs
to the directories you created on the PKI Services server in step 1.
Note: Be sure to upload the programs in binary mode, so that the files
are not altered during the transfer.
_______________________________________________________
- Update the HTTP configuration files.
  - Update httpd.conf. Change the following statements to specify the
    directories you created in step 1.
      Pass /PKIServ/PKIXEnroll/* /usr/lpp/pkiserv/ActiveX/PKIXEnroll/*
      Pass /PKIServ/PKICEnroll/* /usr/lpp/pkiserv/ActiveX/PKICEnroll/*
  - Update httpd2.conf. Change the following statements to specify the
    directories you created in step 1.
      Pass /PKIServ/PKIXEnroll/* /usr/lpp/pkiserv/ActiveX/PKIXEnroll/*
      Pass /PKIServ/PKICEnroll/* /usr/lpp/pkiserv/ActiveX/PKICEnroll/*
_______________________________________________________
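The signing in step 2 and the binary-transfer note in step 3, as an added PowerShell example that is not part of the PKI Services documentation. The function name Invoke-SignAndVerify, the file name codesign.p12 and the choice of /fd SHA256 are assumptions; signtool.exe is assumed to be on PATH.

```powershell
# Added example, not IBM's code. Signs files with the PKCS #12 certificate,
# verifies each signature, and returns SHA-256 hashes for a post-upload check.
$ErrorActionPreference = 'Stop'

function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)] [string]   $Pkcs12Path,   # e.g. .\codesign.p12 (hypothetical name)
        [Parameter(Mandatory)] [string[]] $Files
    )
    # Prompt for the PKCS #12 password instead of storing it in the script.
    $secure = Read-Host -AsSecureString 'PKCS #12 password'
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password

    # Refuse to sign unless the certificate has the Code Signing EKU
    # (OID 1.3.6.1.5.5.7.3.3) and the file also holds its private key.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path $Pkcs12Path).Path, $plain)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or (@($eku.EnhancedKeyUsages.Value) -notcontains '1.3.6.1.5.5.7.3.3')) {
        throw "Certificate '$($cert.Subject)' lacks the Code Signing extended key usage."
    }
    if (-not $cert.HasPrivateKey) { throw 'PKCS #12 file does not contain the private key.' }

    foreach ($file in $Files) {
        # /fd SHA256 is an assumption: recent signtool releases require a digest choice.
        & signtool.exe sign /f $Pkcs12Path /p $plain /fd SHA256 $file | Out-Host
        if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $file" }

        # /pa applies the default Authenticode policy. It passes only when the
        # issuing CA chain is trusted on this machine, as it must be on clients.
        & signtool.exe verify /pa $file | Out-Host
        if ($LASTEXITCODE -ne 0) { throw "Signature on $file did not verify" }
    }

    # Record these hashes; the copies on the PKI Services server must match them.
    Get-FileHash -Algorithm SHA256 -Path $Files | Select-Object Path, Hash
}

# ActiveX programs:
#   Invoke-SignAndVerify -Pkcs12Path .\codesign.p12 -Files PKIXEnroll.dll, PKICEnroll.dll
# Installer programs, after they are built:
#   Invoke-SignAndVerify -Pkcs12Path .\codesign.p12 -Files setup.exe, PKIXEnrollDeploy.msi
```

If a hash computed on the server copy differs from the one recorded here, the transfer altered the file and its signature will no longer validate on clients.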
Results
When you are done, you have signed the ActiveX programs
provided by PKI Services, and made them available to PKI Services
users.