search

i-RIC / prepost-gui-installer

0 stars 1 forks source link

Set information about distributor of iRIC installer #1

Open kskinoue0612 opened 7 years ago

kskinoue0612 commented 7 years ago

Currently, iRIC installer do not contain informatin about distributor, so warning dialog with "不明な発行元" is shown by the following procedure, set information about distributor.

  1. Using OpenSSL, from certificate file (.cer) and secret key file (.key), create PKCS12 file (*.pfx). Refer to: https://rms-digicert.ne.jp/howto/basis/openssl-get-pxf.html

  2. Using SignTool.exe, that is bundled to visual studio, add signature to installer.exe, using the *.pfx file you've created. Refer to: https://msdn.microsoft.com/library/windows/desktop/aa388170.aspx  

Leon-Zhang commented 7 years ago

https://rms-digicert.ne.jp/howto/basis/openssl-get-pxf.html says, it will generate csr and key file, so is it not cer file but csr file? and following information is required, could you provide them?

国名 (Country Name)
- 法人の登記国名コードを記載します。日本の場合はJPです。
都道府県名 (State or Province Name)
- 法人の登記簿謄本に記載された都道府県名をローマ字で記載します。
法人所在地 (Locality Name)
- 法人の登記簿謄本に記載された都市名をローマ字で記載します。
法人名 (Organization Name)
- 法人名を英文で記載します。Whoisの登録情報と合致させてください。
部署名 (Organizational Unit Name)
- 部署名を英文で記載します。空欄でもかまいません。
コモンネーム (Common Name)
- サーバー証明書の対象となるホスト名です。SSL Plusでは www.digicert.ne.jp のように記載してください。
ワイルドカードの場合は *.digicert.ne.jp のように記載します。
上記のような記載方法で、SSL PlusとWildCard Plus どちらの場合でも、/ と https://digicert.ne.jp/ の両方で利用できます。

Thanks.

kskinoue0612 commented 7 years ago

https://rms-digicert.ne.jp/howto/basis/openssl-get-pxf.html says "csr" in "OpenSSLでのCSR作成手順", and says "{common_name}.cer" in "OpenSSLを使って .pfxファイルを作成する方法". So, it seems a typo of this web page. :-) "csr" seems to be correct.

And, in this case, we should use CSR file that was created by a Certificate Authority, not by ourselves. iRIC already have *.csr file that was certificated by GeoTrust and used at https://i-ric.org/, so I think we should use that.

I'll get .csr, .key, and send them to you privately.

Before you get them, you can create .key, .csr by yourself using openssl for testing. In that case, you can input any arbitrary information as you like! :-)

kskinoue0612 commented 7 years ago

I'm sorry, the comment above seems to be wrong. There is not typo on the web site.

.csr is "Certificate Signing Request", and if we send it to Certificate Authority, we get .cer ("Certificate File"). They are different files. And, we need .cer to create .pfx.

Anyway, I'll get .key, .csr, and send them to you. Please wait for a while.

kskinoue0612 commented 7 years ago

I got private key (.key) and Certificate file (.cer) for i-ric.org Web site, tried to sign with those, but in vain. I've studied more about signing on software, and knew that to sign software, we can not use certificate for website, but need special certificate for code signing.

You can know the prices here:

http://www.nda.co.jp/memo/codesigning/index.html

Leon-Zhang commented 7 years ago

Ok, so what to do next? buy a certificate first?

kazutake commented 7 years ago

You don't need to do anything. Because this matter is "a better task", not "a must".
I would like to direct you after consult with RIC and other iRIC member. So please do other task until then.