1. where are certificates stored

1.1 on the smartphone

Device Certificates are stored under the {HKLM|HKCU}\Comm\Security\SystemCertificates key in subkeys named {store name}\Certificates\{SHA-1 hex thumbprint}, in a value named Blob

at device initialization, certificates are imported into the registry from \windows\sysroots.p7b or from *.provxml files.

some certificates are stored initially in the registry: HKLM\Security\WTLS\Certificates

valid store names are:

Privileged Execution Trust Authorities
Unprivileged Execution Trust Authorities
priv + unpriv are used for codesigning certificates
used for signed .CAB certificates
used for website certificates

1.2 on your pc

under these registry keys: in subkeys {store name}\Certificates\{sha-1 hex thumbprint}, in a value named Blob

under these directories:

1.3 in files

2. how are certificates encoded

2.1 in xml transport

as the base64 encoding of the DER (ASN.1) encoded certificate.

to convert a .cer file to base64:
openssl base64 -in certificate.cer

to calculate the sha1 hash of a .cer file:
openssl sha1 certificate.cer

	<characteristic type="CertificateStore">
		<characteristic type="Privileged Execution Trust Authorities">
			<characteristic type="...sha1_hex...">
				<parm name="EncodedCertificate" value="...base64..."/>
				<parm name="Role" value="0"/>
			</characteristic>
		</characteristic>
	</characteristic>
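An added example (not from the original page) that produces and consumes the CertificateStore fragment shown above: it computes the SHA-1 thumbprint that names the per-certificate characteristic, base64-encodes the DER bytes into EncodedCertificate, and on the way back in verifies that the claimed thumbprint matches the decoded bytes before an importer would write the registry key. SAMPLE_DER is a constructed byte string standing in for a real .cer file, and lower-case hex for the thumbprint is this example's choice; the page does not say which case the device expects.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a DER-encoded certificate; any bytes will do for the
# encoding itself. A real .cer would be read with open(path, "rb").read().
SAMPLE_DER = bytes(range(0x30, 0x60)) * 3


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes as hex: the per-certificate characteristic name
    (and the registry subkey name). Lower-case hex is an assumption here."""
    return hashlib.sha1(der).hexdigest()


def build_certificate_store(store: str, certs, role: str = "0") -> str:
    """Build the CertificateStore provxml fragment for a list of DER certificates."""
    root = ET.Element("characteristic", type="CertificateStore")
    store_el = ET.SubElement(root, "characteristic", type=store)
    for der in certs:
        cert_el = ET.SubElement(store_el, "characteristic", type=thumbprint(der))
        ET.SubElement(cert_el, "parm", name="EncodedCertificate",
                      value=base64.b64encode(der).decode("ascii"))
        ET.SubElement(cert_el, "parm", name="Role", value=role)
    return ET.tostring(root, encoding="unicode")


def parse_certificate_store(xml_text: str):
    """Reverse direction: return (store, thumbprint, der, role) tuples from the
    fragment, refusing any entry whose thumbprint does not match the decoded
    bytes (the check an importer should make before creating the registry key)."""
    root = ET.fromstring(xml_text)
    if root.get("type") != "CertificateStore":
        raise ValueError("not a CertificateStore characteristic")
    entries = []
    for store_el in root.findall("characteristic"):
        for cert_el in store_el.findall("characteristic"):
            parms = {p.get("name"): p.get("value") for p in cert_el.findall("parm")}
            der = base64.b64decode(parms["EncodedCertificate"], validate=True)
            claimed = cert_el.get("type", "")
            if claimed.lower() != thumbprint(der):
                raise ValueError(f"thumbprint mismatch for {claimed}")
            entries.append((store_el.get("type"), claimed, der, parms.get("Role")))
    return entries


if __name__ == "__main__":
    fragment = build_certificate_store("Privileged Execution Trust Authorities", [SAMPLE_DER])
    print(fragment)
    for store, thumb, der, role in parse_certificate_store(fragment):
        print(store, thumb, len(der), "bytes, role", role)
```

The thumbprint check matters because the characteristic name is what becomes the registry key: an entry whose name disagrees with its contents would be stored under the wrong thumbprint.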

2.2 in .cer file

.cer files contain the DER (ASN.1) encoded X.509 certificate; to inspect one:
openssl x509 -in certificate.cer -inform DER -text

2.3 in .pvk file

  • a 6 dword header, the last field == filesize - 6*sizeof(DWORD)
  • followed by a PUBLICKEYSTRUC { bType=7(PRIVATEKEYBLOB), bVersion=2, reserved=0, aiKeyAlg=0x2400(CALG_RSA_SIGN) }
  • followed by a RSAPUBKEY struct { magic='RSA2', bitlen=1024, pubexp=0x10001 }, followed by the public modulus
  • followed by the private key data: p, q, (d%(p-1)), (d%(q-1)), 1/q ( mod p ), d
  • the modulus and d (the private exponent) are bitlen/8 bytes each; the other private key values are bitlen/16 bytes each
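An added example (not code from the original page) that writes and reads the unencrypted .pvk layout described in the bullets above, with the consistency checks a reader of such files should make (size field against file length, p*q against the modulus, the CRT values against d). The page only says "6 dword header"; the magic value 0xB0B5F11E, the keytype value 2 and the encrypted/saltlen fields are taken from the layout OpenSSL's PVK reader uses and are assumptions here. The key is a constructed 16-bit toy so every number is checkable by hand; real files carry bitlen=1024 as the page states, and the parser handles any bitlen that is a multiple of 16.

```python
import struct

PVK_MAGIC = 0xB0B5F11E      # assumption: PVK header magic as in OpenSSL's pvkfmt.c
PVK_KEYTYPE_SIGNATURE = 2   # assumption: AT_SIGNATURE, matching CALG_RSA_SIGN below
PRIVATEKEYBLOB = 7
CUR_BLOB_VERSION = 2
CALG_RSA_SIGN = 0x2400
RSA2_MAGIC = b"RSA2"
HEADER = struct.Struct("<6I")   # magic, reserved, keytype, encrypted, saltlen, keylen


def le_bytes(value: int, size: int) -> bytes:
    return value.to_bytes(size, "little")


def build_pvk(p: int, q: int, e: int = 0x10001, bitlen: int = 16) -> bytes:
    """Serialise a toy RSA private key (constructed, not a real key) in .pvk form."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    full, half = bitlen // 8, bitlen // 16
    blob = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_SIGN)
    blob += RSA2_MAGIC + struct.pack("<II", bitlen, e)
    blob += le_bytes(n, full)
    blob += (le_bytes(p, half) + le_bytes(q, half) + le_bytes(d % (p - 1), half)
             + le_bytes(d % (q - 1), half) + le_bytes(pow(q, -1, p), half))
    blob += le_bytes(d, full)
    # unencrypted: encrypted=0, saltlen=0, keylen = filesize - 6*sizeof(DWORD)
    return HEADER.pack(PVK_MAGIC, 0, PVK_KEYTYPE_SIGNATURE, 0, 0, len(blob)) + blob


def parse_pvk(data: bytes) -> dict:
    """Parse an unencrypted .pvk and verify the key material is self-consistent."""
    if len(data) < HEADER.size:
        raise ValueError("too short for a pvk header")
    magic, _reserved, keytype, encrypted, saltlen, keylen = HEADER.unpack_from(data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("bad pvk magic")
    if encrypted:
        raise NotImplementedError("password-protected .pvk files are not handled here")
    if keylen != len(data) - HEADER.size - saltlen:
        raise ValueError("keylen field does not match file size")
    off = HEADER.size + saltlen
    btype, bversion, _res, alg = struct.unpack_from("<BBHI", data, off)
    off += 8
    if (btype, bversion, alg) != (PRIVATEKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_SIGN):
        raise ValueError("not a PRIVATEKEYBLOB / CALG_RSA_SIGN blob")
    rsa_magic, bitlen, e = struct.unpack_from("<4sII", data, off)
    off += 12
    if rsa_magic != RSA2_MAGIC or bitlen % 16:
        raise ValueError("bad RSAPUBKEY header")
    full, half = bitlen // 8, bitlen // 16

    def take(size: int) -> int:
        nonlocal off
        value = int.from_bytes(data[off:off + size], "little")
        off += size
        return value

    n, p, q = take(full), take(half), take(half)
    dp, dq, iqmp = take(half), take(half), take(half)
    d = take(full)
    if off != len(data):
        raise ValueError("trailing bytes after private key")
    phi = (p - 1) * (q - 1)
    if (p * q != n or dp != d % (p - 1) or dq != d % (q - 1)
            or (q * iqmp) % p != 1 or (e * d) % phi != 1):
        raise ValueError("inconsistent private key values")
    return {"keytype": keytype, "bitlen": bitlen, "e": e, "n": n, "p": p, "q": q,
            "dp": dp, "dq": dq, "iqmp": iqmp, "d": d}


if __name__ == "__main__":
    toy = build_pvk(251, 239)   # constructed 16-bit key, primes chosen for hand checking
    print(len(toy), "bytes:", parse_pvk(toy))
```

The consistency check is the useful part: a .pvk whose p*q does not equal the modulus, or whose CRT values disagree with d, has been truncated, mis-parsed or edited, and should be rejected rather than handed to a signing tool.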

2.4 in .pfx file

openssl pkcs12 -info -in certificate.pfx

2.5 viewing asn.1 data

openssl asn1parse -inform DER -i -dump -in certificate.ext

2.6 viewing .spc or .p7b data

openssl pkcs7 -print_certs -inform DER -in certificate.spc

2.7 layout of registry blobs

the registry blobs consist of several records of this format:
+0  DWORD propid
+4  DWORD unknown
+8  DWORD dwSize
+12 BYTE  data[dwSize]
propid is usually one of the following:
00000003 CERT_SHA1_HASH_PROP_ID                    sha1 of certificate ( == the registry keyname )
00000004 CERT_MD5_HASH_PROP_ID                     md5 of certificate
00000014 CERT_KEY_IDENTIFIER_PROP_ID               sha1 of SubjectPublicKeyInfo : SEQ[SEQ[rsa], key]
00000018 CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID   md5 of pubkey of signer
00000019 CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID  md5 of pubkey of this certificate
00000020 CERT_CERT_PROP_ID                         the certificate
00008000 CERT_FIRST_USER_PROP_ID                   the SPC role
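An added example (not from the original page) that walks the record layout of a registry Blob value and cross-checks it: the CERT_SHA1_HASH_PROP_ID record must equal the sha1 of the CERT_CERT_PROP_ID record, and both must equal the registry keyname the blob was read from. The blob it parses is constructed inline from placeholder certificate bytes; the "unknown" field is written as 1 purely as a constructed value, since the page does not say what it means, and the role is stored as a 4-byte DWORD as an assumption.

```python
import hashlib
import struct

REC_HDR = struct.Struct("<III")   # propid, unknown, dwSize; data[dwSize] follows

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_MD5_HASH_PROP_ID = 0x04
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID = 0x18
CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID = 0x19
CERT_CERT_PROP_ID = 0x20
CERT_FIRST_USER_PROP_ID = 0x8000

PROP_NAMES = {
    CERT_SHA1_HASH_PROP_ID: "CERT_SHA1_HASH_PROP_ID",
    CERT_MD5_HASH_PROP_ID: "CERT_MD5_HASH_PROP_ID",
    CERT_KEY_IDENTIFIER_PROP_ID: "CERT_KEY_IDENTIFIER_PROP_ID",
    CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID: "CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID",
    CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    CERT_CERT_PROP_ID: "CERT_CERT_PROP_ID",
    CERT_FIRST_USER_PROP_ID: "CERT_FIRST_USER_PROP_ID (SPC role)",
}


def build_blob(cert: bytes, role: int = 0) -> bytes:
    """Constructed Blob value with the three records a typical entry carries.
    'unknown' is set to 1 only as a constructed value."""
    def rec(propid: int, data: bytes) -> bytes:
        return REC_HDR.pack(propid, 1, len(data)) + data
    return (rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert).digest())
            + rec(CERT_CERT_PROP_ID, cert)
            + rec(CERT_FIRST_USER_PROP_ID, struct.pack("<I", role)))


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {propid: data}, rejecting truncated records."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < REC_HDR.size:
            raise ValueError(f"truncated record header at offset {off}")
        propid, _unknown, size = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if size > len(blob) - off:
            raise ValueError(f"record {propid:#x} claims {size} bytes, {len(blob) - off} left")
        props[propid] = blob[off:off + size]
        off += size
    return props


def check_blob(blob: bytes, keyname: str) -> dict:
    """Parse and verify: stored sha1 == sha1(certificate) == registry keyname."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        raise ValueError("no CERT_CERT_PROP_ID record")
    actual = hashlib.sha1(cert).digest()
    if props.get(CERT_SHA1_HASH_PROP_ID) != actual:
        raise ValueError("stored sha1 does not match the certificate bytes")
    if actual.hex().lower() != keyname.lower():
        raise ValueError("registry keyname does not match the certificate thumbprint")
    return props


def describe(blob: bytes) -> list:
    """Human-readable listing of the records, one string per record."""
    return [f"{pid:08x} {PROP_NAMES.get(pid, 'unknown propid'):45} {len(data)} bytes"
            for pid, data in parse_blob(blob).items()]


if __name__ == "__main__":
    sample_cert = bytes(range(256)) * 2    # constructed placeholder, not a real certificate
    sample_blob = build_blob(sample_cert)
    for line in describe(sample_blob):
        print(line)
    print(check_blob(sample_blob, hashlib.sha1(sample_cert).hexdigest().upper()).keys())
```

A blob whose sha1 record disagrees with its certificate record, or that sits under a keyname other than its own thumbprint, is a sign that the store was edited by something other than the normal import path and is worth flagging when auditing a device's trust stores.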

3. how are certificates imported

certificates can be entered into a phone in several ways:

4. how to create certificates

(old information)

5. how to list certificates on your system

6. how to sign code with a certificate

(old information)

7. how to verify a signature


  • Signing and Checking Code with Authenticode
  • Digital Code Signing Step-by-Step Guide

below is the most recent information (feb 2008) on codesigning

codesigning using makecert ( a tool from microsoft )

where is makecert.exe?

on my laptop there are several copies of makecert.exe, in the following places:
2003-03-24 23:03       39936 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/makecert.exe
2005-09-23 06:56       39936 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/makecert.exe
2005-09-23 08:17       32528 c:/Program Files/Microsoft Visual Studio 8/SmartDevices/SDK/SDKTools/makecert.exe
2006-11-02 00:17       39424 c:/WinDDK/6000/bin/SelfSign/makecert.exe
and pvk2pfx can be found here:
2005-03-24 18:31       14336 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/pvk2pfx.exe
2006-11-01 23:43       18944 c:/WinDDK/6000/bin/SelfSign/pvk2pfx.exe
signtool can be found here:
2005-04-14 17:12       69120 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/signtool.exe
2005-09-23 06:56       75776 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/signtool.exe
2006-11-01 23:43      102912 c:/WinDDK/6000/bin/catalog/signtool.exe
2006-11-01 23:43      102912 c:/WinDDK/6000/bin/SelfSign/signtool.exe

create a self-signed certificate authority certificate

makecert -b 01/02/2004 -n "CN=my CA" -r -sv CA-my.pvk CA-my.cer

create a certificate signed with the above CA certificate

makecert -b 01/02/2004 -n "CN=my code signing key 2008 02 26" -iv CA-my.pvk -ic CA-my.cer -sv codesign-my.pvk codesign-my.cer

convert it to a .pfx file

pvk2pfx.exe -pvk codesign-my.pvk -spc codesign-my.cer -pfx codesign-my.pfx

upload it to your device

prapi -c codesign-my.cer

signing a binary

signtool sign -f codesign-my.pfx itsutils.dll

using openssl

alternatively it is also possible to create a CA and certificate using openssl.