Root certificate trust problem after creating an Azure Trusted Signing certificate profile and signing an exe

JLS-5820 10 Reputation points
2025-01-06T20:44:00.3433333+00:00

Greetings Community:

I'm a relative novice in the trusted signing game and have encountered a problem. Below is what I've done so far, what's working, and what's failing. I hope someone with more experience can help point me in the right direction for the final step!

Steps I've taken so far:

  1. I successfully completed the steps in the Quickstart: Set up Trusted Signing doc including the Prerequisites, identity validation, and eventually creating the certificate profile.
  2. I then created and linked the certificate profile to a Key Vault in order to eventually download a *.pfx file for the certificate to use with SignTool. In the Key Vault area, I used the "Self-signed certificate" option for the "Type of Certificate Authority (CA)", thinking this would use some "Microsoft Root Authority" certificate as the root. I suspect that this may be the problem, but I'll get all of the details down here for completion.
  3. All of that worked except that after signing an executable, I still see the "Publisher: Unknown" (on Windows 10) and "Publisher: Unknown publisher" (on Windows 11) when attempting to run the executable.
  4. When I right-click on the executable, visit the "Digital Signatures" tab, select the signature, and click the "Details" button it says: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
  5. I then completed Windows updates on a Windows 10 machine (using this to test for older machines) just in case the root certificate had expired on my system, but this didn't change the behavior.
  6. More specifically, when I look in the "Microsoft Management Console" under "Trusted Root Certification Authorities >> Certificates" I see several "Microsoft Root" certificates, some of which are expired (Microsoft Root Authority, Microsoft Root Certificate Authority) and others which are NOT expired (Microsoft Root Certificate Authority 2010, Microsoft Root Certificate Authority 2011, Microsoft RSA Root Certificate Authority 2017, and Microsoft Time Stamp Root Certificate Authority 2014).

Questions:

  1. Any suggestions on how to get the certificate to be trusted all the way down the chain so that the Publisher is "known"?
  2. Do I need to use a third party CA such as DigiCert or GlobalSign and then use the "Certificate issued by an integrated CA" option for the "Type of Certificate Authority (CA)"?

Many thanks for any help with this! It all seemed a bit more arduous than it should have been, but having gotten through it, I think I'm near the finish line... hopefully :)
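A diagnostic for the symptom in step 4, added here as an example and not taken from the thread or from Microsoft's Trusted Signing documentation: it reads the executable's Authenticode signature, builds the code-signing chain the way the trust provider does, and looks the resulting root up in the machine's Trusted Root store, so you can see whether the leaf is self-signed (the Key Vault "Self-signed certificate" case) or chains to a root the machine does not hold. It assumes Windows PowerShell 5.1 or later and a path to a signed PE file.

```powershell
# Added diagnostic (not from the thread): explain why an exe shows "Publisher: Unknown"
# by inspecting its Authenticode signature and the certificate chain Windows builds for it.
param([Parameter(Mandatory)][string]$Path)   # assumption: path to a signed .exe/.dll/.msi

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status        : $($sig.Status)"
"StatusMessage : $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) { "No signer certificate found; the file is unsigned."; return }

$signer = $sig.SignerCertificate
"Signer subject: $($signer.Subject)"
"Signer issuer : $($signer.Issuer)"
if ($signer.Subject -eq $signer.Issuer) {
    "NOTE: subject == issuer, so the leaf is self-signed (e.g. Key Vault 'Self-signed certificate')."
    "      Windows only trusts it on machines where that certificate was imported into Trusted Root."
}

# Build the chain under the code-signing application policy (EKU id-kp-codeSigning, 1.3.6.1.5.5.7.3.3).
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline diagnostic; revocation is a separate question
$built = $chain.Build($signer)
"Chain builds without errors: $built"

$i = 0
foreach ($el in $chain.ChainElements) {
    # Per-element status flags, e.g. UntrustedRoot, NotTimeValid, PartialChain; empty means OK.
    $st = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $st) { $st = 'OK' }
    "  [$i] $($el.Certificate.Subject)  status=$st"
    $i++
}

# The last element is the root the chain terminated in. Is it in the machine's Trusted Root store?
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
"Root          : $($root.Subject)"
"Root trusted  : $([bool]$trusted)"

# A timestamp that chains fine while the signer does not points at the signing certificate's
# issuing hierarchy, not at missing Windows updates on the test machine.
if ($sig.TimeStamperCertificate) {
    "Timestamp by  : $($sig.TimeStamperCertificate.Subject)"
}
```

Run it as `.\Check-Signature.ps1 -Path .\app.exe` (script name is an assumption); a chain whose last element reports `UntrustedRoot` and `Root trusted : False` is exactly the "terminated in a root certificate which is not trusted" message from the Digital Signatures tab.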


3 answers

  1. Vikas Tiwari 5 Reputation points
    2025-02-26T03:59:36.77+00:00

    Azure Trusted Signing is self-sufficient for any type of file signing: exe, msi and all those provided in Microsoft documentation. Even ClickOnce signing can be achieved with SignTool. Azure Trusted Signing is very cost effective compared to DigiCert.

    I implemented both ClickOnce signing and exe, msi, dll signing in my project and all are working fine.


  2. Meha-MSFT 1,165 Reputation points Microsoft Employee Moderator
    2025-01-07T20:03:18.7266667+00:00

    After setting up the certificate profile, please follow this guide to sign with Trusted Signing: https://learn.microsoft.com/en-us/azure/trusted-signing/how-to-signing-integrations . We don't pull certs from AKV.


  3. Meha-MSFT 1,165 Reputation points Microsoft Employee Moderator
    2025-01-09T19:45:45.9633333+00:00

    Please follow the guide on how to sign with Trusted Signing and you should be all set. Trusted Signing certificates are trusted by default on supported Windows versions with the latest security updates, so there's no need for additional EV/OV certs or anything extra you need to do to trust the CA.

