Tags: windows, ssl, certificate, applocker

Only let the user run programs with specified certificate (Windows)


I want to allow the user on a Windows 7 PC to run only programs which are certificated by me (I used OpenSSL to create a self-made pem/cer resp. pfx file). I sign the files with Microsoft SignTool.exe. This works like a charm; all my exe files show that they are certificated.

I found out there is a way using AppLocker, but every time I try to use AppLocker it gives the following error:

"The publisher information cannot be extracted from the specified file: [FILENAME] Reason: The object identifier does not represent a valid object. (Exception from HRESULT: 0x800710D8)"

I created the certificate with this HowTo: https://www.howtoforge.de/anleitung/howto-selbstsigniertes-ssl-zertifikat-erstellen/ Did I miss something?

The second way I read about is to use the Software Restriction Policies (SRP). When I try to use a signed exe file it gives me an error:

Die Erweiterung für die Basiseinschränkung eines Zertifikates wurde nicht eingehalten (The extension of the basic limitations of a certificate has not been respected.)

When I use the created .cer file it seems to work, but I can run all programs anyway.

So in the end my question is: What is the best method in Windows to allow the user to run only certificated programs (certificated by me)?

Thank you very much, Spider


Solution

  • OK, found the solution. When you install a certificate in Windows by double-clicking the file, you install the certificate as the local user. AppLocker works with a "computer account".

    Start > Run > MMC.msc > File > Add/Remove Snap-in… > choose "Certificates" > click Add > select "Computer account" and then insert the keys.

    This way AppLocker identifies the certificates as trustworthy.
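The same fix, scripted, as an added PowerShell example that is not part of the thread: it imports the public certificate into the computer (LocalMachine) stores instead of the user store, confirms that the Authenticode signature on a SignTool-signed binary now validates at machine scope, and then lets AppLocker extract the publisher information and build a publisher rule from it. The paths `C:\certs\mysigning.cer` and `C:\Apps\MyTool.exe` are placeholders, not values from the question. The .NET `X509Store` class is used for the import because the `Import-Certificate` cmdlet is not available on Windows 7.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# Placeholders (assumptions): the public certificate exported from OpenSSL and a
# binary that was signed with SignTool.exe.
$certPath = 'C:\certs\mysigning.cer'
$exePath  = 'C:\Apps\MyTool.exe'

# 1. Import the certificate into the *computer* stores, which is what AppLocker
#    consults. Double-clicking the .cer file only lands it in the user's store.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
foreach ($storeName in 'Root', 'TrustedPublisher') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)        # idempotent: adding an already-present certificate is a no-op
    $store.Close()
}

# 2. Check that the signature chain now validates at machine scope. Any status other
#    than 'Valid' (for example 'NotTrusted') means AppLocker will not be able to read
#    the publisher either, so stop here instead of building a rule that cannot match.
$sig = Get-AuthenticodeSignature -FilePath $exePath
"Signature status: {0}; signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid') {
    throw "Signature on $exePath does not chain to a certificate in the machine stores"
}

# 3. Let AppLocker extract the publisher fields (this is the step that failed with
#    0x800710D8 in the question) and turn them into a publisher rule for Everyone.
Import-Module AppLocker
$info = Get-AppLockerFileInformation -Path $exePath
$info.Publisher | Format-List      # PublisherName / ProductName / BinaryName / BinaryVersion

$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize

# 4. Dry-run the policy: the self-signed binary should be Allowed, and a binary signed
#    by a different publisher (Notepad, signed by Microsoft) should not match the rule.
$policy | Test-AppLockerPolicy -Path $exePath, 'C:\Windows\System32\notepad.exe' -User Everyone |
    Format-Table -AutoSize         # FilePath / PolicyDecision / MatchingRule

# 5. Only once the decisions above look right, merge the rule into the local policy.
#    Left commented out so the script does not change enforcement by accident.
# Set-AppLockerPolicy -PolicyObject $policy -Merge
```

Two things to keep in mind before enforcing a policy built this way: AppLocker switches to deny-by-default for a rule collection as soon as that collection contains any rule, so a policy that allows only your own publisher must also carry rules for the Windows and Program Files binaries the machine needs (the default rules AppLocker offers cover that), and it is safer to run the collection in audit-only mode first and review the AppLocker event log before switching to enforce.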