Using Your Code Signing Certificate

This webpage provides instructions on using an SSL.com OV or EV code signing certificate with Microsoft’s SignTool and SSL.com’s SSL Manager.

These instructions assume that your code signing certificate has been installed, or that you have it on a hardware token. For cloud-based code signing using the eSigner platform, please refer to the overview page and this enrollment guide.

Remember that for hardware-based OV and EV code signing certificates the private key only exists on the YubiKey FIPS USB token that was sent to you and that the token must be attached to the computer that is being used to sign the application. Windows users with YubiKey FIPS tokens should also download and install the YubiKey Smart Card Minidriver before using their token.

OV and EV code signing certificates should not be installed manually on your computer, which may cause configuration issues. Certificates shipped on YubiKeys from SSL.com can be used with no additional installation beyond installing the YubiKey Smart Card Minidriver and connecting the token to your computer. Certificates ordered via remote attestation should be downloaded and installed on the device containing the private key (e.g. YubiKey FIPS or other supported hardware), not your computer’s certificate store.
If you are planning to sign Windows 10 drivers with an EV code signing certificate, you will need to register with the Windows Hardware Developer Program.
For instructions on using your OV/IV or EV code signing certificate with Java, please refer to our Java Code Signing Guide.

Signing an Executable with SignTool

Install Windows SDK and SignTool

SignTool is included with the Windows 10 SDK. After installation, SignTool will be located under:

C:\Program Files (x86)\Windows Kits\10\bin\<SDK VERSION>\x64\signtool.exe

Start PowerShell

Start a PowerShell command window by searching for “PowerShell” in the Start menu and clicking on the desktop application.

PowerShell is a command line interface to Windows’ core services. You can use it to execute SignTool and sign your code.

For EV code signing, attach your USB token to your computer (if you haven’t done so already). If using eSigner, install the eSigner Cloud Key Adapter (CKA).

Remember that the private key only exists on the USB token that was sent to you and that the token must be attached to the computer that is being used to sign the application. This step should be skipped if you are using an OV code signing certificate.

Sign Executable

You can sign an executable by issuing the following command in the PowerShell window. If using eSigner cloud signing with signtool.exe, be sure to install eSigner CKA first.

.\signtool.exe sign /fd sha256 /a "C:\path\to\MyExecutable.exe"
  • The /fd option selects the digest algorithm to be used when signing. Windows 10 SDK, HLK, WDK, and ADK builds 20236 and above require this option to be set when signing. SHA256 is recommended over SHA1 for security.
  • The /a option instructs SignTool to automatically find an appropriate code signing certificate for your executable.
  • If you are using an EV code signing certificate you will be prompted for your USB token’s PIN. If you need help finding your PIN, please refer to this how-to.
Note: If you are signing code files that will be included in an installer (such as a Windows MSI file), you will need to sign these files before building the installer, then sign the installer file itself.

Selecting a Signing Certificate

Specify Subject Name

If you have more than one code signing USB token or certificate installed, you can specify the certificate you want to use by including its Subject Name via the /n option.

You can find your EV CS certificate’s Subject Name using Microsoft’s certificate management tool certmgr. Open the tool from the Start menu and look for your EV CS certificate in the “Personal” folder, under “Certificates”, as shown in the image below. The Subject Name is the “Issued To” field in certmgr.

In the above image the certificate’s Subject Name is example. You can specify this value in SignTool with the following command.

.\signtool.exe sign /fd sha256 /n "example" "C:\path\to\MyExecutable.exe"

Specify SHA1 Hash

If you have multiple certificates with the same Subject Name, you can also use the SHA1 hash (or “thumbprint”) of a certificate to select it for signing. Replace THUMBPRINT in the command below with the actual SHA1 hash of your certificate. You can find this value by viewing the certificate details in certmgr and looking for the Thumbprint field (be sure to remove any space characters from the thumbprint before using it in your command).

.\signtool.exe sign /fd sha256 /sha1 THUMBPRINT "C:\path\to\MyExecutable.exe"

Use a PKCS#12/PFX File

If you have a code signing certificate and private key in a PKCS#12 file (also known as a PFX or P12 file), you can specify the file and its password on the command line:

.\signtool.exe sign /fd sha256 /f "C:\path\to\MyCertificate.pfx" /p password "C:\path\to\MyExecutable.exe"

Timestamping

Timestamping your code will allow it to be trusted after your code signing certificate expires. If you want to add a timestamp in the signed binary file, you can do so using SignTool’s /tr option, which should be followed by setting the timestamp digest algorithm with /td. The command in the snippet below includes a timestamp from SSL.com’s timestamp service while signing an executable.

.\signtool.exe sign /fd sha256 /tr http://ts.ssl.com /td sha256 /a "C:\path\to\MyExecutable.exe"
Note: Be sure to use SignTool’s /tr option (specify URL of RFC 3161 time stamp server), not /t (URL of time stamp server), which is incompatible with SSL.com’s timestamp server.
Note: The /td option must follow the /tr option. If the time stamp digest algorithm is specified before the time stamp server, the default SHA-1 algorithm will be used. Windows 10 SDK, HLK, WDK, and ADK builds 20236 and above require use of /tr when timestamping. SHA256 is recommended over SHA1 for security.
Note: By default, SSL.com’s timestamp service issues timestamps signed with ECDSA keys.

If you encounter this error: The timestamp certificate does not meet a minimum public key length requirement, you should contact your software vendor to permit timestamps from ECDSA keys.

If there is no way for your software vendor to allow for the normal endpoint to be used, you can use this legacy endpoint http://ts.ssl.com/legacy to get a timestamp from an RSA Timestamping Unit.

Other Options

Other important SignTool options are:

  • /d: Add a description of the signed code. For example, /d "test code".
  • /du: Add a URL with an expanded description of the signed code. For example, /du https://your_website.tld/project/description.

Using all of the above options (but omitting /a, /sha1, or /f because we are specifying the certificate’s Subject Name with /n), our command line looks like:

signtool.exe sign /n "example" /fd sha256 /tr http://ts.ssl.com /td sha256 /d "test code" /du https://your_website.tld/project/description "C:\path\to\MyExecutable.exe"

Verify Signature

Use this command to verify your signed code (note that the /pa option must be present in the command):

.\signtool.exe verify /pa "C:\path\to\MyExecutable.exe"

If your file has been signed successfully, you should see output like this:

File: C:\path\to\MyExecutable.exe
Index  Algorithm  Timestamp
========================================
0      sha256     RFC3161

Successfully verified: C:\path\to\MyExecutable.exe

You can also verify that a file has been signed by right-clicking its icon and selecting Properties from the menu, then selecting the Digital Signatures tab. View details about a signature by selecting it and clicking the Details button.
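The following PowerShell script ties the steps above together (locating signtool.exe, selecting the certificate by thumbprint rather than a hand-typed value, signing with an RFC 3161 timestamp in the required /tr-then-/td order, and verifying with /pa). It is an added example, not code from SSL.com or SSL Manager; it assumes the SDK lives under the default Windows Kits path, that the certificate is visible in the CurrentUser\My store, and that $SubjectName and $FilePath are placeholders you replace.

```powershell
# Added example (not from the SSL.com guide): sign and verify with SignTool.
param(
    [string]$SubjectName = "example",                     # placeholder subject name
    [string]$FilePath    = "C:\path\to\MyExecutable.exe"  # placeholder file to sign
)

# Pick the x64 signtool.exe from the newest installed SDK build under the path the guide gives.
$signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
    Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $signtool) { throw "signtool.exe not found; install the Windows 10 SDK." }

# Resolve the thumbprint from the certificate store (no spaces, nothing typed by hand).
# Keep only unexpired certificates that carry the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3).
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.Subject -like "CN=$SubjectName*" -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.3" })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired code signing certificate with subject '$SubjectName' in CurrentUser\My." }

# Sign: /sha1 selects the certificate; /tr must come before /td, otherwise the
# timestamp digest silently falls back to SHA-1 (see the note in the Timestamping section).
& $signtool sign /fd sha256 /sha1 $cert.Thumbprint /tr http://ts.ssl.com /td sha256 /d "test code" $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the Default Authenticode policy (/pa), as in the guide's verify step.
& $signtool verify /pa $FilePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
```

For files that will be packaged into an installer, run the sign step once per component before the build and once more on the finished installer.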

Digital Signatures

Here we can see that the file contains a valid digital signature, created by SSL Corp on June 28, 2020.

Digital Signature Details

Signing an Executable with SSL Manager

If you prefer a more graphics-based approach you can use SSL.com’s in-house software, SSL Manager, to sign your files. Many customers prefer to use SSL Manager because it offers the additional benefit of having easy access to all your certificates in one unified interface. For instructions on downloading and installing SSL Manager, please refer to our installation guide.

To sign an executable, start by selecting Code Signing > Sign & Timestamp Code Package from SSL Manager’s menu.

Sign & Timestamp Code Package

In the code signing form, you may select the executable and the code signing certificate (either from a file or a certificate store) and one of the available timestamp servers. When you are done, click the Sign button to sign your code. If you are loading a certificate from a PFX file, you will have to enter the file’s password. If you are using an EV code signing certificate, you will be prompted for your USB token’s PIN.

Besides code signing, SSL Manager offers many powerful features. For more details, please refer to SSL Manager’s documentation, especially the Code Signing menu.

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.
