#### Cart

English
X

Select Language

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

English
X

Select Language

We hope you will find the Google translation service helpful, but we don’t promise that Google’s translation will be accurate or complete. You should not rely on Google’s translation. English is the official language of our site.

# Using Your Code Signing Certificate

This how-to will walk you through using your SSL.com OV or EV code signing certificate with Microsoft's SignTool and SSL.com's SSL Manager.
These instructions assume that your OV code signing certificate has been installed, or that you have an EV certificate on a hardware token. Remember that for EV code signing certificates the private key only exists on the YubiKey FIPS USB token that was sent to you and that the token must be attached to the computer that is being used to sign the application.

EV code signing certificates should not be installed manually on your computer, which may cause configuration issues. Certificates shipped on YubiKeys from SSL.com can be used with no additional installation beyond connecting the token to your computer. Certificates ordered via remote attestation should be downloaded and installed on the device containing the private key (e.g. YubiKey FIPS or other supported hardware), not your computer’s certificate store.
For instructions on using your OV/IV or EV code signing certificate with Java, please refer to our Java Code Signing Guide.

## Signing an Executable with SignTool

### Install Windows SDK and SignTool

SignTool is included with Windows 10 SDK. After installation, SignTool will be located under:
C:\Program Files (x86)\Windows Kits\10\bin\<SDK VERSION>\x64\signtool.exe

### Start Powershell

Start a Powershell command window by searching for “Powershell” in the Start menu and clicking on the desktop application. Powershell is a command line interface to Windows’ core services. You can use it to execute SignTool and sign your code.

### For EV code signing, attach your USB token to your computer (if you haven’t done so already).

Remember that the private key only exists on the USB token that was sent to you and that the token must be attached to computer that is being used to sign the application. This step should be skipped if you are using an OV code signing certificate.

### Sign Executable

You can sign an executable by issuing the following command in the Powershell window. If you are using an EV code signing certificate you will be prompted for your USB token’s PIN.
.\signtool.exe sign /a "C:\path\to\MyExecutable.exe"
The /a option instructs SignTool to automatically find an appropriate code signing certificate for your executable.
Note: If you are using an EV code signing certificate you will be prompted for your USB token’s PIN. If you need help finding your PIN, please refer to this how-to.

If you have more than one code signing USB tokens or certificates installed, you can specify the certificate you want to use by including its Subject Name via the /n option. You can find your EV CS certificate’s Subject Name using Microsoft’s certificate management tool certmgr. Open the tool from the Start menu and look for your EV CS certificate in the “Personal” folder, under “Certificates”, as shown in the image below. The Subject Name is the “Issued To” field in certmgr. In the above image the certificate’s Subject Name is example. You can specify this value in SignTool with the following command.
.\signtool.exe sign /n "example" "C:\path\to\MyExecutable.exe"
If you want to add a timestamp in the signed binary file, you can do so using SignTool’s /tr option. The command in the snippet below includes a timestamp from SSL.com‘s timestamp service, while signing an executable.
.\signtool.exe sign /tr http://ts.ssl.com  /a "C:\path\to\MyExecutable.exe"
Note: Be sure to use SignTool’s /tr option (specify URL of RFC 3161 time stamp server), not /t (URL of time stamp server), which is incompatible with SSL.com’s timestamp server.
Other important SignTool options are:
• /fd:  Specify file digest algorithm (the default is SHA-1). To specify SHA-256, use /fd sha256.
• /td:  Specify time server digest algorithm (the default is SHA-1). To specify SHA-256, use /td sha256.
Note: The /td option must follow the /tr option. If the time stamp digest algorithm is specified before the time stamp server, the default SHA-1 algorithm will be used.
• /d: Add a description of the signed code. For example, /d "test code".
• /du: Add a URL with an expanded description of the signed code. For example, /du https://your_website.tld/project/description.
Using all of the above options (but omitting /a because we are specifying the certificate’s Subject Name with /n, our command line looks like:
signtool.exe sign /n "example" /fd sha256 /tr http://ts.ssl.com /td sha256 /d "test code" /du https://your_website.tld/project/description "C:\path\to\MyExecutable.exe"
SignTool includes other signing options, such as working directly with PFX files rather than installed certificates, and a variety of features besides code signing. If you are interested in the tool, please take a look at Microsoft’s official documentation.