Using Certificates and Signtool

Obtain a Software Publisher Certificate

Your Certificate Authority will supply one of the following:

  1. a Personal Information Exchange (.pfx) file
  2. a Software Publisher Certificate (.spc), and a Private Key (.pvk) file
  3. a CER-encoded X.509 Certificate (.cer), and a Private Key (.pvk) file

For the second and third case, these file must be converted to a Personal Information Exchange (.pfx), using the Pvk2Pfx.exe tool.

Convert SPC or CER to Personal Information Exchange (.pfx)

Syntax for .spc conversion:

pvk2pfx -pvk filename.pvk -pi password -spc filename.spc -pfx output.pfx

The syntax is identical for .cer conversion:

pvk2pfx -pvk filename.pvk -pi password -spc filename.cer -pfx output.pfx

Sign the Executable

Signtool.exe can be used to sign executables (.exe) and Dynamic Link Libraries (.DLL).

Basic Signature

signtool.exe sign /v /f filename.pvk /p password executable

Signature With Timestamp

signtool.exe sign /v /f filename.pvk /p password /t timeurl executable

Where timeurl is the URL of your Certificate Authority’s timestamp server (e.g. for VeriSign)

Signature Verification

signtool verify /pa executable

/pa indicates that the “Default Authenticode” verification policy is used. Omitting the switch will cause the verification to fail, which does not necessarily mean that a given file isn’t Authenticode signed.


About Jeff Fitzsimons

Jeff Fitzsimons is a software engineer in the California Bay Area. Technical specialties include C++, Win32, and multithreading. Personal interests include rock climbing, cycling, motorcycles, and photography.
This entry was posted in Cryptography, Technology. Bookmark the permalink.

One Response to Using Certificates and Signtool

  1. Edwin says:

    I know it’s an old post, but it really helped me thank you.

    The post is clear & concise.. The help pages from the code-signing companies themselves had all the info, but are written in a way that had me chasing my tail all day.

Leave a Reply

Your email address will not be published. Required fields are marked *