Signing .exe with .cer file (what is my certificate's name that signtool.exe is asking for?)

PolGraphic picture PolGraphic · Nov 9, 2013 · Viewed 16.4k times · Source

I have bought a certificate for my program.

The website from which I bought it, sent me an .cer file (43-some-really-long-name-9962812767788.cer). No additional files were sent, but I'm almost 100% sure that I don't need anything more.

When I click on that .cer file, there are information like:

  • for: (my data)
  • by: Certum Code Signing CA
  • expires: 2014-10-24

All that info seems to be fine.

I have my .exe file, that I want to sign with it (so when e.g. user will run it as administrator on Windows, he will be able to see the certificate info).

I found that I can use signtool.exe for it, but it always returns an error that no certificate that meets all criteria was found.

So, how to sign my program (add .cer to my .exe) using only .cer file (and all files that I can generate from that .cer file)?

I have no experience in certificates, .cer and all certificates terminology, so please take that into account while answering (I'm a simple man... ;)


So far I have installed (I think I did it in right way) .cer at the Trusted Root Certification Authorities store on your computer account, according to MSDN blog:

  1. Start->Run ->MMC
  2. File -> Add/ Remove Sanp in…
  3. From the “Add or Remove Snap-ins” window select “Certificates” and click at “Add >”. Select “Computer Account” and then click at “Next”.
  4. Select “Local Computer” and click at “Finish”.
  5. Open “Trusted Root Certification Authorities” store at the left pane and click at “Certificates”, shown in Figure 7. Then right click at the right window pane and select “All Task -> Import”.
  6. Import the above .cer file that you created and install it.

I indeed see my cer at the MMC now: enter image description here

Still, I don't know how to use signtool.exe in proper way. The command:

Signtool sign /v 
/t http://timestamp.verisign.com/scripts/timstamp.dll 
/n CER_NAME_HERE FileToSign.exe

Fails, because I don't know what is the "CER_NAME_HERE" for my certificate.

Answer

MoonStom picture MoonStom · Apr 25, 2016

Keeping the certificate in the certificate store is the right approach. The idea of using the .pfx file directly simply invite for the key to be stolen. I'm certain that the same people who provided this sort of answer also keep the password that protects the private key exposed in some batch file for convenience. Regardless, I urge everyone to use the cert stores, that's why they were created in the first place.

You just need to import the .pfx with the private key into the Personal store. Mark the private key as non-exportable for added security. Then you can call the signtool.exe with the /n switch and the value of the Issued To field. The password is no longer required. If you used a machine scope rather than a user scope, you'll have to include the /sm switch as well.

signtool.exe sign /a /n "<Issued_To>" /t "<TimeStamp_Server>" <File_Name>