Signing .exe with .cer file (what is my certificate's name that signtool.exe is asking for?)

windows certificate sign cer
PolGraphic picture PolGraphic · Nov 9, 2013 · Viewed 16.4k times · Source

I have bought a certificate for my program.

The website from which I bought it, sent me an .cer file (43-some-really-long-name-9962812767788.cer). No additional files were sent, but I'm almost 100% sure that I don't need anything more.

When I click on that .cer file, there are information like:

  • for: (my data)
  • by: Certum Code Signing CA
  • expires: 2014-10-24

All that info seems to be fine.

I have my .exe file, that I want to sign with it (so when e.g. user will run it as administrator on Windows, he will be able to see the certificate info).

I found that I can use signtool.exe for it, but it always returns an error that no certificate that meets all criteria was found.

So, how to sign my program (add .cer to my .exe) using only .cer file (and all files that I can generate from that .cer file)?

I have no experience in certificates, .cer and all certificates terminology, so please take that into account while answering (I'm a simple man... ;)

So far I have installed (I think I did it in right way) .cer at the Trusted Root Certification Authorities store on your computer account, according to MSDN blog:

  1. Start->Run ->MMC
  2. File -> Add/ Remove Sanp in…
  3. From the “Add or Remove Snap-ins” window select “Certificates” and click at “Add >”. Select “Computer Account” and then click at “Next”.
  4. Select “Local Computer” and click at “Finish”.
  5. Open “Trusted Root Certification Authorities” store at the left pane and click at “Certificates”, shown in Figure 7. Then right click at the right window pane and select “All Task -> Import”.
  6. Import the above .cer file that you created and install it.

I indeed see my cer at the MMC now: enter image description here

Still, I don't know how to use signtool.exe in proper way. The command:

Signtool sign /v 
/t http://timestamp.verisign.com/scripts/timstamp.dll 
/n CER_NAME_HERE FileToSign.exe

Fails, because I don't know what is the "CER_NAME_HERE" for my certificate.

Answer

MoonStom picture MoonStom · Apr 25, 2016

Keeping the certificate in the certificate store is the right approach. The idea of using the .pfx file directly simply invite for the key to be stolen. I'm certain that the same people who provided this sort of answer also keep the password that protects the private key exposed in some batch file for convenience. Regardless, I urge everyone to use the cert stores, that's why they were created in the first place.

You just need to import the .pfx with the private key into the Personal store. Mark the private key as non-exportable for added security. Then you can call the signtool.exe with the /n switch and the value of the Issued To field. The password is no longer required. If you used a machine scope rather than a user scope, you'll have to include the /sm switch as well.

signtool.exe sign /a /n "<Issued_To>" /t "<TimeStamp_Server>" <File_Name>

Related questions

Signing a Windows EXE file

I have an EXE file that I should like to sign so that Windows will not warn the end user about an application from an "unknown publisher". I am not a Windows developer. The application in question is a screensaver …

Read More
Signing Windows application on Linux-based distros

I have prepared an application and website where the customer can set several options for this application before he downloads it. Settings are stored in binary format on the end of the file (appended), then the edited file is sent …

Read More
How to create .pfx file from certificate and private key?

I need .pfx file to install https on website on IIS. I have two separate files: certificate (.cer or pem) and private key (.crt) but IIS accepts only .pfx files. I obviously installed certificate and it is available in certificate …

Read More