My goal is to sign an unsigned executable file on Windows using a certificate. From my general knowledge I know that I need a public and a private key pair for a digital signature. I have also installed the Windows SDK, which provides signtool.exe and makecert.exe.
I have already obtained a certificate online, comprising a CER, a PEM, and a CRT file.
My question now is how I have to use these tools and the certificate files in order to sign an executable. According to here, the CRT file is the private key. From what I've learned so far, the CER and the PEM file are basically the same but with different encodings. What are they for? Are they the public key? And how do I sign my executable?
EDIT: I've tried installing the CRT file to a certificate store and then signing using that certificate:
"C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe" sign /debug /fd SHA256 /a /n "<Issued_To>" /t http://timestamp.comodoca.com/authenticode <Filename>
Here <Issued_To> was replaced with the data from the certificate and <Filename> is the name of the file I wanted to sign. The output I get from signtool is the following:
The following certificates were considered:
...
Issued to: ...
Issued by: Certum Code Signing CA SHA2
Expires: Thu Oct 12 14:37:04 2017
SHA1 hash: BA081A67D3F2DDDC9268121DCBA04F43D6CD37FB
...
After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Subject Name filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.
This solved my question: http://www.anse.de/programming/code-signing-for-open-source-executable
I exported the certificate as a PK2 file using Firefox. Then I installed this certificate in the "Personal" certificate store on Windows. Afterwards I could use the aforementioned command to sign my executable:
signtool sign /fd SHA256 /a /n "<Issued_To>" /t http://timestamp.comodoca.com/authenticode <Filename>
Here <Issued_To> matches the value in the certificate and <Filename> is the name of the file to be signed. Afterwards the executable file is signed.
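The failure in the question ("After Private Key filter, 0 certs were left") is the store entry having no private key: a .cer/.crt/.pem export carries only the public certificate, while the PKCS#12 (.pfx/.p12) export also carries the private key. The following PowerShell script is an added example, not code from the original post or from the linked page. It imports a PFX into the Personal store, checks that the private key is actually present before calling signtool, signs by certificate thumbprint instead of by subject name, and verifies the result. The signtool path is the one from the question; the .pfx and .exe paths are placeholders, and the timestamp URL is the one the question uses.

```powershell
# Added example (not from the original post): import a PKCS#12 (.pfx/.p12) file
# that bundles the certificate WITH its private key, confirm the private key is
# present in the Personal store, then sign with signtool.exe and verify.
# Assumptions: the .pfx and .exe paths are placeholders; the signtool path and
# the timestamp URL are the ones used in the question.

param(
    [string]$SignTool  = "C:\Program Files (x86)\Windows Kits\8.1\bin\x64\signtool.exe",
    [string]$PfxPath   = "C:\path\to\codesign.pfx",   # placeholder
    [string]$ExePath   = "C:\path\to\MyApp.exe",      # placeholder
    [string]$Timestamp = "http://timestamp.comodoca.com/authenticode"
)

$ErrorActionPreference = "Stop"

# 1. Import the PFX into the current user's Personal ("My") store. A .cer/.crt/.pem
#    file carries only the public certificate; only the PFX also carries the
#    private key, which is what signtool's "Private Key filter" looks for.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation Cert:\CurrentUser\My `
                              -Password $pfxPassword

# 2. Sanity check before calling signtool: the store entry must have a usable
#    private key, otherwise signtool reports "After Private Key filter, 0 certs were left."
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# 3. Sign by thumbprint (/sha1) rather than by subject name (/n): the thumbprint
#    is unambiguous even when several certificates share the same "Issued To" name.
#    /fd SHA256 selects the file digest; /t adds an Authenticode timestamp so the
#    signature remains valid after the signing certificate itself expires.
& $SignTool sign /fd SHA256 /sha1 $cert.Thumbprint /t $Timestamp /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify two ways: signtool's chain validation under the default Authenticode
#    policy (/pa), and PowerShell's own Get-AuthenticodeSignature.
& $SignTool verify /pa /v $ExePath
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne "Valid") {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
"Signed $ExePath with $($sig.SignerCertificate.Subject) (thumbprint $($sig.SignerCertificate.Thumbprint))"
```

Selecting the certificate with /sha1 and the thumbprint removes the ambiguity of /a and /n: if the store holds an expired or key-less certificate with the same subject, signtool will not silently pick the wrong one, and the HasPrivateKey check turns the cryptic "0 certs were left" into a clear error before signing is attempted.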