Signing .exe with .cer file (what is my certificate's name that signtool.exe is asking for?)

Question

I have bought a certificate for my program.

The website from which I bought it, sent me an .cer file (43-some-really-long-name-9962812767788.cer). No additional files were sent, but I'm almost 100% sure that I don't need anything more.

When I click on that .cer file, there are information like:

• for: (my data)
• by: Certum Code Signing CA
• expires: 2014-10-24

All that info seems to be fine.

I have my .exe file, that I want to sign with it (so when e.g. user will run it as administrator on Windows, he will be able to see the certificate info).

I found that I can use signtool.exe for it, but it always returns an error that no certificate that meets all criteria was found.

So, how to sign my program (add .cer to my .exe) using only .cer file (and all files that I can generate from that .cer file)?

I have no experience in certificates, .cer and all certificates terminology, so please take that into account while answering (I'm a simple man... ;)

---

So far I have installed (I think I did it in right way) .cer at the Trusted Root Certification Authorities store on your computer account, according to MSDN blog:

1. Start->Run ->MMC
2. File -> Add/ Remove Sanp in…
3. From the “Add or Remove Snap-ins” window select “Certificates” and click at “Add >”. Select “Computer Account” and then click at “Next”.
4. Select “Local Computer” and click at “Finish”.
5. Open “Trusted Root Certification Authorities” store at the left pane and click at “Certificates”, shown in Figure 7. Then right click at the right window pane and select “All Task -> Import”.
6. Import the above .cer file that you created and install it.

I indeed see my cer at the MMC now:

Still, I don't know how to use signtool.exe in proper way. The command:

Signtool sign /v 
/t http://timestamp.verisign.com/scripts/timstamp.dll 
/n CER_NAME_HERE FileToSign.exe

Fails, because I don't know what is the "CER_NAME_HERE" for my certificate.

Answer 1

From your sample, you're not actually specifying the certificate file.

Firstly, you need to create a pfx file containing the certificate and any signing CA certificates, which you then pass with the /f option:

signtool.exe sign /f "blah.pfx" /t http://timestamp.comodoca.com/authenticode "filetosign.exe"

The /n option is only used to select a specific certificate from the certificate store.

Answer 2

Keeping the certificate in the certificate store is the right approach. The idea of using the .pfx file directly simply invite for the key to be stolen. I'm certain that the same people who provided this sort of answer also keep the password that protects the private key exposed in some batch file for convenience. Regardless, I urge everyone to use the cert stores, that's why they were created in the first place.

You just need to import the .pfx with the private key into the Personal store. Mark the private key as non-exportable for added security. Then you can call the signtool.exe with the /n switch and the value of the Issued To field. The password is no longer required. If you used a machine scope rather than a user scope, you'll have to include the /sm switch as well.

signtool.exe sign /a /n "<Issued_To>" /t "<TimeStamp_Server>" <File_Name>

Answer 3

Didn't see a clear concise answer, so I will add this.

For Certum, when you go to request your certificates, there is an install option. Use that to install on your computer. Then, you can go to your browser's certificate store, select the certificate from there, and then choose export. From there, you can select to export the private key which will be in pfx format.

Hope this helps somebody, ~techdude.

Answer 4

I had the same problem and fixed it by using p12 instead of pfx file type. I created the p12 file using Firefox Certificate Manager with Comodo's user.crt. The command line was:

signtool sign /f "C:\Test.p12" /p password1 /t http://timestamp.comodoca.com/authenticode /v "C:\Test.msi"