JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Sign with Signtool (.pfx file or .pvk and .spc files)

To sign a Microsoft .CAB .EXE .DLL component, use the instructions here under.

Converting pvk/spc files to a PKCS#12 (.pfx) file

If you have pvk and spc files, first convert them to PFX format (using the pvk2pfx.exe command, available in the Windows SDK) like this:
pvk2pfx -pvk yourfile.pvk -pi password -spc your.spc -pfx yourfile.pfx -f

Generation of a certificate .pfx(PKCS#12)

You used Keybot to generate the private key and the CSR

Go to the status page of your certificate and click on the "Generate PFX/PEM" button. In the new window, enter your private key and the password chosen during the order process. Also choose a password to protect the PFX file and click "Confirm". You can find more information on this link: Generate your developer certificate with Keybot

You used the manual method to generate the CSR

You can use OpenSSL to generate a .pfx file. To do this, from the status page of your certificate, click on "View Certificate". In the new window, click on "View the certificate in P7B format" and then click on the download link provided.

Once you have your private key and the P7B file, you can generate a PFX file using OpenSSL. If you have a Linux distribution available, OpenSSL is usually already installed. If you are on a Windows platform, you can install OpenSSL using this page: Install OpenSSL on a Windows machine

Finally, to generate your pfx file, please use our documentation : Generate a PFX file with OpenSSL

Signing with Signtool

Then sign with signtool and your .pfx file:

C:\Program Files\Microsoft Platform SDK\Bin> signtool.exe sign /f yourFile.pfx /p password /v /tr http://timestamp.digicert.com?alg=sha256 /td SHA256 /fd SHA256 "FILE_TO_SIGN" 
sign is the signature instruction. The /f and /p arguments respectively allow specifying the pfx file and its password.

The /v arguments enables the verbose output.

The /fd argument allows you to choose the signing algorithm. SHA1 is the default.

/as allows adding a signature and select it as the default.

The /tr and /td arguments are respectively dedicated to the RFC 3161 and its hash algorithm. The provided server is DigiCert's.

For Globalsign certificates, you can use the following server: http://timestamp.globalsign.com/?signature=sha2 .

Use case: use with Visual Studio

On Microsoft Windows if you are using the Visual Studio development tool, you can use the following command line in the Post-Build event of your project:

C:\Program Files (x86)\Microsoft SDKs\Windows\<sdk version>\Bin\signtool.exe" sign /f yourfile.pfx /p password  /v /tr http://timestamp.digicert.com?alg=sha256 /td SHA256 /fd SHA256  $(TargetDir)$(TargetFileName)"

Check a signature

To check a signature:

C:\Program Files\Microsoft Platform SDK\Bin> signtool.exe verify /v /a c:\signfiles\the_file_to_be_signed

Signtool wizard mode

You can also use signtool with the wizard (only with signtool v6.0 or lower). To do this, start it with :
C:\Program Files\Microsoft Platform SDK\Bin> signtool signwizard
See Microsoft official documentation

Double executable signing

It is also possible to sign your binaries using SHA1 and SHA2 to guarantee a maximal compatibility. However it can only work for binaries (.exe) and not for .msi installers. To do so, simply execute the two following commands:

signtool sign /t http://timestamp.digicert.com?alg=sha1 /f "c:\path\to\your\file.pfx" /p password "c:\PATH_TO_EXECUTABLE.exe"


signtool sign /tr http://timestamp.digicert.com?alg=sha256 /td sha256 /fd sha256 /f "c:\path\to\your\file.pfx" /p password "c:\PATH_TO_EXECUTABLE.exe"
The first command is used to sign the file using SHA1, the second one, SHA2. The SHA2 signature is set as default. The timestamping server for the SHA1 signature is using Microsoft's format. The example is valid for DigiCert certificates.

For Globalsign certificates, you can use the following servers:
Microsoft format : http://timestamp.globalsign.com/scripts/timstamp.dll
RFC 3161 : http://timestamp.globalsign.com/?signature=sha2

Import a PVK and a SPC in Windows system

  • Microsoft documentation to convert a PVK and SPC (windows XP) into a PFX and import it into the certificate store of your windows system Installing SPC Information in the Personal Certificate Store
     Pvk2Pfx -pvk mypvkfile.pvk -pi mypvkpassword -spc myspcfile.spc -pfx mypfxfile.pfx -po 
  • Import the PFX file in the windows system.

External links