
Sign with Signtool (.pfx file or .pvk and .spc files)

To sign a Microsoft .CAB, .EXE or .DLL component, follow the instructions below.

Converting pvk/spc files to a PKCS#12 (.pfx) file

If you have pvk or spc format files, first convert them to PFX with the pvk2pfx.exe command from the Windows SDK, like this:
pvk2pfx -pvk yourfile.pvk -pi password -spc your.spc -pfx yourfile.pfx -f

Signing with Signtool

Then sign with signtool and your .pfx file:

C:\Program Files\Microsoft Platform SDK\Bin> signtool.exe sign /f yourFile.pfx /p password /v /tr http://timestamp.digicert.com?alg=sha256 /td SHA256 /fd SHA256 "FILE_TO_SIGN" 
sign is the signing command. The /f and /p arguments specify the PFX file and its password respectively.

The /v argument enables verbose output.

The /fd argument selects the file digest algorithm, i.e. the hash of the file that gets signed. SHA1 is the default.

/as appends a signature to a file that is already signed and selects it as the default.

The /tr argument gives the URL of an RFC 3161 timestamp server and /td the hash algorithm that server must use. The server shown is DigiCert's.

For GlobalSign certificates, you can use the following server: http://timestamp.globalsign.com/?signature=sha2

Check a signature

To check a signature:

C:\Program Files\Microsoft Platform SDK\Bin> signtool.exe verify /v /a c:\signfiles\the_file_to_be_signed

Signtool wizard mode

You can also use the signtool wizard (only with signtool v6.0 and earlier versions). To do so, launch signtool with:
C:\Program Files\Microsoft Platform SDK\Bin> signtool signwizard
See Microsoft's official documentation.

Double executable signing

It is also possible to sign your binaries with both SHA1 and SHA2 to guarantee maximum compatibility. However, this only works for binaries (.exe), not for .msi installers. To do so, run the following two commands:

signtool sign /t http://timestamp.digicert.com?alg=sha1 /f "c:\path\to\your\file.pfx" /p password "c:\PATH_TO_EXECUTABLE.exe"

signtool sign /as /tr http://timestamp.digicert.com?alg=sha256 /td sha256 /fd sha256 /f "c:\path\to\your\file.pfx" /p password "c:\PATH_TO_EXECUTABLE.exe"

The first command signs the file with SHA1, the second with SHA2; /as on the second command appends the SHA2 signature instead of replacing the SHA1 one. The SHA2 signature is set as default. The timestamp server for the SHA1 signature uses Microsoft's (Authenticode) format. The example is valid for DigiCert certificates.

For GlobalSign certificates, you can use the following servers:
Microsoft format: http://timestamp.globalsign.com/scripts/timstamp.dll
RFC 3161: http://timestamp.globalsign.com/?signature=sha2
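The dual-signing procedure above, wrapped in a PowerShell script that stops at the first failing step and verifies every signature afterwards. This is an added example, not TBS Certificates' or Microsoft's own script; it assumes signtool.exe from the Windows SDK is on the PATH, that the PFX path and password you pass in are your own, and it uses the DigiCert timestamp URLs quoted above.

```powershell
# Added example: dual-sign (SHA-1 + SHA-256) an .exe with signtool, then verify.
# Assumptions: signtool.exe is on PATH; $PfxPath/$PfxPassword are placeholders
# you supply; timestamp URLs are the DigiCert ones given on the page.
param(
    [Parameter(Mandatory)] [string] $File,         # e.g. C:\build\app.exe
    [Parameter(Mandatory)] [string] $PfxPath,      # your code-signing PFX
    [Parameter(Mandatory)] [string] $PfxPassword
)

$ErrorActionPreference = 'Stop'
$sha1Ts   = 'http://timestamp.digicert.com?alg=sha1'    # Authenticode (Microsoft) format, used with /t
$sha256Ts = 'http://timestamp.digicert.com?alg=sha256'  # RFC 3161 server, used with /tr

function Invoke-Signtool {
    param([string[]] $SignArgs)
    & signtool.exe @SignArgs              # array splatting: one element per argument
    if ($LASTEXITCODE -ne 0) {            # 0 = success, 1 = error, 2 = warnings
        throw "signtool $($SignArgs[0]) failed with exit code $LASTEXITCODE"
    }
}

# 1. Primary SHA-1 signature for legacy Windows; /fd is omitted so the
#    file digest defaults to SHA-1, timestamped in Microsoft format (/t).
Invoke-Signtool @('sign', '/f', $PfxPath, '/p', $PfxPassword,
                  '/t', $sha1Ts, '/v', $File)

# 2. Append (/as) a SHA-256 signature with an RFC 3161 timestamp (/tr, /td).
#    Without /as this second call would replace the SHA-1 signature.
Invoke-Signtool @('sign', '/as', '/f', $PfxPath, '/p', $PfxPassword,
                  '/fd', 'sha256', '/tr', $sha256Ts, '/td', 'sha256', '/v', $File)

# 3. Verify every signature in the file (/all) against the default
#    Authenticode policy (/pa) rather than the kernel driver policy.
Invoke-Signtool @('verify', '/pa', '/all', '/v', $File)

# 4. Windows' own view of the primary signature, useful in a build log.
Get-AuthenticodeSignature -FilePath $File |
    Select-Object Status, StatusMessage,
        @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Run it as `.\Sign-Dual.ps1 -File C:\build\app.exe -PfxPath C:\keys\codesign.pfx -PfxPassword '...'` (file name and paths are placeholders); a non-zero signtool exit code aborts the script before the next step.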

Import a PVK and an SPC into the Windows certificate store

  • Microsoft documentation to convert a PVK and SPC (Windows XP) into a PFX and import it into your Windows keystore: Installing SPC Information in the Personal Certificate Store (-po sets the password of the resulting PFX file)
     Pvk2Pfx -pvk mypvkfile.pvk -pi mypvkpassword -spc myspcfile.spc -pfx mypfxfile.pfx -po 
  • Import the PFX file into the Windows certificate store.
