I have bought a certificate for my program.
The website from which I bought it sent me a .cer file (43-some-really-long-name-9962812767788.cer). No additional files were sent, but I'm almost 100% sure that I don't need anything more.
When I click on that .cer file, there is information like:
All that info seems to be fine.
I have my .exe file that I want to sign with it (so that when, e.g., a user runs it as administrator on Windows, he will be able to see the certificate info).
I found that I can use signtool.exe for it, but it always returns an error that no certificate that meets all criteria was found.
So, how do I sign my program (add .cer to my .exe) using only the .cer file (and all files that I can generate from that .cer file)?
I have no experience in certificates, .cer and all certificate terminology, so please take that into account while answering (I'm a simple man... ;)
So far I have installed (I think I did it in the right way) the .cer in the Trusted Root Certification Authorities store on your computer account, according to the MSDN blog:
I indeed see my cer in the MMC now:
Still, I don't know how to use signtool.exe in the proper way. The command:
Signtool sign /v /t http://timestamp.verisign.com/scripts/timstamp.dll /n CER_NAME_HERE FileToSign.exe
fails, because I don't know what the "CER_NAME_HERE" is for my certificate.
From your sample, you're not actually specifying the certificate file.
Firstly, you need to create a pfx file containing the certificate and any signing CA certificates, which you then pass with the /f option:
signtool.exe sign /f "blah.pfx" /t http://timestamp.comodoca.com/authenticode "filetosign.exe"
The /n option is only used to select a specific certificate from the certificate store.
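The following PowerShell is an added example, not code from the answer's author: it checks whether the private key belonging to the .cer is present in a personal certificate store, builds the pfx from that entry, then signs and verifies the file. The file name `mycert.cer`, signtool.exe being on PATH, and the certificate request having been generated on this machine with an exportable key are assumptions.

```powershell
# Added example. Paths and file names below are placeholders (assumptions).
$cerPath = '.\mycert.cer'        # the .cer file received from the CA
$exePath = '.\FileToSign.exe'
$pfxPath = '.\blah.pfx'

# 1. A .cer holds only the public certificate. Load it to read the
#    thumbprint and subject; there is no private key inside this file.
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $cerPath).Path)
"Subject    : $($cer.Subject)"
"Thumbprint : $($cer.Thumbprint)"

# 2. signtool needs the matching private key. It is created together with
#    the certificate request and lives in a Personal ("My") store, not in
#    Trusted Root. Installing the .cer into Trusted Root does not add a key.
$match = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $cer.Thumbprint -and $_.HasPrivateKey } |
    Select-Object -First 1

if (-not $match) {
    throw ("No copy of this certificate with a private key was found in " +
           "CurrentUser\My or LocalMachine\My. A .cer alone cannot sign; " +
           "the key is on the machine or token that made the request.")
}

# 3. Export certificate + private key + issuing chain into a
#    password-protected PFX. This fails if the key is marked non-exportable.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $match -FilePath $pfxPath -Password $pw `
    -ChainOption BuildChain | Out-Null

# 4. Sign with the PFX (/f, /p) and a timestamp, then verify the result
#    against the Authenticode policy (/pa).
#    Alternative that avoids a password on the command line: sign straight
#    from the store with  /sha1 $match.Thumbprint  instead of /f and /p.
$plain = [System.Net.NetworkCredential]::new('', $pw).Password
& signtool.exe sign /v /f $pfxPath /p $plain /fd SHA256 `
    /t http://timestamp.comodoca.com/authenticode $exePath
& signtool.exe verify /pa /v $exePath
```

If step 2 throws, that is the same condition behind signtool's "no certificate that meets all criteria" error: the store holds the certificate without its private key.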