How do I create a self-signed certificate for code signing on Windows

Question

How do I create a self-signed certificate for code signing using tools from the Windows SDK

User · Accepted Answer

Updated Answer

If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate.

If you're using an older version such as Windows 7, you'll need to stick with MakeCert or another solution. Some people suggest the Public Key Infrastructure Powershell (PSPKI) Module.

Original Answer

While you can create a self-signed code-signing certificate (SPC - Software Publisher Certificate) in one go, I prefer to do the following:

Creating a self-signed certificate authority (CA)

makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser ^
         -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer

(^ = allow batch command-line to wrap line)

This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA-256 algorithm. The key is meant for signing (-sky).

The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.

Importing the CA certificate

Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snapin, but from the command line:

certutil -user -addstore Root MyCA.cer

Creating a code-signing certificate (SPC)

makecert -pe -n "CN=My SPC" -a sha256 -cy end ^
         -sky signature ^
         -ic MyCA.cer -iv MyCA.pvk ^
         -sv MySPC.pvk MySPC.cer

It is pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).

We'll also want to convert the certificate and key into a PFX file:

pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx

If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.

Using the certificate for signing code

signtool sign /v /f MySPC.pfx ^
              /t http://timestamp.url MyExecutable.exe

(See why timestamps may matter)

If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snapin), you can sign code as follows:

signtool sign /v /n "Me" /s SPC ^
              /t http://timestamp.url MyExecutable.exe

Some possible timestamp URLs for signtool /t are:

http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.comodoca.com/authenticode

Full Microsoft documentation

Downloads

For those who are not .NET developers, you will need a copy of the Windows SDK and .NET framework. A current link is available here: SDK & .NET (which installs makecert in C:\Program Files\Microsoft SDKs\Windows\v7.1). Your mileage may vary.

MakeCert is available from the Visual Studio Command Prompt. Visual Studio 2015 does have it, and it can be launched from the Start Menu in Windows 7 under "Developer Command Prompt for VS 2015" or "VS2015 x64 Native Tools Command Prompt" (probably all of them in the same folder).

User · Answer

As stated in the answer  in order to use a non deprecated way to sign your own script  one should use New-SelfSignedCertificate    Generate the key      New-SelfSignedCertificate -DnsName email yourdomain com -Type CodeSigning -CertStoreLocation cert  CurrentUser My    Export the certificate without the private key      Export-Certificate -Cert  Get-ChildItem Cert  CurrentUser My -CodeSigningCert  0  -FilePath code signing crt   The  0  will make this work for cases when you have more than one certificate    Obviously make the index match the certificate you want to use    or use a way to filtrate  by thumprint or issuer     Import it as Trusted Publisher     Import-Certificate -FilePath   code signing crt -Cert Cert  CurrentUser TrustedPublisher    Import it as a Root certificate authority      Import-Certificate -FilePath   code signing crt -Cert Cert  CurrentUser Root    Sign the script  assuming here it s named script ps1  fix the path accordingly       Set-AuthenticodeSignature   script ps1 -Certificate  Get-ChildItem Cert  CurrentUser My -CodeSigningCert    Obviously once you have setup the key  you can simply sign any other scripts with it  You can get more detailed information and some troubleshooting help in this article

User · Answer

It s fairly easy using the New-SelfSignedCertificate command in Powershell  Open powershell and run these 3 commands      1  Create certificate        cert   New-SelfSignedCertificate -DnsName www yourwebsite com   -Type CodeSigning -CertStoreLocation Cert  CurrentUser My      2  set the password for it     CertPassword   ConvertTo-SecureString   -String  my passowrd  -Force    AsPlainText      3  Export it      Export-PfxCertificate -Cert  cert  CurrentUser My    cert Thumbprint     -FilePath  d  selfsigncert pfx  -Password  CertPassword   Your certificate selfsigncert pfx will be located   D      Optional step  You would also require to add certificate password to system environment variables  do so by entering below in cmd  setx CSC KEY PASSWORD  my password

User · Answer

As of PowerShell 4 0  Windows 8 1 Server 2012 R2  it is possible to make a certificate in Windows without makecert exe  The commands you need are New-SelfSignedCertificate and Export-PfxCertificate  Instructions are in Creating Self Signed Certificates with PowerShell

User · Answer

As of PowerShell 4 0  Windows 8 1 Server 2012 R2  it is possible to make a certificate in Windows without makecert exe  The commands you need are New-SelfSignedCertificate and Export-PfxCertificate  Instructions are in Creating Self Signed Certificates with PowerShell

User · Answer

It s fairly easy using the New-SelfSignedCertificate command in Powershell  Open powershell and run these 3 commands      1  Create certificate        cert   New-SelfSignedCertificate -DnsName www yourwebsite com   -Type CodeSigning -CertStoreLocation Cert  CurrentUser My      2  set the password for it     CertPassword   ConvertTo-SecureString   -String  my passowrd  -Force    AsPlainText      3  Export it      Export-PfxCertificate -Cert  cert  CurrentUser My    cert Thumbprint     -FilePath  d  selfsigncert pfx  -Password  CertPassword   Your certificate selfsigncert pfx will be located   D      Optional step  You would also require to add certificate password to system environment variables  do so by entering below in cmd  setx CSC KEY PASSWORD  my password

User · Answer

Roger s answer was very helpful   I had a little trouble using it  though  and kept getting the red  Windows can t verify the publisher of this driver software  error dialog  The key was to install the test root certificate with  certutil -addstore Root Demo CA cer   which Roger s answer didn t quite cover   Here is a batch file that worked for me  with my  inf file  not included   It shows how to do it all from start to finish  with no GUI tools at all  except for a few password prompts    REM Demo of signing a printer driver with a self-signed test certificate  REM Run as administrator  else devcon won t be able to try installing the driver  REM Use a single  x  as the password for all certificates for simplicity   PATH  PATH   c  Program Files Microsoft SDKs Windows v7 1 Bin   c  Program Files Microsoft SDKs Windows v7 0 Bin  c  WinDDK 7600 16385 1 bin selfsign c  WinDDK 7600 16385 1 Tools devcon amd64  makecert -r -pe -n  CN Demo CA  -ss CA -sr CurrentUser      -a sha256 -cy authority -sky signature      -sv Demo CA pvk Demo CA cer  makecert -pe -n  CN Demo SPC  -a sha256 -cy end      -sky signature      -ic Demo CA cer -iv Demo CA pvk      -sv Demo SPC pvk Demo SPC cer  pvk2pfx -pvk Demo SPC pvk -spc Demo SPC cer      -pfx Demo SPC pfx      -po x  inf2cat  drv driver  os XP X86 Vista X64 Vista X86 7 X64 7 X86  v  signtool sign  d  description   du  www yoyodyne com        f Demo SPC pfx       p x       v driver demoprinter cat  certutil -addstore Root Demo CA cer  rem Needs administrator  If this command works  the driver is properly signed  devcon install driver demoprinter inf LPTENUM Yoyodyne IndustriesDemoPrinter F84F  rem Now uninstall the test driver and certificate  devcon remove driver demoprinter inf LPTENUM Yoyodyne IndustriesDemoPrinter F84F  certutil -delstore Root Demo CA

User · Answer

Roger s answer was very helpful   I had a little trouble using it  though  and kept getting the red  Windows can t verify the publisher of this driver software  error dialog  The key was to install the test root certificate with  certutil -addstore Root Demo CA cer   which Roger s answer didn t quite cover   Here is a batch file that worked for me  with my  inf file  not included   It shows how to do it all from start to finish  with no GUI tools at all  except for a few password prompts    REM Demo of signing a printer driver with a self-signed test certificate  REM Run as administrator  else devcon won t be able to try installing the driver  REM Use a single  x  as the password for all certificates for simplicity   PATH  PATH   c  Program Files Microsoft SDKs Windows v7 1 Bin   c  Program Files Microsoft SDKs Windows v7 0 Bin  c  WinDDK 7600 16385 1 bin selfsign c  WinDDK 7600 16385 1 Tools devcon amd64  makecert -r -pe -n  CN Demo CA  -ss CA -sr CurrentUser      -a sha256 -cy authority -sky signature      -sv Demo CA pvk Demo CA cer  makecert -pe -n  CN Demo SPC  -a sha256 -cy end      -sky signature      -ic Demo CA cer -iv Demo CA pvk      -sv Demo SPC pvk Demo SPC cer  pvk2pfx -pvk Demo SPC pvk -spc Demo SPC cer      -pfx Demo SPC pfx      -po x  inf2cat  drv driver  os XP X86 Vista X64 Vista X86 7 X64 7 X86  v  signtool sign  d  description   du  www yoyodyne com        f Demo SPC pfx       p x       v driver demoprinter cat  certutil -addstore Root Demo CA cer  rem Needs administrator  If this command works  the driver is properly signed  devcon install driver demoprinter inf LPTENUM Yoyodyne IndustriesDemoPrinter F84F  rem Now uninstall the test driver and certificate  devcon remove driver demoprinter inf LPTENUM Yoyodyne IndustriesDemoPrinter F84F  certutil -delstore Root Demo CA

User · Answer

As stated in the answer  in order to use a non deprecated way to sign your own script  one should use New-SelfSignedCertificate    Generate the key      New-SelfSignedCertificate -DnsName email yourdomain com -Type CodeSigning -CertStoreLocation cert  CurrentUser My    Export the certificate without the private key      Export-Certificate -Cert  Get-ChildItem Cert  CurrentUser My -CodeSigningCert  0  -FilePath code signing crt   The  0  will make this work for cases when you have more than one certificate    Obviously make the index match the certificate you want to use    or use a way to filtrate  by thumprint or issuer     Import it as Trusted Publisher     Import-Certificate -FilePath   code signing crt -Cert Cert  CurrentUser TrustedPublisher    Import it as a Root certificate authority      Import-Certificate -FilePath   code signing crt -Cert Cert  CurrentUser Root    Sign the script  assuming here it s named script ps1  fix the path accordingly       Set-AuthenticodeSignature   script ps1 -Certificate  Get-ChildItem Cert  CurrentUser My -CodeSigningCert    Obviously once you have setup the key  you can simply sign any other scripts with it  You can get more detailed information and some troubleshooting help in this article

[security] How do I create a self-signed certificate for code signing on Windows?

Updated Answer

Original Answer

Creating a self-signed certificate authority (CA)

Importing the CA certificate

Creating a code-signing certificate (SPC)

Using the certificate for signing code

Full Microsoft documentation

Downloads

Examples related to security

Examples related to code-signing