Manual code signing certificate request procedure

Executables signed with a reputable code signing certificate get better SmartScreen treatment. A valid signature proves that the executable has not been modified since it was signed, because producing one requires the private signing key.

To sign your code, you’ll need to generate a private key and public certificate. The public certificate will need to be signed by a certificate provider to validate your organization.

This process uses OpenSSL and Windows.

Generate the private key and certificate signing request using the following command.

openssl req -utf8 -nodes -newkey rsa:2048 -keyout NAME.key -out NAME.csr

Enter your details. Submit the .csr file to your certificate provider and order a code signing certificate. Organization Validation is the cheapest option, at around EUR 100 for a year’s validity. Go through the validation process.

When ready, you’ll get a collection link by e-mail. This downloads a file, which might be called CollectCCC or something else, depending on your provider. The file contains your public certificate, signed by the certificate provider. Rename the collected certificate to name.p7s.

Open the .p7s file in the Windows certificate manager. Right-click your certificate and export it in base64 format. Save it as name.cer.

Issue the following command to combine the signed name.cer certificate with your private key name.key.

openssl pkcs12 -export -out NAME.pfx -inkey NAME.key -in NAME.cer

This creates a name.pfx file, which you can install directly on the computer where you want to sign your executables.

To sign an executable, run signtool as follows, setting the timestamp provider appropriately. YOUR_CERTIFICATE_FINGERPRINT is the SHA-1 thumbprint of the installed certificate, as shown in the Windows certificate manager. Both .exe and .dll files can be signed.

"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\signtool.exe" sign /sha1 YOUR_CERTIFICATE_FINGERPRINT /t http://timestamp.comodoca.com/authenticode "helloworld.exe"

Right-click your executable and check Properties (Digital Signatures tab) to verify.
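For a scripted version of the last two steps, here is an added PowerShell script (not part of the original page) that looks up the fingerprint of the installed certificate, runs the signtool command above, and then verifies the signature with Get-AuthenticodeSignature instead of the manual Properties check. It assumes the name.pfx from this procedure has been installed into the current user’s Personal store and that signtool.exe is at the path used above; both can be overridden through the parameters.

```powershell
# Added example: sign an .exe or .dll with the installed code signing
# certificate and verify the result. Assumes the .pfx from the procedure
# was installed into Cert:\CurrentUser\My and signtool.exe is at the path below.
param(
    [Parameter(Mandatory)] [string] $Path,   # .exe or .dll to sign
    [string] $TimestampUrl = 'http://timestamp.comodoca.com/authenticode',
    [string] $SignTool = 'C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin\signtool.exe'
)

if (-not (Test-Path $SignTool)) { throw "signtool.exe not found at $SignTool" }

# -CodeSigningCert keeps only certificates with the Code Signing usage and a
# private key; pick the unexpired one with the latest expiry.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No unexpired code signing certificate in Cert:\CurrentUser\My' }
Write-Host "Signing with $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# /sha1 selects the certificate by its SHA-1 thumbprint; /t adds a timestamp so
# the signature remains valid after the certificate itself expires.
& $SignTool sign /sha1 $cert.Thumbprint /t $TimestampUrl $Path
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# Verify: the signature must chain to a trusted root (Status Valid) and the
# signer must be the certificate we just used, not some other one.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw 'File is signed by a different certificate than the one selected'
}
Write-Host "OK: $Path is signed by $($sig.SignerCertificate.Subject)"
```

Run it as `.\sign-and-verify.ps1 -Path .\helloworld.exe`; a Status other than Valid (for example UnknownError for an untrusted chain, or HashMismatch for a modified file) is reported instead of silently accepted.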