How do I create a self-signed certificate for code signing using tools from the Windows SDK?
- Check this answer: https://stackoverflow.com/q/53771022/623913 – Cartucho Jun 17 '20 at 16:53
7 Answers
Updated Answer
If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1 then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate.
If you're using an older version such as Windows 7, you'll need to stick with MakeCert or another solution. Some people suggest the Public Key Infrastructure Powershell (PSPKI) Module.
Original Answer
While you can create a self-signed code-signing certificate (SPC - Software Publisher Certificate) in one go, I prefer to do the following:
Creating a self-signed certificate authority (CA)
makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser ^
-a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer
(^ = allow batch command-line to wrap line)
This creates a self-signed (-r) certificate, with an exportable private key (-pe). It's named "My CA", and should be put in the CA store for the current user. We're using the SHA-256 algorithm. The key is meant for signing (-sky).
The private key should be stored in the MyCA.pvk file, and the certificate in the MyCA.cer file.
Importing the CA certificate
Because there's no point in having a CA certificate if you don't trust it, you'll need to import it into the Windows certificate store. You can use the Certificates MMC snapin, but from the command line:
certutil -user -addstore Root MyCA.cer
Creating a code-signing certificate (SPC)
makecert -pe -n "CN=My SPC" -a sha256 -cy end ^
-sky signature ^
-ic MyCA.cer -iv MyCA.pvk ^
-sv MySPC.pvk MySPC.cer
It is pretty much the same as above, but we're providing an issuer key and certificate (the -ic and -iv switches).
We'll also want to convert the certificate and key into a PFX file:
pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx
If you are using a password please use the below
pvk2pfx -pvk MySPC.pvk -spc MySPC.cer -pfx MySPC.pfx -po fess
If you want to protect the PFX file, add the -po switch, otherwise PVK2PFX creates a PFX file with no passphrase.
Using the certificate for signing code
signtool sign /v /f MySPC.pfx ^
/t http://timestamp.url MyExecutable.exe
(See why timestamps may matter)
If you import the PFX file into the certificate store (you can use PVKIMPRT or the MMC snapin), you can sign code as follows:
signtool sign /v /n "Me" /s SPC ^
/t http://timestamp.url MyExecutable.exe
Some possible timestamp URLs for signtool /t are:
http://timestamp.verisign.com/scripts/timstamp.dll
http://timestamp.globalsign.com/scripts/timstamp.dll
http://timestamp.comodoca.com/authenticode
http://timestamp.digicert.com
Full Microsoft documentation
Downloads
For those who are not .NET developers, you will need a copy of the Windows SDK and .NET framework. A current link is available here: SDK & .NET (which installs makecert in `C:\Program Files\Microsoft SDKs\Windows\v7.1`). Your mileage may vary.
MakeCert is available from the Visual Studio Command Prompt. Visual Studio 2015 does have it, and it can be launched from the Start Menu in Windows 7 under "Developer Command Prompt for VS 2015" or "VS2015 x64 Native Tools Command Prompt" (probably all of them in the same folder).
- Is there any way to populate the certificate's email address field using this method? Right click exe > properties > digital signatures shows email as "not available" after signing. – cronoklee May 17 '12 at 10:52
- If you get "too many parameters" errors, then check you didn't edit out one of the hyphens accidentally. Failing that, retype the hyphens; don't copy-paste. – fiat Aug 14 '12 at 00:08
- @cronoklee To populate the email field of the certificate, simply add `E=your@email`. Eg: `makecert -pe -n "CN=My SPC,E=email@domain" ........` – Rob W Feb 02 '13 at 11:41
- Don't you need the Extended Key Usage flag `-eku 1.3.6.1.5.5.7.3.3` so the cert can be used for code signing? (I know PowerShell fails to sign scripts if it is missing it.) – Scott Chamberlain Feb 20 '13 at 23:02
- Yes. `Set-AuthenticodeSignature` is much more picky about which certificates it will accept. It also *requires* separate CA and SPC certificates. – Roger Lipscombe Feb 21 '13 at 12:24
- @Scott and Roger: Either of you know why Set-AuthenticodeSignature won't work with a self-signed (or issuer-signed, for that matter) certificate with 'All applications' and 'All purposes' in Certificate MMC? – Mike Cheel Jul 13 '13 at 05:24
- @MikeCheel As to "why", only Microsoft can say. You may be better off asking on their forums for an answer. – Scott Chamberlain Jul 13 '13 at 05:26
- It's not necessary to get the Windows SDK to get these files. They are quite small and self-contained, so they can be downloaded individually. – Niels Brinch Aug 01 '13 at 22:25
- I noticed you commented that your example is good for "test/internal purposes"; is this method acceptable for distribution? (Allowing enough people to click "run anyway" so Windows can learn to trust your certificate?) – Adam Phelps Mar 10 '14 at 07:58
- @AdamPhelps, Windows won't "learn" to trust your certificate. Your users need to install the CA certificate in the Root store. This is, generally speaking, a bad idea (because root CA certificates can be used for nefarious purposes). It _can_ make sense in an enterprise scenario, though. – Roger Lipscombe Mar 10 '14 at 08:11
- @RogerLipscombe Thanks for the help. I read [this bit](http://blogs.msdn.com/b/ie/archive/2011/03/22/smartscreen-174-application-reputation-building-reputation.aspx) from Microsoft about SmartScreen and code signing. I understood it to apply to self-signed code as well. So to clarify, this is only for Authenticode CAs? – Adam Phelps Mar 10 '14 at 09:30
- I think there's a typo, and that you may have switched the /n and /s flags in the last example. The first line should probably read: `signtool sign /v /s Me /n SPC /d http://www.me.me ^`, right? – Oskar Lindberg Oct 29 '14 at 17:35
- @OskarLindberg I guess that it's correct and not switched. The /n is used for the subject name and the /s is used for the store name, according to the documentation. – Bernardo Ramos Jul 24 '16 at 06:17
- It's in the answer: "MakeCert is available from the Visual Studio Command Prompt" – Roger Lipscombe Nov 28 '16 at 18:54
- I tried this method to avoid my .exe being recognized as "This file might be dangerous" by antivirus software, but it didn't help. Should I use a paid CA provider instead? Any experience with this? – Basj Jul 29 '17 at 14:02
- Hi @RogerLipscombe, I used this process to sign an XLL. All seems to be fine for the certificates, but Excel still won't accept the Add-In. I wrote a description here: https://stackoverflow.com/questions/47547387/self-signed-code-signing-certificate-for-excel-add-in. Would you mind taking a look and seeing if you could spot something wrong? I'd be very grateful! – MarkNS Nov 29 '17 at 07:41
- Looks like the [Windows 8 version](https://learn.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=winserver2012-ps) of New-SelfSignedCertificate does not allow a `-Type` parameter. I cannot generate a code signing certificate with this :/ – Cardinal System Jan 25 '19 at 00:23
- I tried on Windows 10. All commands still work except for the signing using the pfx. I got `SignTool Error: No certificates were found that met all the given criteria.` – jaques-sam Feb 27 '20 at 09:05
- I'm having big problems with the new and recommended `New-SelfSignedCertificate` with which I'm trying to clone an existing expired certificate using `-CloneCert`. It is documented to use the same key algorithm as the original certificate; instead it resets the algorithm to rsa1 from rsa256. – GSerg Nov 30 '20 at 16:16
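The two-tier flow in the answer above (test CA, then an SPC issued by it, then PFX, sign, verify) redone with the non-deprecated cmdlets, as an added example that is not part of the original answer. It also covers the points raised in the comments: the code-signing EKU `1.3.6.1.5.5.7.3.3` that Set-AuthenticodeSignature insists on, and separate CA and SPC certificates. The subject names, scratch folder and password prompt are assumptions; `-Signer` needs the PKI module from Windows 10 / Server 2016 or later (the Windows 8.1 cmdlet lacks it, as a comment above notes).

```powershell
# Added example, not the answer's own commands. Requires New-SelfSignedCertificate
# with the -Signer parameter (Windows 10 / Server 2016 or later).
$ErrorActionPreference = 'Stop'
$workDir = Join-Path $env:TEMP 'selfsigned-demo'   # assumption: scratch folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Self-signed test CA (equivalent of makecert -r -cy authority -sky signature).
#    Basic constraints (2.5.29.19) mark it as a CA; CertSign lets it issue certificates.
$ca = New-SelfSignedCertificate `
    -Subject 'CN=My Test CA' `
    -Type Custom `
    -KeyExportPolicy Exportable `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={text}CA=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. End-entity code-signing certificate issued by that CA. -Signer replaces
#    makecert -ic/-iv; the EKU extension (2.5.29.37) carries the code-signing OID.
$spc = New-SelfSignedCertificate `
    -Subject 'CN=My Test SPC' `
    -Type Custom `
    -Signer $ca `
    -KeyExportPolicy Exportable `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.3') `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Export the SPC with its private key to a password-protected PFX (pvk2pfx -po).
#    A PFX without a password can be used by anyone who copies the file.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfxPath = Join-Path $workDir 'MySPC.pfx'
Export-PfxCertificate -Cert $spc -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 4. Trust the CA for the current user only (certutil -user -addstore Root).
#    Only the public certificate leaves the store; the CA private key stays put.
$caCerPath = Join-Path $workDir 'MyCA.cer'
Export-Certificate -Cert $ca -FilePath $caCerPath | Out-Null
Import-Certificate -FilePath $caCerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# 5. Sign a test script and timestamp it, so the signature stays valid after the
#    certificate expires (the role of /t in the signtool examples above).
$scriptPath = Join-Path $workDir 'hello.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "signed test script"'
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $spc `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com' | Out-Null

# 6. Check the result the way a user's machine will: Valid means the chain reaches
#    a trusted root; UnknownError usually means the CA was never imported into Root.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"{0}: {1} (signer {2})" -f $scriptPath, $check.Status, $check.SignerCertificate.Subject
```

Keeping the CA's private key in the user store rather than in a PFX mirrors the makecert steps above, where only MyCA.cer is handed out; the step 4 import is what turns the status in step 6 from UnknownError into Valid, and it is the step users of the signed code would have to repeat, which is why a comment above calls distributing a private root a bad idea outside an enterprise.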
As stated in the answer, in order to use a non-deprecated way to sign your own script, one should use New-SelfSignedCertificate.
- Generate the key:
New-SelfSignedCertificate -DnsName email@yourdomain.com -Type CodeSigning -CertStoreLocation cert:\CurrentUser\My
- Export the certificate without the private key:
Export-Certificate -Cert (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0] -FilePath code_signing.crt
The [0] will make this work for cases when you have more than one certificate... Obviously make the index match the certificate you want to use... or use a way to filter (by thumbprint or issuer).
- Import it as Trusted Publisher
Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\TrustedPublisher
- Import it as a Root certificate authority.
Import-Certificate -FilePath .\code_signing.crt -Cert Cert:\CurrentUser\Root
- Sign the script (assuming here it's named script.ps1, fix the path accordingly).
Set-AuthenticodeSignature .\script.ps1 -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)
Obviously, once you have set up the key, you can simply sign any other scripts with it.
You can get more detailed information and some troubleshooting help in this article.
- Brilliant except for `script.ps1`, which comes out of nowhere even though it must be self-evident to everyone but me. Darn thing. I get the error `File script.ps1 was not found` and that's that. – Dec 04 '19 at 04:49
- @Lara thanks for the feedback; I have added some contextual info to make it easier even when trying on low caffeine ;-) – chaami Dec 05 '19 at 13:27
- @chaami, the quick reply is much appreciated. Though, for some reason, all I see now is empty gray rectangles. All the code is gone from the 'code' blocks. Just the gray background is shown. – Dec 06 '19 at 19:53
- @Lara thanks for signalling; I hadn't paid close attention while editing. It seems StackOverflow is now more picky about the syntax of the blocks and now requires a new line before the beginning of the code. – chaami Dec 07 '19 at 23:33
- I was able to use this answer to sign a .exe that was compiled from Python code, and Windows SIGNTOOL shows verified, but when I share it other users still get a Windows Defender pop-up. Any ideas? – Tyger Guzman May 12 '20 at 17:31
- @Tyger, have you tried giving the other users the .crt and asking them to add it as trusted publisher as explained in step 3? – chaami May 25 '20 at 13:12
- The last command should also have a proper index: **Set-AuthenticodeSignature ... -Certificate (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[1]** – Spongebob Comrade Apr 30 '22 at 00:56
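The answer and its last comment rely on a positional index (`[0]`, `[1]`) to pick the certificate, which silently selects the wrong one as soon as a second code-signing certificate appears in the store. The following is an added example, not part of the answer, that selects the certificate by thumbprint or subject, refuses to proceed if the match is ambiguous, and reports whether the Root and TrustedPublisher copies created in the import steps are actually present (the usual reason a signed script still prompts on another machine). The function names and the sample subject `CN=email@yourdomain.com` (what `-DnsName email@yourdomain.com` above produces) are assumptions.

```powershell
# Added example, not the answer's own code.
function Get-CodeSigningCert {
    # Returns exactly one usable code-signing certificate from CurrentUser\My,
    # or throws, instead of trusting a positional index.
    param(
        [string]$Thumbprint,   # preferred: unambiguous
        [string]$Subject       # fallback, e.g. 'CN=email@yourdomain.com'
    )
    $candidates = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    if ($Thumbprint) { $candidates = $candidates | Where-Object Thumbprint -eq $Thumbprint }
    if ($Subject)    { $candidates = $candidates | Where-Object Subject -eq $Subject }
    $candidates = @($candidates)
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one matching code-signing certificate, found $($candidates.Count)"
    }
    return $candidates[0]
}

function Test-CertTrustStores {
    # Reports whether the certificate's public half is in the stores that make
    # Get-AuthenticodeSignature return Valid (Root) and stop PowerShell prompting
    # under the AllSigned policy (TrustedPublisher). The Cert: provider resolves
    # a certificate path by thumbprint, so Test-Path is enough.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($store in 'Root', 'TrustedPublisher') {
        $present = Test-Path "Cert:\CurrentUser\$store\$($Cert.Thumbprint)"
        "{0,-17} {1}" -f "$store`:", $(if ($present) { 'present' } else { 'MISSING' })
    }
}

# Usage: assumed subject from the steps above; replace with your own, or pass -Thumbprint.
$cert = Get-CodeSigningCert -Subject 'CN=email@yourdomain.com'
Test-CertTrustStores -Cert $cert
$result = Set-AuthenticodeSignature -FilePath .\script.ps1 -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
"{0}: {1}" -f $result.Path, $result.Status
```

A thumbprint is the only selector that cannot collide; subjects can repeat when a certificate is renewed, which is exactly when the index-based one-liner starts signing with the expired copy.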
It's fairly easy using the New-SelfSignedCertificate command in PowerShell.
Open powershell and run these 3 commands.
Create certificate:
$cert = New-SelfSignedCertificate -DnsName www.yourwebsite.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My
Set the password for it:
$CertPassword = ConvertTo-SecureString -String "my_password" -Force -AsPlainText
Export it:
Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath "d:\selfsigncert.pfx" -Password $CertPassword
Your certificate selfsigncert.pfx will be located at D:\
Optional step: you may also need to add the certificate password to the system environment variables. Do so by entering the following in cmd:
setx CSC_KEY_PASSWORD "my_password"
- JerryGoyal do you know how to convert a self-signed certificate into a CA Root Trusted Certificate? – Mr Heelis Nov 29 '17 at 09:59
- There was a typo in the last script. It should be `Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath "d:\selfsigncert.pfx" -Password $CertPassword` – Arvind Sedha May 17 '22 at 07:28
Roger's answer was very helpful.
I had a little trouble using it, though, and kept getting the red "Windows can't verify the publisher of this driver software" error dialog. The key was to install the test root certificate with
certutil -addstore Root Demo_CA.cer
which Roger's answer didn't quite cover.
Here is a batch file that worked for me (with my .inf file, not included). It shows how to do it all from start to finish, with no GUI tools at all (except for a few password prompts).
REM Demo of signing a printer driver with a self-signed test certificate.
REM Run as administrator (else devcon won't be able to try installing the driver)
REM Use a single 'x' as the password for all certificates for simplicity.
PATH %PATH%;"c:\Program Files\Microsoft SDKs\Windows\v7.1\Bin";"c:\Program Files\Microsoft SDKs\Windows\v7.0\Bin";c:\WinDDK\7600.16385.1\bin\selfsign;c:\WinDDK\7600.16385.1\Tools\devcon\amd64
makecert -r -pe -n "CN=Demo_CA" -ss CA -sr CurrentUser ^
-a sha256 -cy authority -sky signature ^
-sv Demo_CA.pvk Demo_CA.cer
makecert -pe -n "CN=Demo_SPC" -a sha256 -cy end ^
-sky signature ^
-ic Demo_CA.cer -iv Demo_CA.pvk ^
-sv Demo_SPC.pvk Demo_SPC.cer
pvk2pfx -pvk Demo_SPC.pvk -spc Demo_SPC.cer ^
-pfx Demo_SPC.pfx ^
-po x
inf2cat /drv:driver /os:XP_X86,Vista_X64,Vista_X86,7_X64,7_X86 /v
signtool sign /d "description" /du "www.yoyodyne.com" ^
/f Demo_SPC.pfx ^
/p x ^
/v driver\demoprinter.cat
certutil -addstore Root Demo_CA.cer
rem Needs administrator. If this command works, the driver is properly signed.
devcon install driver\demoprinter.inf LPTENUM\Yoyodyne_IndustriesDemoPrinter_F84F
rem Now uninstall the test driver and certificate.
devcon remove driver\demoprinter.inf LPTENUM\Yoyodyne_IndustriesDemoPrinter_F84F
certutil -delstore Root Demo_CA
- If you want to use this for signing drivers, you need to import the CA certificate into the machine store. My example imports it into the user store, which is fine for most software, for test/internal purposes. – Roger Lipscombe Oct 05 '13 at 08:25
As of PowerShell 4.0 (Windows 8.1/Server 2012 R2) it is possible to make a certificate in Windows without makecert.exe.
The commands you need are New-SelfSignedCertificate and Export-PfxCertificate.
Instructions are in Creating Self Signed Certificates with PowerShell.
- It's worth mentioning that, even if you install the WMF update to get PowerShell 4.0 on Windows 7, you won't have access to this command. It seems to be Win8 or Server 2012 or later. – Daniel Yankowsky Apr 19 '16 at 21:48
You can generate one in Visual Studio 2019, in the project properties. In the Driver Signing section, the Test Certificate field has a drop-down. Generating a test certificate is one of the options. The certificate will be in a file with the 'cer' extension typically in the same output directory as your executable or driver.
This post will only answer the "how to sign an EXE file if you have the certificate" part:
To sign the exe file, I used MS "signtool.exe". For this you will need to download the bloated MS Windows SDK, which is a whopping 1 GB. FORTUNATELY, you don't have to install it. Just open the ISO and extract "Windows SDK Signing Tools-x86_en-us.msi". It is a mere 400 KB.
Then I built this tiny script file:
prompt $
echo off
cls
copy "my.exe" "my.bak.exe"
"c:\Program Files (x86)\Windows Kits\10\bin\10.0.22000.0\x64\signtool.exe" sign /fd SHA256 /f MyCertificate.pfx /p MyPassword My.exe
pause
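The batch file above hard-codes one SDK build number in the signtool path, so it breaks on the next SDK update, and it signs without a timestamp, so the signature expires with the certificate. As an added example (not the answer's script), this PowerShell wrapper finds the newest x64 signtool.exe under the Windows Kits folder, signs with a SHA-256 file digest and an RFC 3161 timestamp, and then runs `signtool verify` so a bad chain is caught before the file ships. The file and PFX names are the ones in the answer; the function names and the timestamp URL (one of the servers listed in the first answer) are assumptions.

```powershell
# Added example, not the answer's own script.
function Find-SignTool {
    # Newest x64 signtool.exe under the Windows 10/11 SDK bin folder, if any.
    $kits = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    $tool = Get-ChildItem -Path $kits -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DirectoryName -like '*\x64' -and
            $_.Directory.Parent.Name -match '^\d+(\.\d+)+$'   # versioned folder only
        } |
        Sort-Object { [version]$_.Directory.Parent.Name } -Descending |
        Select-Object -First 1
    if (-not $tool) { throw "signtool.exe not found under $kits" }
    return $tool.FullName
}

function Invoke-SignAndVerify {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [string]$TimestampUrl = 'http://timestamp.digicert.com'
    )
    $signtool = Find-SignTool
    # Keep an unsigned copy, as the batch file above does.
    Copy-Item -Path $File -Destination "$File.bak" -Force
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    # /fd: digest used for the file hash; /tr + /td: RFC 3161 timestamp server and
    # its digest. (/t, used in the first answer, is the older Authenticode protocol.)
    & $signtool sign /fd SHA256 /f $PfxPath /p $plain /tr $TimestampUrl /td SHA256 $File
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
    # /pa: default Authenticode policy, which accepts a test CA imported into Root.
    # Without it signtool applies the kernel-mode driver policy and rejects it.
    & $signtool verify /pa /v $File
    return ($LASTEXITCODE -eq 0)
}

# Usage
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Invoke-SignAndVerify -File .\My.exe -PfxPath .\MyCertificate.pfx -PfxPassword $pw
```

Prompting for the PFX password instead of writing it into the script, as the batch file does with `/p MyPassword`, keeps the signing secret out of the file that tends to get committed alongside the code.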