Problem Signing with SafeNet EV Certificate

I had an interesting case that I want to share in the event anyone else experiences this problem.  In this case a Symantec certificate stored on a SafeNet USB dongle was being used to sign a Windows Store app in Visual Studio.  The signing was failing.  Visual Studio reported: “SignTool Error:  An unexpected internal error has occurred”.  These guidelines were followed and everything seemed in order:

During packaging, Visual Studio validates the specified certificate in the following ways:

· Verifies the presence of the Basic Constraints extension and its value, which must be either Subject Type=End Entity or unspecified.

· Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.

· Verifies the value of the KeyUsage (KU) property, which must be either Unset or DigitalSignature.

· Verifies that a private key exists.

· Verifies whether the certificate is active, hasn’t expired, and hasn't been revoked.
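To rule out the certificate itself before looking at the token, the checks listed above can be reproduced from PowerShell. This is an added example, not Visual Studio's own validation code and not part of the original post; the function name `Test-AppxSigningCert` is hypothetical, and the usage line assumes the token's certificate is visible in the `CurrentUser\My` store.

```powershell
# Added example: mirrors the packaging checks listed above (not Visual Studio's code).
function Test-AppxSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $codeSigning     = '1.3.6.1.5.5.7.3.3'        # Code Signing EKU
    $lifetimeSigning = '1.3.6.1.4.1.311.10.3.13'  # Lifetime Signing EKU
    $kuFlags  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $problems = New-Object System.Collections.Generic.List[string]

    # Basic Constraints (2.5.29.19): unspecified, or Subject Type = End Entity
    $bc = $Cert.Extensions['2.5.29.19']
    if ($bc -and $bc.CertificateAuthority) { $problems.Add('Basic Constraints: subject is a CA') }

    # Enhanced Key Usage (2.5.29.37): Code Signing required, Lifetime Signing allowed, nothing else
    $eku  = $Cert.Extensions['2.5.29.37']
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains $codeSigning) { $problems.Add('EKU: Code Signing is missing') }
    foreach ($oid in $oids) {
        if ($oid -ne $codeSigning -and $oid -ne $lifetimeSigning) { $problems.Add("EKU: prohibited usage $oid") }
    }

    # Key Usage (2.5.29.15): unset or DigitalSignature only
    $ku = $Cert.Extensions['2.5.29.15']
    if ($ku -and $ku.KeyUsages -ne $kuFlags::None -and $ku.KeyUsages -ne $kuFlags::DigitalSignature) {
        $problems.Add("Key Usage: $($ku.KeyUsages)")
    }

    # Private key must be reachable (for a token, the device must be plugged in)
    if (-not $Cert.HasPrivateKey) { $problems.Add('No private key associated with the certificate') }

    # Validity window, then chain build with online revocation checking
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems.Add('Outside validity period') }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        foreach ($s in $chain.ChainStatus) { $problems.Add("Chain: $($s.Status)") }
    }

    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage: check every code-signing certificate in the current user's store
Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | ForEach-Object { Test-AppxSigningCert $_ }
```

A clean result here only excludes the certificate properties as the cause; in the case described in this post those checks were in order and the failure came from the token.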


I used Process Monitor (Procmon) to determine the command line that was being used, then issued the same command with the command-line SignTool.exe and saw that it returned: "Error: SignerSign() failed." (-1073741275/0xc0000225)

SafeNet had the solution for this problem.  Using the SafeNet Client Authentication tools it was found that there were ‘Orphan Objects’ on the device.  Removing these resulted in being able to use this device to sign the application successfully!


Let me know if this helps you out!

Comments (4)

  1. BRAIN FORCE App Center says:

    Nice job putting this issue online.

    For those looking for the correct SignTool command to sign using the EV certificate on SafeNet token (thanks to Jeff)

    "C:\Program Files (x86)\Windows Kits\8.0\bin\x86\signtool.exe" sign /fd sha256 /sha1 XXXXXXXXXTHUMBPRINTXXXXXXXXXXX /v /debug "C:\Users\Developer\Documents\visual studio 2012\Projects\App3\AppPackages\App3_1.0.0.1_AnyCPU_Debug_Test\App3_1.0.0.1_AnyCPU_Debug.appx"

  2. This might be an issue with the way SafeNet gets registered.  See this StackOverflow answer:…/using-ev-certificate-with-clickonce.

    Quoting from that answer:

    "I had the exact same problem a few days ago and the Digicert after-sales service has been able to solve it. Try to check the value of this register key (in regedit):

    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Cryptography/Providers/SafeNEt Smart Card Key Storage Provider/Aliases

    The value should be "eToken Base Cryptographic Provider" and not "eToken Base Cryctographic Provider" ('p' instead of 'c')."

  3. Csaba Kerekes says:

    I can also confirm that the solution found by Michael worked for me too.

  4. Eric Liu says:

    This works for me, thank you!
