Steps to sign a file using Signtool.exe

You may have a situation where you need to sign a file which may be an

a. .exe

b. .cab

c. .cat

d. .ocx

e. .dll

f. .stl

Using the CryptoAPI “signtool.exe”, the files can be digitally signed. Digitally signing a file essentially involves two steps.

1. Obtaining a code signing certificate that has an associated RSA private key for signing. The certificate could be issued to a user or computer or company or any other entity.

2. Running “signtool.exe” on the file and use that certificate for signing.

To test how this Works, we can use the MakeCert utility that comes in with the Windows SDK or the Platform SDK installer. Makecert utility generates X.509 certificates for testing purposes only. It creates a public and private key pair for digital signatures and stores it in a certificate file. For more information on Makecert see the MSDN link

Say we use the following command to create a certificate file.

makecert.exe -r -pe -ss MY -sky exchange -n CN=MyPrivateCert CodeSign.cer

The parameters are explained in Figure 1 below.


Figure 1: Meaning of parameters passed with makecert.exe

Once you créate the .cer file,you need to add it to the "Trusted Root Certification Authorities" store of Local Computer in MMC certificates snap-in for establishing the trust,if the code is verifying the certificate chain on the verification side. If the certificate is issued by a commercial CA such as VeriSign or Thawte, this step is not needed.

To install the certificate at the "Trusted Root Certification Authorities" store see the section below saying “How to install a certificate at the Trusted Root Certification Authorities store on your computer account"

To sign the file, say an EXE use the command

Signtool sign /v /s MY /n MyPrivateCert /t FileToSign.exe

If this succeeds then it will give as output

Number of files successfully Signed: 1

Number of warnings: 0

Number of errors: 0

The parameters are explained in Figure 2 below.


Figure 2: Meaning of parameters passed with Signtool.exe

If you import a code signing certificate to a PFX file, you can use the following command to sign a file.

Signtool sign /f <PFX file name> /p <Password> FileToSign.exe

where /p specifies the password to use when opening the PFX file.

How to get a code signing certificate from Microsoft Certificate Services

If you have a server operating system such as Windows Server 2008 or 2003 you can install IIS and Microsoft Certificate Services component.

To install Microsoft Certificate Services component go to Control Panel->Add or Remove Programs->Add/Remove Window Components and select “Certificate Services”.

Once “Certificate Services” are installed you can browse to the enrolment page as shown in Figure 3 on the server with the URL http://Win2kServer/certsrv, where “Win2kServer” is the machine name.


Figure 3: The Certificate Enrolment page on the server.

· Click on the "Request a certificate" link.

· Click on the "advanced certificate request" link.

· Click on "Create and submit a request to this CA".

· In Advanced Certificate Request fill out fields such as the "Name", Type of certificate needed which should be a “Code Signing certificate”.

· Select "Mark key as exportable" as shown in Figure 4 below.


Figure 4: The Advanced Certificate Request page.

Clicking on the “Submit >” button at the bottom of the “Advanced Certificate Request” page creates the certificate but you need to issue the certificate from the Certificate Authority snap-in from MMC as shown in Figure 5 below.


Figure 5: The Certificate Authority snap-in from MMC. You need to issue the certificate under pending request.

Once the certificate is issued you can again browse to the enrolment page on the server and click at “View the status of a pending certificate request”. Select the certificate and install the certificate.

Once installed you can view this certificate under the Personal store from the Certificate snap-in at MMC. You can also import the certificate to a PFX file with the private key and type and confirm a password.

How to install a certificate at the Trusted Root Certification Authorities store on your computer account

To add the certificate, go to Start->Run ->MMC <Enter>.

When the console window comes up, select File -> Add/ Remove Sanp in…

From the “Add or Remove Snap-ins” window select “Certificates” and click at “Add >”. Select “Computer Account” and then click at “Next”.

Select “Local Computer” and click at “Finish”.


Figure 6: MMC console showing how to add the “Certificates” snap-ins for the Local computer.

Open “Trusted Root Certification Authorities” store at the left pane and click at “Certificates”, shown in Figure 7. Then right click at the right window pane and select “All Task -> Import”.

Import the above CodeSign.cer file that you created and install it.


Figure 7: Certificate snap-in showing the “Trusted Root Certification Authorities -> Certificates” store.


Shamik Misra

Windows SDK

Comments (2)
  1. bob says:

    How do you remove a certificate with signtool.exe ?

  2. ViViD says:

    @bob If you want to remove a certificate from the signed file, you can't do it with sign tool. Use delcert.exe tool (

Comments are closed.

Skip to main content