Here's an example how to create a new certificate, how to sign a file with the private key and finally, I show how to verify the signed file and why this fails.
First we start out by creating the certificate. This is done with the makecert.exe command-line tool. The following command creates a certificate named "RogTestCert" and adds it to certificate store called "RogCertStore". The -r option tells makecert to create a self-signed certificate. -pe marks the generated private key as exportable, which allows the private key to be included in the certificate.
>makecert.exe -r -pe -ss RogCertStore -n "CN=RogTestCert" RogTestCert.cer
You can now view the new certificate using the Certificate Manager.
To sign a file we use signtool.exe. We specify that we want to use the certificate named "RogTestCert" in the "RogCertStore" certificate store:
>signtool.exe sign /s RogCertStore /n RogTestCert myfile.exe
Successfully signed: myfile.exe
The file is now signed. If you right-click the file and choose Properties, you will notice that a new tab called "Digital signatures" has appeared.
Finally, we try to verify the myfile.exe's signature, which should result in an error, since RogTestCert is not a trusted root certificate:
>signtool.exe" verify myfile.exe
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
SignTool Error: File not valid: myfile.exe
Number of errors: 1