Thursday, 19 March 2009

How to create a self-signed certificate and sign a .exe file

Here's an example how to create a new certificate, how to sign a file with the private key and finally, I show how to verify the signed file and why this fails.

First we start out by creating the certificate. This is done with the makecert.exe command-line tool. The following command creates a certificate named "RogTestCert" and adds it to certificate store called "RogCertStore". The -r option tells makecert to create a self-signed certificate. -pe marks the generated private key as exportable, which allows the private key to be included in the certificate.

>makecert.exe -r -pe -ss RogCertStore -n "CN=RogTestCert" RogTestCert.cer

You can now view the new certificate using the Certificate Manager.

To sign a file we use signtool.exe. We specify that we want to use the certificate named "RogTestCert" in the "RogCertStore" certificate store:

>signtool.exe sign /s RogCertStore /n RogTestCert myfile.exe
Successfully signed: myfile.exe

The file is now signed. If you right-click the file and choose Properties, you will notice that a new tab called "Digital signatures" has appeared.

Finally, we try to verify the myfile.exe's signature, which should result in an error, since RogTestCert is not a trusted root certificate:

>signtool.exe" verify myfile.exe
SignTool Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
SignTool Error: File not valid: myfile.exe

Number of errors: 1


  1. I am getting the failure that you describe. But how to fix it?

    I installed the certificate in Trusted Root Certification Authorities Certificate Store, and it still does not work.

    I did:
    certmgr.exe /add hello_world.cer /s /r localMachine root

  2. this is not a failure. a root certificate needs to be created. the entire trust chain cannot be verified using self signed certificates