Windows code-signing in 5 minutes or less

Note: this is a quick reference, not a secure setup. It ends with a self-signed certificate in a Trusted Root store and an unencrypted private key on disk, so only follow it if you understand what that trusts and clean up afterwards.

Create the self-signed certificate #

Config #

Save this into ssl.cfg or similar.


[req]
distinguished_name = req_distinguished_name
req_extensions = default_req_extensions
# "openssl req -x509" takes the extensions for the self-signed certificate from
# x509_extensions, not req_extensions (which only applies to CSRs). Without this
# line the certificate has no code-signing EKU and signtool's default
# certificate selection will not pick it up.
x509_extensions = default_req_extensions

[req_distinguished_name]
# empty

[default_req_extensions]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
extendedKeyUsage = critical, codeSigning, msCodeInd, msCodeCom

Make the certificate and private key #

ssl.cfg refers to the file created above. Adjust the subject as necessary. rsa:2048 pins the key size instead of relying on whatever your OpenSSL build defaults to.

openssl req -x509 -newkey rsa:2048 -keyout testkey.pem -nodes -days 3650 -sha256 -config ssl.cfg -subj "//CN=Demo code-signing certificate" -out testcert.pem

You can get OpenSSL in either Git for Windows or Cmder. Both run OpenSSL under an MSYS shell, which rewrites arguments that start with a slash as Windows paths; the doubled slash in -subj "//CN=..." stops that and reaches OpenSSL as a single slash. In cmd.exe, PowerShell or on Linux use "/CN=..." instead.

-nodes writes the private key to testkey.pem unencrypted. After the trust-store steps below, anyone who can read that file can sign code your machine trusts, so protect or delete it when you are done.

Create a PFX and import it into your personal certificate store #

openssl pkcs12 -export -inkey testkey.pem -in testcert.pem -out testpfx.pfx -nodes -passout pass:

-passout pass: gives the PFX an empty password, so treat testpfx.pfx as carefully as testkey.pem. OpenSSL 3 encrypts PFX contents with AES-256-CBC and PBKDF2 by default, which older Windows versions cannot import; if the import wizard rejects the file, re-export with the -legacy flag, which falls back to the 3DES-based encoding those versions understand.

Open mmc.exe, add the Certificates snap-in and select My user account, then right-click on the Personal store, choose All Tasks and Import, and import testpfx.pfx (leave the password blank). Do not tick "Mark this key as exportable" unless you need to get the key back out of the store.

Import the certificate into the system’s trust store #

User-specific #

In the previously opened window, right-click on Trusted Root Certification Authorities and import the certificate (testcert.pem, not the PFX, which includes the private key). Windows asks you to confirm that you want to install a root certificate; take that prompt literally: from now on anything signed with testkey.pem is trusted by this user account, so keep the key private and remove the certificate from this store when you no longer need it.

Computer-specific #

Remove the user-specific certificates snap-in and add a Computer account certificates snap-in (this needs mmc.exe to be run as administrator), then import the certificate into Trusted Root Certification Authorities as outlined above. This trusts the certificate for every account and service on the machine, so prefer the user-specific store unless you actually need machine-wide trust.

Sign some code #

"C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\signtool.exe" sign mybinary.exe

signtool ships with Microsoft's Windows SDKs; the path above is from the Windows 7 SDK (v7.1), and newer SDKs install it under C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\signtool.exe. With no certificate options, signtool searches the current user's Personal store and uses the single code-signing certificate it finds there; if there is more than one, pass /a to let it choose or /n "Demo code-signing certificate" to select by subject name. Newer signtool versions also accept /fd SHA256, which replaces the SHA-1 file digest used by default, and /v for verbose output. Check the result with signtool verify /pa /v mybinary.exe; /pa selects the default Authenticode policy rather than the kernel-mode driver policy, which would reject this certificate regardless.
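The whole Windows side of the procedure, as an added example in PowerShell rather than the mmc.exe clicking above (this script is not part of the original post). It assumes testpfx.pfx and testcert.pem from the OpenSSL steps and a mybinary.exe to sign are in the current directory; the file names, the $Scope parameter and the use of PowerShell's own Set-AuthenticodeSignature in place of signtool are this example's choices. It also checks that the certificate really carries the Code Signing EKU before it touches any store, which catches a ssl.cfg that lacks the x509_extensions line.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not the original post's code. File names and $Scope are assumptions.
param(
    [string]$PfxPath  = ".\testpfx.pfx",
    [string]$CertPath = ".\testcert.pem",
    [string]$Binary   = ".\mybinary.exe",
    [ValidateSet("CurrentUser", "LocalMachine")]
    [string]$Scope    = "CurrentUser"      # LocalMachine needs an elevated prompt
)
$ErrorActionPreference = "Stop"

# Load the public certificate (PEM or DER both work) and refuse to continue unless it
# carries the Code Signing EKU, OID 1.3.6.1.5.5.7.3.3. A certificate built with only
# req_extensions in ssl.cfg has no EKU at all and fails here.
$pub = [X509Certificate2]::new((Resolve-Path $CertPath).Path)
$ekuOids = $pub.Extensions |
    Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value }
if ($ekuOids -notcontains "1.3.6.1.5.5.7.3.3") {
    throw "$CertPath has no Code Signing EKU (found: $($ekuOids -join ', ')); fix ssl.cfg and regenerate"
}
if ($pub.HasPrivateKey) { throw "refusing to put a private key into a Root store" }

# Personal (My) store gets certificate plus private key from the PFX. The empty
# password matches '-passout pass:' above; a machine-wide key must live in the
# machine key set or services cannot use it.
$keyFlags = if ($Scope -eq "LocalMachine") { "MachineKeySet,PersistKeySet" }
            else { "UserKeySet,PersistKeySet" }
$priv = [X509Certificate2]::new((Resolve-Path $PfxPath).Path, "", [X509KeyStorageFlags]$keyFlags)
if ($priv.Thumbprint -ne $pub.Thumbprint) { throw "PFX and PEM hold different certificates" }

$my = [X509Store]::new("My", [StoreLocation]$Scope)
$my.Open([OpenFlags]::ReadWrite); $my.Add($priv); $my.Close()

# Trusted Root gets the public certificate only. CurrentUser\Root still shows
# Windows' "install this CA?" confirmation; LocalMachine\Root needs administrator
# rights and trusts the key for every account and service on the machine.
$root = [X509Store]::new("Root", [StoreLocation]$Scope)
$root.Open([OpenFlags]::ReadWrite); $root.Add($pub); $root.Close()

# Sign with the built-in Authenticode cmdlet (same effect as the signtool call)
# and verify. SHA-256 avoids the SHA-1 file digest older signtool versions default to.
$signer = Get-ChildItem "Cert:\$Scope\My" -CodeSigningCert |
    Where-Object Thumbprint -eq $priv.Thumbprint
$sig = Set-AuthenticodeSignature -FilePath $Binary -Certificate $signer -HashAlgorithm SHA256
if ($sig.Status -ne "Valid") { throw "signing failed: $($sig.Status) $($sig.StatusMessage)" }
Get-AuthenticodeSignature -FilePath $Binary |
    Format-List Status, StatusMessage, @{ n = "Signer"; e = { $_.SignerCertificate.Subject } }
```

Run it as .\sign-demo.ps1 for the current user, or .\sign-demo.ps1 -Scope LocalMachine from an elevated prompt for machine-wide trust. Get-AuthenticodeSignature reports Valid only if the signature checks out and the signer chains to a trusted root, so a NotTrusted status afterwards means the Root import did not take (for example, the confirmation dialog was dismissed). Undo the trust later by deleting the certificate from Cert:\$Scope\Root with Remove-Item.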

