Creating Self-signed Certificate

There are a lot of providers of code signing certificates out there, but they all share the same problem: they are not cheap. A certificate will cost you in the range of 400 € (that is per year). Why pay that money when we can make our own free self-signed certificate? Yes, Windows will not recognize it as trusted, but it can still be used for file integrity purposes.


In order for this to work, the prerequisite is having the Microsoft Windows SDK installed (here is the Windows Vista and Windows 7 link). All our work will be done in “C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin” (for Windows 7, or something similar for Vista).

First we need to create a certificate with a private key:

makecert.exe -pe -n "CN=Example;E=example@example.com" -sv example.pvk -a sha1 -r -eku 1.3.6.1.5.5.7.3.3 example.cer
Succeeded

A window will pop up and ask for a password. You can leave it empty; we can delete the private key after we finish. Notice that we are creating a code-signing-only certificate here (the code signing extended key usage, -eku 1.3.6.1.5.5.7.3.3). If you want a certificate for all purposes, just omit that argument. Notice that the CN and E parameters are the ones you would want to change.

Since with the certificate alone we cannot do anything, we need to jump through some hoops to get a .pfx (PKCS #12) file:

cert2spc.exe example.cer example.spc
Succeeded
pvk2pfx.exe -pvk example.pvk -spc example.spc -pfx example.pfx


The PFX file can be imported. Just double-click it to get to the Certificate Import wizard and keep clicking until it is done.

This whole game caused our certificate to get imported into the current user’s personal certificate store. We can now safely delete all intermediate files (four of them: .pvk, .cer, .spc, .pfx) since everything we need is in our user account. A smart idea would be to make a backup of example.pfx before deleting it (e.g. in case Windows needs a reinstall), or we can just export it from the certificate store at a later time.

Code signing itself is a lot easier. Just one command is needed:

signtool.exe sign /s "My" /n "Example" /v "test.exe"
The following certificate was selected:
Issued to: Example
Issued by: Example
Expires:   1.1.2040. 0:59:59
SHA1 hash: 740F9468A344BF7BB4DC338C2870BD73BB8797C3
Attempting to sign: test.exe
Successfully signed: test.exe
Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

Take care that this “Example” is the same one you used after CN= (a.k.a. the common name) in the first command.
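As an added example, not code from the original post: the same procedure done with PowerShell's PKI cmdlets (Windows 10 / PowerShell 5.1 or later) in place of makecert, cert2spc and pvk2pfx, followed by the verification step that is what makes a self-signed signature useful for integrity checking. It assumes test.exe exists in the current directory and may be copied and modified; the backup file name and the PFX password are placeholders.

```powershell
# Added example, not from the original post. Uses the PowerShell PKI cmdlets
# (Windows 10 / PowerShell 5.1 or later) instead of makecert/cert2spc/pvk2pfx.
# Assumptions: .\test.exe exists and may be copied and modified; the backup
# file name and the PFX password below are placeholders.

# 1. Create a self-signed, code-signing-only certificate directly in the current
#    user's personal store (Cert:\CurrentUser\My). -Type CodeSigningCert sets the
#    same extended key usage as makecert -eku 1.3.6.1.5.5.7.3.3.
$cert = New-SelfSignedCertificate `
    -Type CodeSigningCert `
    -Subject "CN=Example" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -NotAfter (Get-Date).AddYears(5)

# 2. Back up certificate plus private key as a PFX (PKCS #12), as the post
#    recommends before relying on the store alone. Password is a placeholder.
$pfxPassword = ConvertTo-SecureString -String "CHANGE-ME" -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath ".\example-backup.pfx" -Password $pfxPassword | Out-Null

# 3. Sign the executable. Passing the certificate object (selected by thumbprint)
#    avoids ambiguity if several certificates share the subject "Example".
Set-AuthenticodeSignature -FilePath ".\test.exe" -Certificate $cert -HashAlgorithm SHA256 | Out-Null

# 4. Verify. A self-signed certificate chains to an untrusted root, so Status will
#    not be "Valid" (expect UnknownError with an untrusted-root message). The
#    integrity checks that still hold are: the embedded hash matches the file
#    contents, and the signer is the certificate we created.
function Test-ExpectedSigner {
    param([string]$Path, [string]$Thumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status          # Valid / UnknownError / HashMismatch / NotSigned
        SignerMatch = ($sig.SignerCertificate.Thumbprint -eq $Thumbprint)
        HashIntact  = ($sig.Status -ne 'HashMismatch')
    }
}

Test-ExpectedSigner -Path ".\test.exe" -Thumbprint $cert.Thumbprint

# 5. Show what the signature buys you: flip one bit in the middle of a copy of
#    the signed file and re-check. The content no longer matches the signed hash,
#    so Status becomes HashMismatch and HashIntact is $false.
Copy-Item ".\test.exe" ".\test-tampered.exe" -Force
$bytes = [System.IO.File]::ReadAllBytes((Resolve-Path ".\test-tampered.exe"))
$mid = [int]($bytes.Length / 2)
$bytes[$mid] = $bytes[$mid] -bxor 1
[System.IO.File]::WriteAllBytes((Resolve-Path ".\test-tampered.exe"), $bytes)

Test-ExpectedSigner -Path ".\test-tampered.exe" -Thumbprint $cert.Thumbprint
```

The point of step 4 is the caveat from the top of the post: a self-signed signature never reports Valid on a machine that has not been told to trust the certificate, so a check that only looks at Status would reject it. Comparing the signer thumbprint against the one you generated, and treating HashMismatch as the tamper signal, is the check that a self-signed certificate actually supports.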

There it is, you have signed your executable.