These notes were made in 2013. They may now be outdated.

create a certificate request with openssl

req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Enter Distinguished Name information:

  • Country: Code The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
  • State/Province: Name of state or province where your organization is located
  • Locality: Name of the city in which your organization is registered/located
  • Organization: Name The full legal name of your organization.
  • Organizational Unit: Optional.
  • Common Name: The full legal name of your organization.
  • Email Address: Your email address.

Move CSR.csr and privateKey.key to your desktop.

Send the CSR to godaddy, wait two weeks until they ask you for some company related certification.

You get the certificate as a .pem or a .spc. Save these files and the private key, these are important. keep them safe.

The key generated with openssl is in the wrong format. Convert it into the proper format using the pvk program http://www.drh-consultancy.demon.co.uk/pvk.html

pvk.exe -in privateKey.key -topvk -nocrypt -strong -out private.pvk

now use pvk2pfx to convert

pvk2pfx.exe -pvk private.pvk -spc spcfile.spc -pfx certificate.pfx

Signing your application

Now you can use this certificate with signtool

signtool sign /f certificate.pfx /t http://tsa.starfieldtech.com /d "project name" /du http://yourcompany.example.com/ code.exe