Signing applications for windows

These notes were made in 2013. They may now be outdated.

create a certificate request with openssl

req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Enter Distinguished Name information:

Move CSR.csr and privateKey.key to your desktop.

Send the CSR to godaddy, wait two weeks until they ask you for some company related certification.

You get the certificate as a .pem or a .spc. Save these files and the private key, these are important. keep them safe.

The key generated with openssl is in the wrong format. Convert it into the proper format using the pvk program http://www.drh-consultancy.demon.co.uk/pvk.html

pvk.exe -in privateKey.key -topvk -nocrypt -strong -out private.pvk

now use pvk2pfx to convert

pvk2pfx.exe -pvk private.pvk -spc spcfile.spc -pfx certificate.pfx

Signing your application

Now you can use this certificate with signtool

signtool sign /f certificate.pfx /t http://tsa.starfieldtech.com /d "project name" /du http://yourcompany.example.com/ code.exe