Sign Windows Programs with SignTool

Microsoft is changing the process for signing your kernel-mode driver packages
Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. You will need to start following Microsoft's updated instructions to sign any new kernel-mode driver packages going forward. To learn more, see our knowledge base article—Microsoft sunsetting support for cross-signed root certificates with kernel-mode signing capabilities.

Prepare Your Standard Code Signing Certificate

If you purchased a Microsoft Authenticode, code signing certificate and also want to use it to sign Windows drivers, there's some good news and bad news for you. First, the bad news: your current code signing certificate won't work for that. Now, the good news: you can reissue your Authenticode, code signing certificate to get a Driver Signing, code signing certificate.

Reissue Your Code Signing Certificate

  1. In your CertCentral account, in the left main menu, go to Certificate > Orders.

  2. On the Manage Your Code Signing – Order # page, under Reissue Actions, click the Re-Key Your Certificate link.

  3. On the Orders page, click the order number link for the Code Signing certificate you want to reissue.

  4. On the Order details page, in the Certificate Actions dropdown, select Reissue Certificate.

  5. Add Your CSR

    Upload or paste your CSR in the Add Your CSR box.

    The Sun Java Platform is the only platform that requires a CSR with your request; for all other platforms, submitting a CSR is optional.

  6. Signature Hash

    In the dropdown, select a signature hash for the certificate: SHA-256.

  7. Server Platform

    Select Microsoft Kernel-Mode Code.

  8. Reason for Reissue

    Specify the reason for the certificate reissue.

  9. Click Request Reissue.

    If an approval for CS certificate reissue is required, the CS verified contact for the organization is sent an email informing them that they need to approve the certificate reissue request. Once we receive their approval, we'll reissue your Code Signing certificate.

  10. We will send a copy of the reissued CS certificate via email.

    The subject line of the email is Reissue Your DigiCert Code Signing Certificate (Order #). The email contains a link that lets you reissue and install your Code Signing Certificate.

    You can also download a copy of the reissued certificate from your CertCentral account on the CS certificate's Order details page.

Install Your Kernel-Mode Code Signing Certificate

After you purchase a standard code signing certificate, DigiCert validates your information and sends you an email that contains a link to install your kernel-mode certificate.

  1. On the computer you want to install the certificate on, open the installation link from your DigiCert email in Microsoft Internet Explorer*—subject line: Reissue Your DigiCert Code Signing Certificate (Order #).

    When you open the link, the certificate is installed to the current user's personal certificate store for Windows and can be used by the WDK tools for signing drivers.

    Browser Note*: Currently, only Microsoft Internet Explorer still supports CSR generation needed for code signing certificate installation. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox. For more information, see our knowledge base article Keygen support to be dropped with Firefox 69.

  2. Next, download the DigiCert Code Signing Cross-Certificate.

Download the Code Signing Cross-Certificate

Before you can use SignTool to sign applications, you must download the DigiCert Code Signing Cross-Certificate on the computer where you installed your Code Signing Certificate. You will need to specify this certificate in SignTool.

Click here to download the DigiCert Code Signing Cross-Certificate.

Prepare to Sign Code by Installing the Windows SDK

In order to use SignTool.exe to sign your application, you need to either install Microsoft Visual Studio 2005 (or later), or on the machine where you will be signing code, download and install one of the following versions of Microsoft Windows SDK:

If you have the Windows SDK 6.0 or lower on Windows Vista, you can use the SignTool Digital Signature Wizard GUI interface. All new versions of the Windows SDK (7 and newer) require you to use the command line instructions below.

Internet Explorer for Windows

When you use Internet Explorer on a Windows machine to install your code signing certificate, the certificate will be accessible in the Windows Certificate Store.

If you have multiple Code Signing certificates in your Windows Certificate Store, the commands in this instruction will sign your application with "the best" one, which may not be the correct one. You can use the next SignTool command to sign your program with a specific certificate or use another options in the SignTool documentation.

If you only have one Code Signing certificate on your machine, follow the instructions below.

Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

When using SHA256 for signing, make sure to use the latest version of signtool (6.3 or later) to avoid errors.

  1. In the Windows command prompt, enter the command below.

    signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a "c:\path\to\file.exe"

  2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

    c:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a Setup.exe
    Done Adding Additional Store
    Successfully signed and timestamped: Setup.exe

Firefox (or Another Browser) or Operating System

If you installed your Code Signing Certificate in Firefox (or another browser) or another operating system such as Mac OS X, do the following:

  1. Export the certificate as a .PKCS#12 (.pfx or .p12) file.

  2. Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

    Once you have the code signing certificate saved as a PKCS#12 on your Windows operating system, you are ready to sign code.

    When using SHA256 for signing, make sure to use the latest version of signtool (6.3 or later) to avoid errors.

    1. Enter the following command:

      signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f "c:\path\to\mycert.pfx" /p pfxpassword "c:\path\to\file.exe"

    2. If the process was successful, you will see the following response, indicating that the program has been signed and timestamped:

      c:\Code>signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f mycert.pfx /p test Setup.exe
      Done Adding Additional Store
      Successfully signed and timestamped: Setup.exe

Verify the digital signature

You can verify that your application is now signed by right clicking on it and clicking Properties. On the Digital Signatures tab (if it exists), you can view the signing certificate and timestamp.

Additional Information

In this example, use the thumbprint value of your Code Signing Certificate. To use the thumbprint, remove all spaces from the thumbprint value; if you do not remove the spaces, it won't work. You can also use our DigiCert Utility to get the thumbprint.

Sign Code with a SHA256 Certificate/Digest Algorithm/Timestamp

Enter the following command:

signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /sha1 [thumbprint] file.exe


For more information on the different signtool.exe options, see Microsoft's SignTool Documentation.

Get code signing certificates for just $474/year

Buy Now