Authenticode: Signing a File

1. Creating Public/Private Keys. To create both the public and private keys you will use the MakeCert tool, which can be accessed via the SDK command prompt through your start. Open the command prompt by going to Microsoft .NET Framework SDK v2.0 and selecting the SDK Command Prompt under the Start Menu. This will open a command window in the SDK directory.

After you have opened the command prompt type makecert –sv private_key_name.pvk –ss storename –r –n “CN=your name” public_key_name.cer to create both a public and private key.

The command is explain in detail for better understanding.

  • makecert
  • sv private.pvk. The –sv flag will create a private key named private.pvk if it does not exist.
  • ss myNewStore Specifies the subject's certificate store name that stores the output certificate. If the store does not exist it will be created.
  • n “CN=your name” will set the issuer and the subject fields with that value
  • r public.cer will create a self signed certificate called public.cer. If this option is not used the certificate will be signed by the default test root certificate.

This command is one of the basic commands that use the default values when creating keys. There are numerous flags that can be used to change or add data to the keys, which you can read about on your own.

You will be prompted to create a private key password and confirm it.

After creating the private key password you will be prompted for it again.

You should get a “Succeeded” message from MakeCert if the keys were created successfully.

If you receive an error message the problem is probably due to an incorrect private key password. Reenter the MakeCert command and you will be prompted for the private key password again. Reenter the password to complete the key creation process.

2. Creating a SPC File. This will wrap multiple x.509 certificates into a public key certificate standard (pkcs) #7. This program is for test purposes only. A valid SPC must be obtained from a CA. To create a SPC file using your certificate enter cert2spc public.cer spc.spc. The SPC file will be used to sign a file.

3. Signing a File. To sign a file you will use the SignTool, which can be accomplished by the command prompt and Digital Signature Wizard GUI. This tutorial will use the GUI, which will allow you to see the steps required to sign a file. To run the SignTool GUI use signtool signwizard.

You will be presented with the Digital Signature Wizard’s welcome screen. To continue with the wizard click Next. You will then be presented with the File Selection screen, which will allow you to select the file you wish to sign. You can only sign .exe, .dll, or .ocx files with Authenticode.

You can download the good.dll to sign. However, all you have to do is choose an executable off your machine to sign.

Click the Browse button and navigate to the location of the file you wish to sign and select it. After choosing a file to sign click the Next button to continue with the wizard.

After selecting the file to sign you must chose the certificate to attach to the signature. This file will be the .spc file that was created using your public key. To select the .spc file click Select from File then navigate to the location of the .spc file and select it.

After selecting the certificate to be attached to the signature click Next.

Now you must select the private key you want to use to sign the file. To do this select Browse and navigate to the location of your private key and select it.

After selecting the private key select Next where you will be prompted for the private key’s password. Without this you will not be able to complete the signing process.

The next step is to select the hash algorithm you want to use to create the file signature. SHA1 is the default option and is acceptable to keep. The SHA1 hash algorithm produces a 160-bit (20 byte) message digest, which will slow implementation but is stronger against a brute force attack. The MD5 produces a small message digest at 128-bit (16 byte) that makes for a fast implementation but is weaker again brute force attacks.

You have the option to include additional certificates in the signature, which is common practice when you obtain a certificate from a CA. However, in this tutorial you created a self signed certificate so there are no other certificates that need to be included with the signature, which is why the default settings were kept. Modifications to the additional certificate settings depend on your specific requirements when signing a file. Click Next to continue.

It is a best practice to include information about the data you are signing and a Web site where a person can find additional information pertaining to the signature. You can enter this information or just continue to the next step by clicking Next.

A time stamp should always be included with every signed file, which indicates to the public when the file was signed and its existence. To sign a file you need to provide the URL of a timestamping service. You can use Verisign’s service at After you have entered the timestamp URL click Next to continue.

You now can verify the options you will use to create the signature. If there is anything that you missed or want to double you have the opportunity to do it here. When you are satisfied click Next to complete the signing process.

You will be prompted for your private key’s password as the final step in completing the signing wizard. After you provide the password click Next to generate the signature for the selected file.

The final step is to make your public key available to the public along with the file you signed.