Skip to main content
Perform the following tasks to create the Microsoft SignTool Code Signing certificate:

Log in to the CryptoHub

Perform the following steps to log in to the CryptoHub and go to the Certificate Management menu:
1
Open the CryptoHub web dashboard in a browser.
2
Log in under dual-control by using the administrator identities.
3
From the Service Management page, go to the Administrative Services tab.
4
Select PKI Management> Certificate Management.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:
1
Select [ Add CA ] at the bottom of the page or right-click anywhere in the window and select Add CA.
2
In the pop-up menu, specify the following information for the certificate container:
  • Name: Microsoft SignTool
  • Host: None
  • Type: X.509
  • Owner Group: In the drop-down, select the Microsoft SignTool role.
3
Select [ OK ].

Generate a root CA certificate

Before generating the Code Signing certificate for Microsoft SignTool, you must first perform the following steps to generate a root CA certificate:
1
Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2
In the Subject DN tab of the certificate creation wizard, select the Classic preset in the drop-down menu and specify Root as the Common Name for the certificate.
3
In the Basic Info tab, you can leave the default values set.
4
In the V3 Extensions tab, select the Certificate Authority Profile in the drop-down list.
5
Select [ OK ] to finish creating the root CA certificate.

Issue a certificate

Perform the following steps to issue a Code Signing certificate for Microsoft SignTool:
1
Right-click the root CA certificate and select Add Certificate > New Certificate.
2
In the Subject DN tab of the certificate creation wizard, select the Classic preset in the drop-down menu and specify MS SignTool as the Common Name for the certificate.
3
In the Basic Info tab, you can leave the default values set.
4
In the V3 Extensions tab, select the Code Signing Certificate profile in the drop-down list.
5
Select [ OK ] to finish creating the Microsoft SignTool Code Signing certificate.

Create an approval group

Perform the following steps to create an approval group for PKI signing:
1
From the Service Management page, select the Administrative Services tab.
2
Select PKI Management > PKI Signing Approvals.
3
Select [ Add Approval Group ] at the bottom of the page or right-click anywhere in the window and select Add Approval Group.
4
Specify Microsoft SignTool as the Name for the approval group and select [ OK ].
5
Right-click the newly created approval group and select Permission.
6
In the first drop-down list, select the role automatically created for the Microsoft SignTool service you deployed, and select [ Add ].
7
In the Permission drop-down menu for the Microsoft SignTool role, select the Use permission.
8
Select [ Save ].

Add an issuance policy

Perform the following steps to add an issuance policy to the MS SignTool Code Signing certificate:
1
From the Service Management page, select the Administrative Services tab.
2
Select PKI Management > Certificate Management.
3
Expand the view for the Microsoft SignTool certificate container by selecting the plus (+) icons to show both the Root and MS SignTool certificates.
4
Right-click the MS SignTool certificate and select Issuance Policy > Add.
5
In the Basic Info tab, set:
  1. Approvals: 0
    • A later step configures Anonymous signing after adding the issuance policy, so don’t worry about the following displayed warning message: Zero approval policy requires Anonymous Signing security usage.
  2. Allowed hashes: SHA-256
6
In the X.509 tab, set the Default approval group to Microsoft SignTool.
7
In the Object Signing tab, select the Allow object signing checkbox.
8
Select [ OK ] to apply the issuance policy to the Microsoft SignTool certificate.
9
Right-click the MS SignTool certificate and select Change Security Usage.
10
In the Security Usage drop-down menu, select Anonymous Signing.
11
Select [ OK ] to apply the change.

Assign a name

Perform the following steps to assign the MS SignTool private key a name:
1
From the Service Management page, go to the Administrative Services tab.
2
Select Key Management > Key Database.
3
In the Keys section, you should see the MS SignTool key pair. Right-click the MS SignTool key pair and select Edit.
4
Enter MS SignTool in the Name field and select [ OK ] to save the changes.

Grant permissions

Perform the following steps to grant Microsoft SignTool role permissions to use the private key:
1
Enter MS SignTool in the Name field and select [ OK ] to save the changes.
2
Select Key Management > Key Database.
3
In the Keys section, right-click the MS SignTool key pair and select Permission.
4
In the drop-down menu, select the Microsoft SignTool role and select [ Add ].
5
Select the Permission drop-down option for the Microsoft SignTool role and grant the Use permission.
6
Select [ Save ].

Export the certificates

Perform the following steps to export the Microsoft SignTool and root CA certificates:
1
From the Service Management page, go to the Administrative Services tab.
2
Select PKI Management > Certificate Management.
3
Expand the view for the Microsoft SignTool certificate container by selecting the plus (+) icons twice to show both the Root and MS SignTool certificates.
4
Right-click the Root certificate and select Export > Certificate(s).
5
Change the encoding to PEM and select [ Browse ].
6
Choose a file name for web transfer and select [ OK ].
7
Select [ OK ] to initiate the export and download the file when prompted by your browser.
8
Right-click the MS SignTool certificate and select Export > Certificate(s).
9
Change the encoding to PEM and select [ Browse ].
10
Choose a file name for web transfer and select [ OK ].
11
Select [ OK ] to initiate the export and download the file when prompted by your browser.
You must copy the Microsoft SignTool and root CA certificates to the Windows machine where you deployed the integration.