> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a code-signing certificate

> Issue or import a code-signing certificate on the Vectera Plus for use with Microsoft SignTool.

This section describes the following methods for issuing or importing a code-signing certificate on the Vectera Plus:

1. Issue a code-signing certificate by using a CA on the Vectera Plus.
2. Import an existing code-signing certificate as a PKCS #12 file onto the Vectera Plus.

Microsoft Signtool can subsequently use the code-signing certificate to sign files by using the private key stored on the Vectera Plus.

Select the appropriate method and follow the instructions:

## Issue a code-signing certificate

This section uses FXCLI to create a new Certificate Authority (CA) on the Vectera Plus. A later section uses the new CA to issue a code signing certificate.

<Steps>
  <Step>
    Run the **fxcli-hsm** program.
  </Step>

  <Step>
    Connect to the Admin TLS port on the HSM by using the **connect tcp** command.

    <Note>
      Before connecting, you must configure the TLS certificates in FXCLI by using the `tls` commands. For additional details, see the FXCLI HSM technical reference on the Futurex Portal.
    </Note>
  </Step>

  <Step>
    Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):

    ```shell title="FXCLI" expandable lines wrap theme={null}
      login user
    ```
  </Step>

  <Step>
    Run the following command to generate a new key in the next available key slot on the Vectera Plus. Use this key in the next task to create a self-signed CA.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      generate --algo RSA --bits 2048 --usage mak --name SigntoolCaKeyPair --slot next
    ```
  </Step>

  <Step>
    Run the following command to create a CA certificate using the key that was generated on the HSM in the previous step:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign --private-slot SigntoolCaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --dn 'O=Futurex\CN=Signtool CA' --out C:\Integration-Testing-Sandbox\SigntoolCa.pem
    ```

    <Check>
      The preceding command outputs the CA certificate to the location specified in the --out flag.
    </Check>
  </Step>

  <Step>
    Run the following command to generate a new key in the next available key slot on the Vectera Plus. Use this key in a later task to create a CSR for the code signing certificate.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      generate --algo RSA --bits 2048 --usage mak --name CodeSigningKeyPair --slot next
    ```
  </Step>

  <Step>
    Run the following command to assign **CodeSigningKeyPair** to the label PKCS #11 attribute of the key created in the preceding step:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      keytable extdata --slot 1 --p11-attr label --p11-value "CodeSigningKeyPair"
    ```

    <Note>
      The value set in the --slot flag must match the key slot where you created the CodeSigningKeyPair.
    </Note>
  </Step>

  <Step>
    Run the following command to generate a CSR by using the **CodeSigningKeyPair**:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 req --private-slot CodeSigningKeyPair --out C:\Integration-Testing-Sandbox\CodeSigning.csr
    ```
  </Step>

  <Step>
    Run the following command to issue a code signing certificate using the CA certificate created in step 5:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      x509 sign --private-slot SigntoolCaKeyPair --issuer C:\Integration-Testing-Sandbox\SigntoolCa.pem --key-usage DigitalSignature --key-usage NonRepudiation --eku CodeSigning --ca false --dn 'O=Futurex\CN=Code Signing' --csr C:\Integration-Testing-Sandbox\CodeSigning.csr --out C:\Integration-Testing-Sandbox\CodeSigning.pem
    ```

    <Note>
      You must move the code signing certificate and CA certificate to the computer where you use Microsoft Signtool.
    </Note>
  </Step>
</Steps>

## Import an existing certificate

This section uses FXCLI to import an existing code-signing certificate in PKCS #12 format onto the Vectera Plus.

<Note>
  The code signing certificate PKCS #12 file must contain only the code signing certificate and its associated private key. Do not include CA certificates in the file.
</Note>

<Steps>
  <Step>
    Run the **fxcli-hsm** program.
  </Step>

  <Step>
    Connect to the Admin TLS port on the HSM by using the `connect tcp` command.

    <Note>
      Before connecting, you must configure the TLS certificates in FXCLI by using the `tls` commands. For additional details, see the FXCLI HSM technical reference on the Futurex Portal.
    </Note>
  </Step>

  <Step>
    Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):

    ```shell title="FXCLI" expandable lines wrap theme={null}
      login user
    ```
  </Step>

  <Step>
    Run the following command to import the private key of an existing code-signing certificate that is in PKCS #12 format:

    <Note>
      The code-signing certificate passed into this command must be in PKCS #12 format because this format contains the private key of the code-signing certificate in the file, encrypted under a password.
    </Note>

    ```shell title="FXCLI" expandable lines wrap theme={null}
      pkcs12 import --file C:\Integration-Testing-Sandbox\code_signing_cert.p12 --password safest --slot next --label ImportedCodeSigningKeyPair --win-system-dacl
    ```
  </Step>
</Steps>
