Code signing
Microsoft SignTool

Generate Microsoft SignTool Code Signing certificate on the CryptoHub

10min
Perform the following tasks to create the Microsoft SignTool code signing certificate.

Log in to the CryptoHub

Perform the following steps to log in to the CryptoHub and go to the Certificate Management menu:

1. Open the CryptoHub web dashboard in a browser.
2. Log in under dual control by using the administrator identities.
3. From the Service Management page, go to the Administrative Services tab.
4. Select PKI Management > Certificate Management.

Create a certificate container

Perform the following steps to create a new X.509 certificate container:

1. Select [ Add CA ] at the bottom of the page, or right-click anywhere in the window and select Add CA.
2. In the pop-up menu, specify the following information for the certificate container:
   - Name: Microsoft SignTool
   - Host: None
   - Type: X.509
   - Owner group: in the drop-down, select the Microsoft SignTool role
3. Select [ OK ].

Generate a root CA certificate

Before generating the code signing certificate for Microsoft SignTool, you must first perform the following steps to generate a root CA certificate:

1. Right-click the X.509 certificate container you created and select Add Certificate > New Certificate.
2. In the Subject DN tab of the certificate creation wizard, select the Classic preset in the drop-down menu and specify Root as the Common Name for the certificate.
3. In the Basic Info tab, you can leave the default values set.
4. In the V3 Extensions tab, select the Certificate Authority profile in the drop-down list.
5. Select [ OK ] to finish creating the root CA certificate.

Issue a certificate

Perform the following steps to issue a code signing certificate for Microsoft SignTool:

1. Right-click the root CA certificate and select Add Certificate > New Certificate.
2. In the Subject DN tab of the certificate creation wizard, select the Classic preset in the drop-down menu and specify MS SignTool as the Common Name for the certificate.
3. In the Basic Info tab, you can leave the default values set.
4. In the V3 Extensions tab, select the Code Signing Certificate profile in the drop-down list.
5. Select [ OK ] to finish creating the Microsoft SignTool code signing certificate.

Create an approval group

Perform the following steps to create an approval group for PKI signing:

1. From the Service Management page, select the Administrative Services tab.
2. Select PKI Management > PKI Signing Approvals.
3. Select [ Add Approval Group ] at the bottom of the page, or right-click anywhere in the window and select Add Approval Group.
4. Specify Microsoft SignTool as the name for the approval group and select [ OK ].
5. Right-click the newly created approval group and select Permission.
6. In the first drop-down list, select the role automatically created for the Microsoft SignTool service you deployed, and select [ Add ].
7. In the Permission drop-down menu for the Microsoft SignTool role, select the Use permission.
8. Select [ Save ].

Add an issuance policy

Perform the following steps to add an issuance policy to the MS SignTool code signing certificate:

1. From the Service Management page, select the Administrative Services tab.
2. Select PKI Management > Certificate Management.
3. Expand the view for the Microsoft SignTool certificate container by selecting the plus (+) icons to show both the Root and MS SignTool certificates.
4. Right-click the MS SignTool certificate and select Issuance Policy > Add.
5. In the Basic Info tab, set the following:
   - Approvals: 0. A later step configures anonymous signing after the issuance policy is added, so you can disregard the warning message that is displayed: "Zero approval policy requires anonymous signing security usage."
   - Allowed hashes: SHA-256
6. In the X.509 tab, set the default approval group to Microsoft SignTool.
7. In the Object Signing tab, select the Allow Object Signing checkbox.
8. Select [ OK ] to apply the issuance policy to the Microsoft SignTool certificate.
9. Right-click the MS SignTool certificate and select Change Security Usage.
10. In the Security Usage drop-down menu, select Anonymous Signing.
11. Select [ OK ] to apply the change.

Assign a name

Perform the following steps to assign the MS SignTool private key a name:

1. From the Service Management page, go to the Administrative Services tab.
2. Select Key Management > Key Database.
3. In the Keys section, you should see the MS SignTool key pair.
4. Right-click the MS SignTool key pair and select Edit.
5. Enter MS SignTool in the Name field and select [ OK ] to save the changes.

Grant permissions

Perform the following steps to grant the Microsoft SignTool role permission to use the private key:

1. Select Key Management > Key Database.
2. In the Keys section, right-click the MS SignTool key pair and select Permission.
3. In the drop-down menu, select the Microsoft SignTool role and select [ Add ].
4. Select the Permission drop-down option for the Microsoft SignTool role and grant the Use permission.
5. Select [ Save ].

Export the certificates

Perform the following steps to export the Microsoft SignTool and root CA certificates:

1. From the Service Management page, go to the Administrative Services tab.
2. Select PKI Management > Certificate Management.
3. Expand the view for the Microsoft SignTool certificate container by selecting the plus (+) icons twice to show both the Root and MS SignTool certificates.
4. Right-click the Root certificate and select Export > Certificate(s).
5. Change the encoding to PEM and select [ Browse ].
6. Choose a file name for web transfer and select [ OK ].
7. Select [ OK ] to initiate the export and download the file when prompted by your browser.
8. Right-click the MS SignTool certificate and select Export > Certificate(s).
9. Change the encoding to PEM and select [ Browse ].
10. Choose a file name for web transfer and select [ OK ].
11. Select [ OK ] to initiate the export and download the file when prompted by your browser.

You must copy the Microsoft SignTool and root CA certificates to the Windows machine where you deployed the integration.
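Once the two PEM files are on the Windows machine, it is worth confirming that the profiles selected above produced what SignTool needs before the integration is configured. The following PowerShell script is an added example and not part of the CryptoHub documentation; the file names root.pem and ms-signtool.pem are assumed placeholders for whatever you chose at export time. It checks that the root carries the CA basic constraint (Certificate Authority profile), that the leaf carries the Code Signing EKU (Code Signing Certificate profile), and that the leaf chains to that root.

```powershell
# Added example, not part of the CryptoHub documentation: sanity-check the two
# exported PEM certificates on the Windows machine before SignTool uses them.
# Assumed file names (placeholders): root.pem and ms-signtool.pem.
param(
    [string] $RootPath = '.\root.pem',
    [string] $LeafPath = '.\ms-signtool.pem'
)

$ns   = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$ns.X509Certificate2" ((Resolve-Path $RootPath).Path)
$leaf = New-Object "$ns.X509Certificate2" ((Resolve-Path $LeafPath).Path)
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# 1. The root must carry CA=true Basic Constraints (Certificate Authority profile).
$bc = $root.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Root certificate is not marked as a CA: was the Certificate Authority profile selected?"
}

# 2. The leaf must carry the Code Signing EKU (Code Signing Certificate profile);
#    SignTool will not select a certificate without it.
$eku = $leaf.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -First 1
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
if (-not $hasCodeSigning) {
    throw "Leaf certificate lacks the Code Signing EKU: was the Code Signing Certificate profile selected?"
}

# 3. The leaf must chain to the exported root and not to some other CA. The root is an
#    internal CA that is not yet trusted on this machine, so allow an unknown root and
#    skip revocation checking; only the chain structure is being verified here.
$chain = New-Object "$ns.X509Chain"
[void] $chain.ChainPolicy.ExtraStore.Add($root)
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$built = $chain.Build($leaf)
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not $built -or $top.Thumbprint -ne $root.Thumbprint) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Leaf does not chain to the exported root ($status)"
}

Write-Host "OK: '$($leaf.Subject)' chains to '$($root.Subject)' and is valid for code signing."
Write-Host "Leaf thumbprint: $($leaf.Thumbprint)"
Write-Host "The issuance policy allows SHA-256 only, so sign with 'signtool sign /fd SHA256 ...'"
```

The script only validates the exported chain; trusting the internal root on the Windows machine and binding the certificate to the CryptoHub-held key are handled by the integration deployment, not by this check.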