Create a code-signing certificate

1min
This section describes the following methods for issuing or importing a code-signing certificate on the :
 Issue a code-signing certificate  by using a CA on the .
Import an existing code-signing certificate as a PKCS #12 file onto the .
Microsoft Signtool can subsequently use the code-signing certificate to sign files by using the private key stored on the .
Select the appropriate method and follow the instructions:
Issue a code-signing  certificate
Import existing certificate
This section uses FXCLI to create a new Certificate Authority (CA) on the . A later section uses the new CA to issue a code signing certificate.
1
Run the fxcli-hsm program.
2
Connect to the Admin TLS port on the HSM by using the connect tcp command.
Before connecting, you must configure the TLS certificates in FXCLI by using the tls commands. For additional details, see the FXCLI HSM technical reference on the  Portal.
3
Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):
FXCLI
login user
login user
﻿
4
Run the following command to generate a new key in the next available key slot on the . Use this key in the next task to create a self-signed CA.
FXCLI
generate --algo RSA --bits 2048 --usage mak --name SigntoolCaKeyPair --slot next
generate --algo RSA --bits 2048 --usage mak --name SigntoolCaKeyPair --slot next
﻿
5
Run the following command to create a CA certificate using the key that was generated on the HSM in the previous step:
FXCLI
x509 sign --private-slot SigntoolCaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --dn 'O=Futurex\CN=Signtool CA' --out C:\Integration-Testing-Sandbox\SigntoolCa.pem
x509 sign --private-slot SigntoolCaKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --dn 'O=Futurex\CN=Signtool CA' --out C:\Integration-Testing-Sandbox\SigntoolCa.pem
﻿
The preceding command outputs the CA certificate to the location specified in the --out flag.
6
Run the following command to generate a new key in the next available key slot on the . Use this key in a later task to create a CSR for the code signing certificate.
FXCLI
generate --algo RSA --bits 2048 --usage mak --name CodeSigningKeyPair --slot next
generate --algo RSA --bits 2048 --usage mak --name CodeSigningKeyPair --slot next
﻿
7
Run the following command to assign CodeSigningKeyPair to the label PKCS #11 attribute of the key created in the preceding step:
FXCLI
keytable extdata --slot 1 --p11-attr label --p11-value "CodeSigningKeyPair"
keytable extdata --slot 1 --p11-attr label --p11-value "CodeSigningKeyPair"
﻿
The value set in the --slot flag must match the key slot where you created the CodeSigningKeyPair.
8
Run the following command to generate a CSR using the "CodeSigningKeyPair":
FXCLI
x509 req --private-slot CodeSigningKeyPair --out C:\Integration-Testing-Sandbox\CodeSigning.csr
x509 req --private-slot CodeSigningKeyPair --out C:\Integration-Testing-Sandbox\CodeSigning.csr
﻿
9
Run the following command to issue a code signing certificate using the CA certificate created in step 5:
FXCLI
x509 sign --private-slot SigntoolCaKeyPair --issuer C:\Integration-Testing-Sandbox\SigntoolCa.pem --key-usage DigitalSignature --key-usage NonRepudiation --eku CodeSigning --ca false --dn 'O=Futurex\CN=Code Signing' --csr C:\Integration-Testing-Sandbox\CodeSigning.csr --out C:\Integration-Testing-Sandbox\CodeSigning.pem
x509 sign --private-slot SigntoolCaKeyPair --issuer C:\Integration-Testing-Sandbox\SigntoolCa.pem --key-usage DigitalSignature --key-usage NonRepudiation --eku CodeSigning --ca false --dn 'O=Futurex\CN=Code Signing' --csr C:\Integration-Testing-Sandbox\CodeSigning.csr --out C:\Integration-Testing-Sandbox\CodeSigning.pem
﻿
The code signing certificate and CA certificate need to be moved to the computer where Microsoft Signtool will be utilized.
This section uses FXCLI to import an existing code-signing certificate in PKCS #12 format onto the .
The code signing certificate PKCS #12 file must contain only the code signing certificate and its associated private key. Do not include CA certificates in the file.
1
Run the fxcli-hsm program.
2
Connect to the Admin TLS port on the HSM by using the connect tcp command.
Before connecting, you must configure the TLS certificates in FXCLI by using the tls commands. For additional details, see the FXCLI HSM technical reference on the  Portal.
3
Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):
FXCLI
login user
login user
﻿
4
Run the following command to import the private key of an existing code-signing certificate that is in PKCS #12 format:
The code-signing certificate passed into this command must be in PKCS #12 format because this format contains the private key of the code-signing certificate in the file, encrypted under a password.
FXCLI
pkcs12 import --file C:\Integration-Testing-Sandbox\code_signing_cert.p12 --password safest --slot next --label ImportedCodeSigningKeyPair --win-system-dacl
pkcs12 import --file C:\Integration-Testing-Sandbox\code_signing_cert.p12 --password safest --slot next --label ImportedCodeSigningKeyPair --win-system-dacl
﻿
﻿
﻿
﻿
Edit the Futurex CNG configuration file
Import certificates into Windows Certificate Store