Create a code-signing certificate
This section describes the following methods for issuing or importing a code signing certificate on the {{vectera}}:

- Issue a code signing certificate by using a CA on the {{vectera}}.
- Import an existing code signing certificate as a PKCS #12 file onto the {{vectera}}.

Microsoft SignTool can subsequently use the code signing certificate to sign files by using the private key stored on the {{vectera}}. In both methods only the certificates leave the HSM; the private key stays in its key slot. Select the appropriate method and follow the instructions.

Issue a code signing certificate by using a CA on the {{vectera}}

This section uses FXCLI to create a new certificate authority (CA) on the {{vectera}}. A later step uses the new CA to issue a code signing certificate.

1. Run the FXCLI HSM program.

2. Connect to the admin TLS port on the HSM by using the connect tcp command. Before connecting, you must configure the TLS certificates in FXCLI by using the tls commands. For additional details, see the FXCLI HSM technical reference on the {{futurex}} portal.

3. Log in with both default admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):

       fxcli login user

4. Run the following command to generate a new key in the next available key slot on the {{vectera}}. The next step uses this key to create a self-signed CA:

       fxcli generate --algo RSA --bits 2048 --usage mak --name SignToolCAKeyPair --slot next

5. Run the following command to create a CA certificate using the key that was generated on the HSM in the previous step:

       fxcli x509 sign --private-slot SignToolCAKeyPair --key-usage DigitalSignature --key-usage KeyCertSign --ca true --dn 'O=Futurex\CN=SignTool CA' --out "C:\Integration Testing Sandbox\SignToolCA.pem"

   The preceding command writes the CA certificate to the location specified in the --out flag.

6. Run the following command to generate a new key in the next available key slot on the {{vectera}}. A later step uses this key to create a CSR for the code signing certificate:

       fxcli generate --algo RSA --bits 2048 --usage mak --name CodeSigningKeyPair --slot next

7. Run the following command to assign CodeSigningKeyPair to the label PKCS #11 attribute of the key created in the preceding step:

       fxcli keytable extdata --slot 1 --p11-attr label --p11-value "CodeSigningKeyPair"

   The value set in the --slot flag must match the key slot where you created CodeSigningKeyPair; --slot 1 is only an example. This label is how a PKCS #11 client, such as SignTool through the {{vectera}} PKCS #11 library, locates the key later.

8. Run the following command to generate a CSR using CodeSigningKeyPair:

       fxcli x509 req --private-slot CodeSigningKeyPair --out "C:\Integration Testing Sandbox\CodeSigning.csr"

9. Run the following command to issue a code signing certificate using the CA certificate created in step 5:

       fxcli x509 sign --private-slot SignToolCAKeyPair --issuer "C:\Integration Testing Sandbox\SignToolCA.pem" --key-usage DigitalSignature --key-usage NonRepudiation --eku CodeSigning --ca false --dn 'O=Futurex\CN=Code Signing' --csr "C:\Integration Testing Sandbox\CodeSigning.csr" --out "C:\Integration Testing Sandbox\CodeSigning.pem"

   Note that the end-entity certificate is issued with --ca false and the CodeSigning extended key usage; Windows will not accept an Authenticode signature from a certificate that lacks that EKU.

The code signing certificate and the CA certificate must be copied to the computer where Microsoft SignTool will be used.

Import an existing code signing certificate as a PKCS #12 file onto the {{vectera}}

This section uses FXCLI to import an existing code signing certificate in PKCS #12 format onto the {{vectera}}. The PKCS #12 file must contain only the code signing certificate and its associated private key. Do not include CA certificates in the file.

1. Run the FXCLI HSM program.

2. Connect to the admin TLS port on the HSM by using the connect tcp command. Before connecting, you must configure the TLS certificates in FXCLI by using the tls commands. For additional details, see the FXCLI HSM technical reference on the {{futurex}} portal.

3. Log in with both default admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):

       fxcli login user

4. Run the following command to import the private key of an existing code signing certificate that is in PKCS #12 format. The certificate must be supplied in PKCS #12 format because that format carries the certificate's private key inside the file, encrypted under a password:

       fxcli pkcs12 import --file "C:\Integration Testing Sandbox\Code Signing Cert.p12" --password safest --slot next --label ImportedCodeSigningKeyPair --win-system-dacl

   The password is passed on the command line, so it can end up in shell history; clear the history afterwards. Once the key is in its slot on the {{vectera}}, the original .p12 file still holds a software copy of the private key, so move it to offline storage or destroy it.
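Before the certificates from either method are copied to the SignTool machine, it is worth confirming that the leaf actually has the properties the fxcli x509 sign step is meant to produce (chains to the CA, CA:FALSE, Digital Signature key usage, Code Signing EKU). The following checker is an added example and is not part of the Futurex documentation; it assumes OpenSSL 1.1.1 or later is on the PATH and works only on the two PEM certificates, since the private keys never leave the HSM. The make_sample_certs fixture generator is constructed for testing and uses OpenSSL software keys as stand-ins for the HSM key slots; it is not a substitute for the fxcli commands.

```shell
#!/bin/sh
# Added example (not Futurex code): sanity-check a CA certificate and the code signing
# certificate it issued before moving them to the SignTool machine.
# Assumes: openssl (1.1.1+) on PATH; inputs are PEM certificates, no private keys needed.
set -eu

# check_codesigning_cert CA.pem LEAF.pem
# Prints "ok" and returns 0 when the leaf chains to the CA, is not itself a CA, carries the
# Digital Signature key usage and the Code Signing extended key usage. On the first failed
# property it prints a one-line reason and returns 1.
check_codesigning_cert() {
    ca="$1"
    leaf="$2"
    text=$(openssl x509 -in "$leaf" -noout -text)

    # Chain: the CA must have signed the leaf, and must itself be CA:TRUE with keyCertSign,
    # otherwise openssl verify rejects it.
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
        || { echo "chain: FAIL (leaf does not verify against $ca)"; return 1; }

    # A code signing certificate must not be able to issue further certificates.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "basicConstraints: FAIL (expected CA:FALSE)"; return 1; }

    # Key usage: SignTool needs a signing key.
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
        || { echo "keyUsage: FAIL (expected Digital Signature)"; return 1; }

    # Extended key usage: Windows rejects Authenticode signatures without id-kp-codeSigning.
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing' \
        || { echo "EKU: FAIL (expected Code Signing)"; return 1; }

    echo ok
}

# make_sample_certs DIR
# Constructed test fixture (software keys stand in for the HSM slots): writes SignToolCA.pem,
# CodeSigning.pem with the extensions the fxcli commands request, and NoEKU.pem, an
# otherwise identical leaf that lacks the Code Signing EKU.
make_sample_certs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj '/O=Futurex/CN=SignTool CA' 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,digitalSignature,keyCertSign' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/SignToolCA.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/CodeSigning.csr" \
        -subj '/O=Futurex/CN=Code Signing' 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,nonRepudiation' \
        'extendedKeyUsage=codeSigning' > "$dir/leaf.ext"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' > "$dir/noeku.ext"
    openssl x509 -req -in "$dir/CodeSigning.csr" -CA "$dir/SignToolCA.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/CodeSigning.pem" 2>/dev/null
    openssl x509 -req -in "$dir/CodeSigning.csr" -CA "$dir/SignToolCA.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/noeku.ext" -out "$dir/NoEKU.pem" 2>/dev/null
}

# Usage: sh check_codesigning.sh SignToolCA.pem CodeSigning.pem
if [ "$#" -eq 2 ]; then
    check_codesigning_cert "$1" "$2"
fi
```

Run it against the SignToolCA.pem and CodeSigning.pem written by the fxcli steps (or against an imported certificate and its issuing CA); anything other than "ok" means the certificate should not be shipped to the signing machine yet.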