Create a code-signing certificate
This section describes the following methods for issuing or importing a code-signing certificate on the :
Microsoft Signtool can subsequently use the code-signing certificate to sign files by using the private key stored on the .
Select the appropriate method and follow the instructions:
This section uses FXCLI to create a new Certificate Authority (CA) on the . A later section uses the new CA to issue a code signing certificate.
Run the fxcli-hsm program.
Log in with both default Admin identities. When prompted, enter the username and password. Run the following command twice (once for Admin1 and once for Admin2):
Run the following command to create a CA certificate using the key that was generated on the HSM in the previous step:
The preceding command outputs the CA certificate to the location specified in the --out flag.
Run the following command to set the PKCS #11 label attribute of the key created in the preceding step to CodeSigningKeyPair:
The value set in the --slot flag must match the key slot where you created the CodeSigningKeyPair.
Run the following command to generate a CSR using the "CodeSigningKeyPair":
Run the following command to issue a code signing certificate using the CA certificate created in step 5:
Move the code-signing certificate and the CA certificate to the computer where Microsoft Signtool will be used.
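Before moving the two certificates, it is worth confirming that the issued certificate chains to the new CA and is bound to the key the CSR was generated from. The following check is an added example, not part of the original documentation: it uses OpenSSL rather than FXCLI, all file names and subject names are hypothetical, the demo material is built from throwaway software keys, and the Code Signing extended key usage check is an assumed policy.

```shell
#!/bin/sh
# Added example: all file names are hypothetical; demo keys are throwaway
# software keys constructed here, not HSM-resident keys.

# pubkey_of KIND FILE: print the PEM public key of a CSR (req) or cert (x509).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# check_codesign_cert CA_CERT CSR LEAF_CERT
# Succeeds only if the leaf chains to the CA, carries the CSR's public key,
# and lists the Code Signing extended key usage (assumed policy).
check_codesign_cert() {
    ca=$1; csr=$2; leaf=$3
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 ||
        { echo "FAIL: chain"; return 1; }
    [ "$(pubkey_of req "$csr")" = "$(pubkey_of x509 "$leaf")" ] ||
        { echo "FAIL: key mismatch"; return 1; }
    openssl x509 -in "$leaf" -noout -ext extendedKeyUsage 2>/dev/null |
        grep -q "Code Signing" || { echo "FAIL: EKU"; return 1; }
    echo "OK"
}

# make_demo DIR: build a constructed CA, CSR and issued certificate in DIR.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    printf 'extendedKeyUsage=codeSigning\n' > "$d/ext.cnf" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/ext.cnf" \
        -out "$d/leaf.pem" 2>/dev/null
}

# Demo run: prints OK for the constructed material.
demo=$(mktemp -d) && make_demo "$demo" &&
    check_codesign_cert "$demo/ca.pem" "$demo/leaf.csr" "$demo/leaf.pem"
rm -rf "$demo"
```

To check real output, call `check_codesign_cert` with the CA certificate, the CSR and the issued certificate exported as PEM files.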