Associate a private key with a certificate

2min

This section shows how to associate a private key (stored on the KMES) with its corresponding code signing certificate (stored in the Local Machine Windows certificate store).
The primary method of associating a private key with a certificate is to use a tool called CertUtil. The primary resource for advanced CertUtil command usage is this manual page. However, the example in this section is probably sufficient for your purposes.
To associate a private key held in the KMES with a code signing certificate held in the Local Machine Windows certificate store, open the command prompt and run the following command (replacing the fields surrounded in < and > symbols with the actual values that are required):
PowerShell
certutil -f -csp <human name of csp> -repairstore <store name> <serial number of cert in store>
certutil -f -csp <human name of csp> -repairstore <store name> <serial number of cert in store>
﻿
For example, the command might look like the following example:
PowerShell
certutil -f -csp "Futurex CNG" -repairstore My 00f204e900000070
certutil -f -csp "Futurex CNG" -repairstore My 00f204e900000070
﻿
For this integration, the CSP should be Futurex CNG and the store name should be My. The My value tells CertUtil to look for the certificate in the X.509 certificate store for personal certificates, which is where you imported the code signing certificate in the previous section. The only field that you should change is the serial number field. To find the serial number of your certificate, locate it in the Personal certificate store and double-click it. This opens the Certificate window.
Then, go to the Details tab, and note the serial number listed for the certificate to use in the CertUtil command.
 

Updated 19 Feb 2024

Did this page help you?

Import certificates into the Windows certificate store

Test Microsoft SignTool commands