Thawte Code Signing for Microsoft Authenticode

Please follow our Microsoft Authenticode Signing instructions to sign your components using your Thawte Code Signing certificate:

Download Signing Tools

To develop Windows-based applications, you will need to download and install the platform SDK for Microsoft Windows. Make sure that you are running the most current version of the SDK. You may want to install only the Tools and Redistributable Components of the Microsoft Windows Core SDK to install the minimal tools needed for signing your files.

Note: SignTool.exe is not supported by Microsoft Windows 95/98/Me and NT.

Sign your File

To sign your file, you will use SignTool.exe utility included in the platform SDK and you will need your Code Signing Certificate (.spc) and your private key (.pvk):

Step 1: Export the certificate from Internet Explorer into a PFX file

1. From the menu bar, click on Tools > Internet Options.

2. Click the Content tab.

3. Click the Certificates button.

4. In the Personal tab, select the certificate you wish to export.

5. Click Export.

6. Click Next.

7. Select the Yes, export the Private Key option.

8. Click Next.

Note: Manually check the option box "Include all certificates in the certification path if possible"

9. Click Next.

10. Enter the password to protect the certificate and private key being exported. Enter this password again to confirm then click Next.

11. Browse to the directory where you wish to store the file and select a file name.

12. Click Save and then Next.

13. Click Finish.

14. You should see the message "The export was successful."

15. Click OK.

Step 2: Convert the PFX file to separate PVK and SPC files

Step A: Extract the Private and Public Key

To export the private and public key in Base-64 format, run the following command, using OpenSSL:
openssl pkcs12 -in [filename].pfx -nocerts -nodes -out [filename].key
openssl pkcs12 -in [filename].pfx -nokeys -out [filename].txt

Step B: Convert the Private Key to Microsoft PVK format

To convert the private key file into the Microsoft PVK format, run the PVK conversion tool as follows:
pvk -in [filename].key -topvk -strong -out [filename].pvk

Step C: Export the Public Key

To convert the public key to the required SPC format, please run OpenSSL as follows:
openssl crl2pkcs7 -nocrl -certfile [filename].txt -outform DER -out [filename].spc

Step 3: Sign your file

1. Go to Start > Run.

2. Type CMD and click OK.

3. Change the directory to: c:\Program Files\Microsoft Platform SDK\Bin.

4. Type signtool signwizard.

5. Click Next and browse to the file you want to sign.

6. Click Next, select Custom and click Next.

7. Click Select from file and locate your .spc file and click Next.

8. Click Select from file and locate your .pvk file and click Next.

9. Select MD5 and click Next twice.

10. If you want, enter a description of your file and a website address and click Next.

11. Select Add a timestamp to the data and enter this URL:

12. Click Next and click Finish if all the information is correct.

You will find more information on Microsoft's website.