A certificate is purchased from a certificate authority (like VeriSign) because the certificate authority verifies your identity and the certificate they issue to you points to their certificate authority certificate that is already installed on PCs. It is a best practice to buy your signing certificate.
If you do not want to buy a certificate, then you must create your own certificate authority and a signing certificate derived from it. The certificate authority certificate must be installed on all of the PCs that will run your application. Many system administrators will not want to do this. If you are the system administrator for all of the PCs that will run your application, then it is something you may decide to do.
In all of the instructions below, replace COMPANYNAME with an abbreviation of your company name (like TATA, XEROX, IBM, HP, IAD, etc.)
I did this from memory so I hope it works for you. I don't claim to be an expert in this topic. But, after a lot of research and experimentation this process worked for me recently.
1. Create Certificate Authority Certificate
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME" -cy authority -a sha1 -sv "COMPANYNAME.pvk" -r "COMPANYNAME.cer"
This will ask you for a password. Don't forget it!
2. Open MMC (Run mmc.exe)
* Click File then "Add/Remove Snap-in"
* Select Certificates from the left list, click "Add".
* Select "My user account", Click Finish
* Select Certificates from the list again and "Add" it
* Select "Computer account".
* Save This configuration of MMC (File, then Save) as "Certificates.msc" in the Start Menu, Programs, Administrative Tools directory so that you can access it in the future.
3. Install the new certificate authority certificate into the trusted store Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates ) of the computer that will do the signing and all of the computers that will run your application.
* Double-click Certificates (Local Computer)
* Right click on "Trusted Root Certification Authorities". Select "All Tasks", then "Import".
* Select the new certificate (*.cer), and place it into "Trusted Root Certification * Authorities".
The computer now implicitly trusts all certificates signed by that new certificate authority.
4. Create a signing certificate that is derived from the new certificate authority and store it in the Certificates - Current User / Personal / Certificates store on the PC that will do the signing. You do not have to install this certificate on your user's computers.
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\makecert -n "CN=COMPANYNAME Software" -ic "COMPANYNAME.cer" -iv "COMPANYNAME.pvk" -a sha1 -sky exchange -pe -sr currentuser -ss my "COMPANYNAMESoftware.cer"
This will ask you for a password with which to lock the new private key you are creating for this certificate.
It will also ask you for the password to the certificate authority's private key from Step 1 above.
* Right click on "Personal" in "Certificates - Current User". Select "All Tasks", then "Import". Select the new certificate "COMPANYNAMESoftware.cer".
5. Create a BAT file in C:\BAT named SIGNCODE.BAT what contains this:
REM create an array of timestamp servers...
REM The SET statement should be all on one line.
REM sign the file...
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe sign /n "COMPANYNAME Software" %1
for /L %%a in (1,1,300) do (
for %%s in %SERVERLIST% do (
Echo Try %%s
REM try to timestamp the file. This operation is unreliable and may need to be repeated...
C:\"Program Files (x86)"\"Windows Kits"\8.0\bin\x86\signtool.exe timestamp /t %%s %1
REM check the return value of the timestamping operation and retry a max of ten times...
if ERRORLEVEL 0 if not ERRORLEVEL 1 GOTO succeeded
echo Signing failed. Probably cannot find the timestamp server at %%s
set /a timestampErrors+=1
Rem Wait 6 seconds
choice /N /T:6 /D:Y >NUL
REM wait 12 seconds...
choice /N /T:12 /D:Y >NUL
REM return an error code...
echo sign.bat exit code is 1. There were %timestampErrors% timestamping errors.
exit /b 1
REM return a successful code...
echo sign.bat exit code is 0. There were %timestampErrors% timestamping errors.
exit /b 0
6. Sign the program
In a CMD Window, navigate to the directory that contains the program to be signed and run the BAT file.
where "SETUP.EXE" is the program to be signed.