Recently I have been testing signing executable installers and needed a self-signed certificate for testing purposes. Below I outline a very simple way to go about this after trying several different methods.
Generating a self-signed certificate for code signing
Execute the following from an elevated PowerShell prompt.
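> # Create a self-signed code-signing certificate in the local machine's Personal store
> $cert = New-SelfSignedCertificate -DnsName test.name.com -CertStoreLocation cert:\LocalMachine\My -Type CodeSigningCert
> # Use a variable other than $pwd, which is PowerShell's automatic current-directory variable
> $pfxPassword = ConvertTo-SecureString -String "MyPassword" -Force -AsPlainText
> # Export the certificate and its private key to a password-protected PFX file
> Export-PfxCertificate -Cert $cert -FilePath mycert.pfx -Password $pfxPassword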
If you are using signtool.exe to sign your executable, you can now use the generated pfx certificate as follows:
> signtool.exe sign /f mycert.pfx /p MyPassword myapp.exe
Obtaining SignTool.exe
Note: to obtain signtool.exe without installing the complete Windows SDK, download the ISO for the Windows SDK from https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/. Mount the ISO, open the Installers folder, and install the appropriate msi for Windows App Certification Kit.
In my case I installed Windows App Certification Kit x64-x86_en-us.msi, which installs the executable to C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe.
Deleting these self-signed certificates
To clean up after testing, you probably want to delete these from your certificate store. Open the certificate store (search with Win+S for certificates and open Manage Computer Certificates).
Under Personal\Certificates\ and Intermediate Certification Authorities\Certificates\, delete the certificates you installed earlier. They will have as their issuer name the -DnsName you assigned them earlier.
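The same cleanup can be scripted instead of done through the certificate manager. The following is an added example, not code from the original post: the function name Remove-TestSigningCert and its parameters are hypothetical, and it assumes the certificate subject is CN= followed by the -DnsName value used earlier.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
function Remove-TestSigningCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DnsName,  # value passed to -DnsName earlier
        [string]$PfxPath                                  # optional: exported .pfx to delete
    )
    $subject = "CN=$DnsName"   # assumption: subject is CN=<DnsName>

    # Personal and Intermediate Certification Authorities stores of the local machine
    foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA') {
        # Match only self-signed certificates (Issuer equals Subject) carrying the test name,
        # so certificates issued by a real CA are never touched
        $found = Get-ChildItem -Path $store |
            Where-Object { $_.Subject -eq $subject -and $_.Issuer -eq $_.Subject }

        foreach ($cert in $found) {
            $path = "$store\$($cert.Thumbprint)"
            if ($PSCmdlet.ShouldProcess($path, 'Delete certificate')) {
                if ($cert.HasPrivateKey) {
                    # -DeleteKey also removes the private key stored on this machine
                    Remove-Item -Path $path -DeleteKey
                } else {
                    Remove-Item -Path $path
                }
            }
        }
    }

    # The exported PFX still contains the private key, so remove it as well
    if ($PfxPath -and (Test-Path -LiteralPath $PfxPath)) {
        if ($PSCmdlet.ShouldProcess($PfxPath, 'Delete exported PFX')) {
            Remove-Item -LiteralPath $PfxPath
        }
    }
}

# Preview what would be deleted, then delete for real
Remove-TestSigningCert -DnsName 'test.name.com' -PfxPath .\mycert.pfx -WhatIf
Remove-TestSigningCert -DnsName 'test.name.com' -PfxPath .\mycert.pfx
```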