MDN’s new design is in Beta! A sneak peek:

Signing an executable with Authenticode

This article describes how to digitally sign your executable file, mainly a Windows application installer, with a Microsoft Authenticode Digital ID.


Microsoft has, of course, their own signing tools in the SDK, but another option is to use Mono. Mono's signing tools allow us to sign an executable even on a Mac or Linux box. These steps described here assume you're working on Mac.

Install Mono

Download and install the latest version of the Framework. It's open source and free software!

Set path

export PATH=${PATH}:/Library/Frameworks/Mono.framework/Commands

Export your certificate

  1. Open the Certificate Manager on Windows. Click the Start button and type certmgr.msc into the Search box.
  2. Find the certificate of your organization.
  3. Right-click on the certificate and select All Tasks > Export.
  4. In the Certificate Export Wizard, click Next.
  5. Select "Yes, export the private key" and click Next.
  6. Check "Include all certificates in the certificate path if possible" and click Next.
  7. Enter an arbitrary password to protect your secret key and click Next.
  8. Enter the file name, e.g. authenticode.pfx.
  9. Complete exporting. A PFX file will be exported on your desktop.

Convert your certificate to SPC/PVK format

With OpenSSL, convert the PFX file to PVK and SPC files. OpenSSL comes with Mac.

openssl pkcs12 -in authenticode.pfx -nocerts -nodes -out key.pem
openssl rsa -in key.pem -outform PVK -pvk-strong -out authenticode.pvk
openssl pkcs12 -in authenticode.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out authenticode.spc

Once you get PVK and SPC files, keep them in safe custody. Delete the PFX and PEM files.


signcode \
 -spc authenticode.spc \
 -v authenticode.pvk \
 -a sha1 -$ commercial \
 -n My\ Application \
 -i \
 -t \
 -tr 10 \


Document Tags and Contributors

 Contributors to this page: teoli, Kohei, George3
 Last updated by: Kohei,