Command Line Procedure

If you have created the certificate request on the same computer using certreq, Windows has “remembered” this open request. To install the certificate now, simply run:

›_ Console

C:\>certreq -accept -user codesign.crt
Installed Certificate:
  Serial Number: 2d0000002ba56ec00d8b611e4a00000000002b
  Subject: CN=YourCompany Code Signing, O=YourCompany, L=Aachen, C=DE
  NotBefore: 3/25/2022 8:31 AM
  NotAfter: 3/25/2023 8:31 AM
  Thumbprint: f61f71e40bcb5d14452d7edd2a034d22801fb547

Because Windows also remembers that the key for this certificate was created with the Utimaco CryptoServer Key Storage Provider, it has already associated the certificate with that key provider and container, so you can move on directly to signing code.

However, if the request was created on another computer or if you need to reinstall the certificate, an error will be shown:

›_ Console

C:\>certreq -accept -user codesign.crt
Certificate Request Processor: Cannot find object or property. 0x80092004 (-2146885628)

In that case, you first have to import the certificate and then manually associate it with the key provider and container.

  1. Run the following command to import the certificate:

›_ Console

C:\>certutil -addstore -user My codesign.crt
My "Personal"
Related Certificates:

Exact match:
Element 0:
Serial Number: 2d0000002ba56ec00d8b611e4a00000000002b
Issuer: CN=Utimaco-RootCA, DC=utimaco, DC=local
 NotBefore: 3/25/2022 8:31 AM
 NotAfter: 3/25/2023 8:31 AM
Subject: CN=YourCompany Code Signing, O=YourCompany, L=Aachen, C=DE
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.16593323.14862581.6636168.15641503.12204691.200.11148576.10529166
Cert Hash(sha1): f61f71e40bcb5d14452d7edd2a034d22801fb547
CertUtil: -addstore command completed successfully.

  2. Then, run the following command to obtain the serial number. Replace “YourCompany Code Signing” with the common name (CN field) of your certificate.

›_ Console

C:\>certutil -store -user My "YourCompany Code Signing" | findstr Serial
Serial Number: f61f71e40bcb5d14452d7edd2a034d22801fb547

  3. Use the certutil tool to link the private key on the CryptoServer with the code-signing certificate:

›_ Console

C:\>certutil -repairstore -user My <SerialNumber>
My "Personal"
================ Certificate 0 ================
Serial Number: f61f71e40bcb5d14452d7edd2a034d22801fb547
Issuer: CN=Utimaco-RootCA, DC=utimaco, DC=local
 NotBefore: 3/25/2022 8:31 AM
 NotAfter: 3/25/2023 8:31 AM
Subject: CN=YourCompany Code Signing, O=YourCompany, L=Aachen, C=DE
Non-root Certificate
Template: 1.3.6.1.4.1.311.21.8.16593323.14862581.6636168.15641503.12204691.200.11148576.10529166
Cert Hash(sha1): f61f71e40bcb5d14452d7edd2a034d22801fb547
  Key Container = tq-e5742d68-a308-4768-969c-dc11f7c3ed63
  Unique container name: D5A46CE713A51CA294D36197C327E614
  Provider = Utimaco CryptoServer Key Storage Provider
Private key is NOT exportable
Signature test passed
CertUtil: -repairstore command completed successfully.
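
The three manual steps above as one PowerShell script, added here as an example and not taken from the vendor's documentation. It reads the serial number from the certificate file instead of filtering the store by common name, which stays unambiguous when several certificates share a CN, and it fails unless certutil reports the expected provider, a non-exportable key and a passed signature test. The parameter names are hypothetical, and the string checks assume English certutil output as shown on this page.

```powershell
# Added example: import a code-signing certificate and bind it to its HSM key.
# Parameter names are hypothetical; defaults mirror the sample values on this page.
param(
    [string]$CertFile = 'codesign.crt',
    [string]$Provider = 'Utimaco CryptoServer Key Storage Provider'
)
$ErrorActionPreference = 'Stop'

# Step 1: import the certificate into the current user's Personal store.
certutil -addstore -user My $CertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit $LASTEXITCODE)" }

# Step 2: take the serial number from the file itself rather than from a
# CN search, so renewed certificates with the same CN cannot be confused.
$path     = (Resolve-Path $CertFile).Path
$fileCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$serial   = $fileCert.SerialNumber

# Step 3: link the certificate to the private key and keep the output.
$out = certutil -repairstore -user My $serial
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit $LASTEXITCODE)" }
$text = $out -join "`n"

# Verify that the key really lives in the expected provider.
if ($text -notmatch '(?m)^\s*Provider = (.+?)\s*$') {
    throw 'certutil reported no key provider for this certificate'
}
if ($Matches[1] -ne $Provider) {
    throw "Key is bound to '$($Matches[1])', expected '$Provider'"
}

# Verify that the key cannot leave the provider and that it can sign.
if ($text -notmatch 'Private key is NOT exportable') {
    throw 'Private key is not reported as non-exportable'
}
if ($text -notmatch 'Signature test passed') {
    throw 'Signature test did not pass'
}

Write-Output "Certificate $($fileCert.Thumbprint) is linked to '$Provider'"
```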