Activation Certum Code Signing SimplySign - SSLPOINT

Activation Certum Code Signing SimplySign

Instructions for activating a Certum Code Signing Certificate with SimplySign

SimplySign is a cloud-based solution that securely stores your certificate in a virtual Hardware Security Module (HSM), meeting all current industry requirements for private key protection.

The SimplySign Desktop App makes your cloud certificate available to Windows through a virtual smart card, while your mobile phone functions as a second authentication factor and secure key generator (Multi-Factor Authentication). This way, the private key never leaves the secured HSM environment, but Windows can still use the certificate for code signing.

Prerequisites

To use SimplySign, you will need the issued Certum certificate, a smartphone or tablet (Android or iOS), and a desktop computer with an internet connection. You should also have access to your email address used for the certificate order, because Certum sends the activation links there.

Components

(A) SimplySign Mobile App (Android / iOS)
The SimplySign Mobile App generates a time-based token required to log in to the SimplySign service (Multi-Factor Authentication).

Note: The SimplySign Mobile App can only be installed on one mobile device. Please select the device on which you plan to use it permanently.

(B) SimplySign Desktop App (Windows / macOS / Linux)
The SimplySign Desktop App acts as a virtual smart card that makes your cloud-based Code Signing certificate available to Windows. The private key always remains inside the secure Certum HSM.

Component | Platform | Function
SimplySign Mobile App | Android / iOS | Generates one-time passwords (OTP / tokens) for secure login
SimplySign Desktop App | Windows / macOS / Linux | Makes the cloud certificate available to Windows through a virtual smart card

(A) Installation of SimplySign Mobile App (Token Generator for Android, iOS)

The installation can only be completed after your Code Signing Certificate has been issued.

– After issuance, you will receive an email with the subject: “Certificate has been created.”

– You will also receive two additional emails with your SimplySign access details:
“Regaining access to the SimplySign service” and “Secret for regaining access to the SimplySign.”

(1) Download the SimplySign Mobile App for your device:
Android | Apple iOS

(2) On your Desktop PC or laptop, open the link from the email “Regaining access to the SimplySign service” and enter the secret code from the email “Secret for regaining access to the SimplySign”:

(3) A QR code will now be displayed – you will need it for activation on your mobile device:

(4) Open the SimplySign Mobile App on your mobile phone and tap “Activate application”:

(5) Tap “Other activation methods” (DO NOT enter your email address at this step!):

(6) Select “QR code” and scan the QR code displayed in step 3:

(7) Choose “Generate Token” and click “Finish activation”:

The SimplySign Mobile App is now successfully activated for Multi-Factor Authentication!
This mobile app will be required every time the desktop app asks for a current OTP.

(B) Installation of SimplySign Desktop App (Certificate Loader for Windows, macOS, Linux)

The software can be downloaded from Certum’s website:
Certum Software Download

During installation, select only the SimplySign Desktop App and uncheck “proCertum SmartSign”.


After installation, log in using your SimplySign email address and the current OTP token generated in the SimplySign Mobile App:


After a successful login, the SimplySign icon is added to the Windows taskbar (no separate window appears). This is expected behaviour – the app runs in the background and only exposes the cloud certificate to Windows.

Check if the SimplySign certificate is loaded

After you have logged in to the SimplySign Desktop App and the taskbar icon is visible, the code signing certificate becomes available to Windows via the virtual smart card interface (CurrentUser \ My).

To make sure that the correct certificate has been loaded – and to avoid selecting an old or expired one – you can check it in PowerShell.

Show only active (not expired) code signing certificates of the current user:

Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List

Result: you will see only the currently valid SimplySign / Certum code signing certificate(s), with full subject, CA name and validity period. This makes it easier to copy the correct SHA1 thumbprint afterwards or to decide which certificate to use with signtool.exe.

After successfully logging in to the SimplySign Desktop App, you are ready to sign your code!

(C) Signing Software and Code

You can now sign your applications, for example using:

signtool.exe

SignTool is Microsoft’s command-line utility (included in the Windows SDK) used to digitally sign and verify software on Windows.

signtool.exe sign /tr http://time.certum.pl /td sha256 /fd sha256 /a program.exe

If you have multiple certificates installed, specify the correct one using the /sha1 <SHA1 thumbprint> parameter:

signtool.exe sign /sha1 "A1B2C3D4E5A6B7C8D9E0A1B2C3D4E5A6B7C8D9E0" /tr http://time.certum.pl /td sha256 /fd sha256 program.exe

Note: The SHA1 thumbprint must be entered in uppercase letters.

Tip: If signtool.exe reports “No certificates were found that met all the given criteria”, first re-run the PowerShell check above to confirm that the certificate is visible. If it is visible, use /sha1 to force selection.
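
The check, the signing call and a verification of the result can be combined into one PowerShell function. This is an added example, not code from the original page or from Certum; the function name Invoke-SimplySignCodeSigning is hypothetical, and it assumes that signtool.exe is on PATH, that the SimplySign Desktop App is logged in, and that the issuer name of your certificate contains "Certum".

```powershell
# Added example: sign one file with exactly one valid certificate, then verify it.
function Invoke-SimplySignCodeSigning {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string] $Thumbprint,                         # optional: pin one certificate
        [string] $IssuerPattern = '*Certum*',         # assumption, adjust if yours differs
        [string] $TimestampUrl  = 'http://time.certum.pl'
    )
    $file = (Resolve-Path -LiteralPath $FilePath).Path   # full path; fails if file is missing
    $now  = Get-Date

    # Code signing certificates in CurrentUser\My that are valid right now.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Where-Object {
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and $_.Issuer -like $IssuerPattern
    })
    if ($Thumbprint) {
        $certs = @($certs | Where-Object { $_.Thumbprint -eq $Thumbprint })
    }
    if ($certs.Count -ne 1) {
        # Fail closed instead of letting the tool choose between several certificates.
        throw "Expected exactly one matching certificate, found $($certs.Count): $($certs.Thumbprint -join ', ')"
    }
    $cert = $certs[0]

    # Same parameters as the signtool.exe command shown above, with the thumbprint pinned.
    & signtool.exe sign /sha1 $cert.Thumbprint /tr $TimestampUrl /td sha256 /fd sha256 $file
    if ($LASTEXITCODE -ne 0) { throw "signtool.exe failed with exit code $LASTEXITCODE." }

    # Verify what was actually written to the file.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
        throw 'File carries a signature from a different certificate.'
    }
    if (-not $sig.TimeStamperCertificate) {
        throw 'Signature has no timestamp.'
    }

    [pscustomobject]@{
        File       = $file
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
    }
}

# Usage (program.exe is the sample file name from the commands above):
# Invoke-SimplySignCodeSigning -FilePath .\program.exe
```

If more than one valid certificate is present, the function stops and lists the thumbprints; re-run it with -Thumbprint set to the one you intend to use.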

Mage.exe (Manifest Generation and Editing Tool)

When signing with Mage.exe, enter the SHA1 thumbprint of your certificate as the CertHash parameter:

mage.exe -Sign app.exe.manifest -Algorithm sha256RSA -CertHash A1B2C3D4E5A6B7C8D9E0A1B2C3D4E5A6B7C8D9E0 -TimeStampUri http://time.certum.pl

Note: Always use full file paths enclosed in quotation marks.

SHA1 Thumbprint

To check your certificate’s SHA1 thumbprint, use the following command in PowerShell:

Get-ChildItem cert:\ -Recurse -CodeSigningCert

(D) SimplySign Desktop Options

To keep your Code Signing certificate accessible to Windows without repeatedly entering the OTP token, enable the following options. The PIN cache remains valid for 3 hours.

Right-click the SimplySign icon in your system tray and open “Options”:
CHECK – Enable PIN cache for CSP/KSP-based applications
CHECK – Clean PIN cache after disconnect


(E) Troubleshooting

  • No certificate shown in PowerShell: Re-check login in the SimplySign tray icon, do not run PowerShell as Administrator, and ensure network is available.
  • Signing tool does not see certificate: Use the /sha1 parameter or restart the SimplySign Desktop app.
  • OTP expired: Generate a new OTP in the mobile app and log in again.

Checklist

  • [ ] Mobile app installed and activated with QR
  • [ ] Desktop app installed and logged in (taskbar icon visible)
  • [ ] Certificate visible in PowerShell (Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)
  • [ ] Signing works with signtool.exe or mage.exe