Instructions for activating a Certum Code Signing certificate in the cloud with SimplySign
SimplySign is a cloud-based service to deploy the certificate in a virtual hardware security module (HSM) due to industry requirements for private key protection.
Prerequisites
To use SimplySign you need the issued Certum certificate, a smartphone or tablet (Android / iOS), and a desktop PC with internet access
Components
The software for signing your code consists of two components:
SimplySign Mobile generates the time-dependent token for logging in to SimplySign (Multi-Factor Authentication)
(B) SimplySign Desktop Version (Windows / MacOS / Linux)
SimplySign Desktop acts as a virtual cryptographic token for your Code Signing certificate.
This virtual token contains the Code Signing certificate and the private key.
The software is available for download on Certum’s website: Certum Software Download
(A) Installation SimplySign Mobile App Code Generator (Android / iOS)
The installation can only be finished after the Code Signing Certificate has been issued.
*) After successful issuance you will receive an email with the subject: “Certificate has been created”*) You will also receive the access code for SimplySign (2 emails):
“Regaining access to the SimplySign service” and “Secret for regaining access to the SimplySign”
(1) Please install the SimplySign Mobile App for your device: Android or Apple iOS
(2) Follow the link included in the email “Regaining access to the SimplySign service” on your PC and enter the access code from the email “Secret for regaining access to the SimplySign”:

(3) A QR code is now displayed – you will need this for the installation on your mobile device:

(4) Please start the SimplySign Mobile App on your mobile device and click on “Activate application”:

(5) Click on “Other activation methods”:

(6) Click on “QR code” and scan the QR code from step 3:

(7) Select the option “Generate Token” and click on “Finish activation”:

The activation of the SimplySign Mobile App for Multi-Factor Authentication is now complete!
(B) Installation SimplySign Desktop App (Windows, Mac, Linux)
The software is available for download on Certum’s website: Certum Software Download

After successful authentication, your Certum Code Signing certificate is available in the local keystore and ready for signing.
Signing software and code
You can now sign your software, e.g.:
signtool.exe
1 | signtool.exe sign /tr http://time.certum.pl /td sha256 /fd sha256 /a program.exe |
signtool.exe sign /tr http://time.certum.pl /td sha256 /fd sha256 /a program.exe
1 | signtool.exe /n "Acme Inc." sign /tr http://time.certum.pl /td sha256 /fd sha256 program.exe |
signtool.exe /n "Acme Inc." sign /tr http://time.certum.pl /td sha256 /fd sha256 program.exe
1 | signtool.exe /sha1 "a1b2c3d4e5a6b7c8d9e0a1b2c3d4e5a6b7c8d9e0" sign /tr http://time.certum.pl /td sha256 /fd sha256 program.exe |
signtool.exe /sha1 "a1b2c3d4e5a6b7c8d9e0a1b2c3d4e5a6b7c8d9e0" sign /tr http://time.certum.pl /td sha256 /fd sha256 program.exe
Mage.exe (Manifest Generation and Editing Tool)
Please input the SHA1 thumbprint of your certificate as CertHash parameter:
1 | mage.exe -Sign app.exe.manifest -Algorithm sha256RSA -CertHash a1b2c3d4e5a6b7c8d9e0a1b2c3d4e5a6b7c8d9e0 -TimeStampUri http://time.certum.pl |
mage.exe -Sign app.exe.manifest -Algorithm sha256RSA -CertHash a1b2c3d4e5a6b7c8d9e0a1b2c3d4e5a6b7c8d9e0 -TimeStampUri http://time.certum.pl
SHA1 Thumbprint
You can check the thumbprint of your certificate in the PowerShell with the following command:
1 | Get-ChildItem cert:\ -Recurse -CodeSigningCert |
Get-ChildItem cert:\ -Recurse -CodeSigningCert
