Instructions for activating a Certum Code Signing certificate in the cloud with SimplySign
SimplySign is a cloud-based service that deploys the certificate in a virtual hardware security module (HSM) to meet industry requirements for private key protection.
Prerequisites
To use SimplySign you need the issued Certum certificate, a smartphone or tablet (Android / iOS), and a desktop PC with internet access.
Components
The software for signing your code consists of two components:
(A) SimplySign Mobile App Code Generator (Android / iOS)
SimplySign Mobile generates the time-dependent token for logging in to SimplySign (Multi-Factor Authentication).
Note: The SimplySign Mobile App can only be installed on one mobile device. Please choose the device where you want to use it permanently.
(B) SimplySign Desktop Version (Windows / MacOS / Linux)
SimplySign Desktop acts as a virtual cryptographic token for your Code Signing certificate.
This virtual token contains the Code Signing certificate and the private key.
The software is available for download on Certum’s website: Certum Software Download
(A) Installation SimplySign Mobile App Code Generator (Android / iOS)
The installation can only be finished after the Code Signing Certificate has been issued.
*) After successful issuance you will receive an email with the subject: “Certificate has been created”
*) You will also receive the access code for SimplySign (2 emails):
“Regaining access to the SimplySign service” and “Secret for regaining access to the SimplySign”
(1) Please install the SimplySign Mobile App for your device: Android or Apple iOS
(2) Follow the link included in the email “Regaining access to the SimplySign service” on your PC and enter the access code from the email “Secret for regaining access to the SimplySign”:
(3) A QR code is now displayed – you will need this for the installation on your mobile device:
(4) Please start the SimplySign Mobile App on your mobile device and click on “Activate application”:
(5) Click on “Other activation methods” (do not enter your email address here!):
(6) Click on “QR code” and scan the QR code from step 3:
(7) Select the option “Generate Token” and click on “Finish activation”:
The activation of the SimplySign Mobile App for Multi-Factor Authentication is now complete!
(B) Installation SimplySign Desktop App (Windows, Mac, Linux)
The software is available for download on Certum’s website: Certum Software Download
After installation, please enter your SimplySign email address and the current SimplySign Mobile App OTP token to log in:
After successful authentication, your Certum Code Signing certificate is available in the local keystore and ready for signing.
Signing software and code
You can now sign your software, e.g.:
signtool.exe
signtool.exe sign /tr http://time.certum.pl /td sha256 /fd sha256 /a program.exe
signtool.exe sign /sha1 "A1B2C3D4E5A6B7C8D9E0A1B2C3D4E5A6B7C8D9E0" /tr http://time.certum.pl /td sha256 /fd sha256 program.exe
Mage.exe (Manifest Generation and Editing Tool)
Please input the SHA1 thumbprint of your certificate as the CertHash parameter:
mage.exe -Sign app.exe.manifest -Algorithm sha256RSA -CertHash A1B2C3D4E5A6B7C8D9E0A1B2C3D4E5A6B7C8D9E0 -TimeStampUri http://time.certum.pl
SHA1 Thumbprint
You can check the thumbprint of your certificate in PowerShell with the following command:
Get-ChildItem cert:\ -Recurse -CodeSigningCert
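The thumbprint lookup and the signtool.exe call above, combined into one script with a verification step. This is an added example, not Certum's own code. It assumes signtool.exe is on PATH and that SimplySign Desktop is logged in so the certificate appears in the current user's My store, which is where signtool.exe looks by default.

```powershell
# Added example: sign with an explicit thumbprint, then verify signature and timestamp.
param(
    [Parameter(Mandatory)] [string] $Path,            # file to sign, e.g. program.exe
    [string] $TimestampUrl = 'http://time.certum.pl'  # timestamp URL used on this page
)
$ErrorActionPreference = 'Stop'

# Code signing certificates that are currently valid and have a usable private key.
# Assumption: the SimplySign certificate is visible in Cert:\CurrentUser\My.
$now = Get-Date
$candidates = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now })

if ($candidates.Count -ne 1) {
    # Refuse to guess: with /a, signtool would pick a certificate on its own.
    $candidates | Format-List Subject, Issuer, Thumbprint, NotAfter | Out-Host
    throw "Expected exactly one usable code signing certificate, found $($candidates.Count)."
}
$thumb = $candidates[0].Thumbprint

# Assumption: signtool.exe (Windows SDK) is on PATH.
& signtool.exe sign /sha1 $thumb /tr $TimestampUrl /td sha256 /fd sha256 $Path
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify independently of signtool's own success message.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $thumb) {
    throw 'File was signed with an unexpected certificate.'
}
if (-not $sig.TimeStamperCertificate) {
    # Without a timestamp the signature stops validating once the certificate expires.
    throw 'Signature carries no timestamp.'
}

# Summary object for build logs.
[pscustomobject]@{
    File        = $Path
    Signer      = $sig.SignerCertificate.Subject
    Thumbprint  = $thumb
    Timestamper = $sig.TimeStamperCertificate.Subject
}
```

Saved under a hypothetical name such as Sign-AndVerify.ps1, it is run as `.\Sign-AndVerify.ps1 -Path program.exe` and stops the build on any failed check.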
SimplySign Desktop Options
To keep the code signing certificate in the local truststore without re-entering the token, you can set up the following options. The PIN cache is valid for 3 hours.
CHECK – Enable PIN cache for CSP/KSP-based applications
CHECK – Clean PIN cache after disconnect