Activation Certum Code Signing SimplySign - SSLPOINT

Instructions for activating a Certum Code Signing certificate in the cloud with SimplySign

SimplySign is a cloud-based service that deploys the certificate in a virtual hardware security module (HSM) to meet industry requirements for private key protection.

The SimplySign desktop app makes the certificate available in your local trust store, with your mobile phone generating the login token (Multi-Factor Authentication).

Prerequisites

To use SimplySign you need the issued Certum certificate, a smartphone or tablet (Android / iOS), and a desktop PC with internet access.

Components

The software for signing your code consists of two components:

(A) SimplySign Mobile Version (Android / iOS)
SimplySign Mobile generates the time-dependent token for logging in to SimplySign (Multi-Factor Authentication)
Note: The SimplySign Mobile App can only be installed on one mobile device. Please choose the device where you want to use it permanently.
(B) SimplySign Desktop Version (Windows / MacOS / Linux)
SimplySign Desktop acts as a virtual cryptographic token for your Code Signing certificate.
This virtual token contains the Code Signing certificate and the private key.
The software is available for download on Certum’s website: Certum Software Download

(A) Installation SimplySign Mobile App Code Generator (Android / iOS)

The installation can only be finished after the Code Signing Certificate has been issued.

*) After successful issuance you will receive an email with the subject: “Certificate has been created”
*) You will also receive the access code for SimplySign (2 emails):
“Regaining access to the SimplySign service” and “Secret for regaining access to the SimplySign”
(1) Please install the SimplySign Mobile App for your device: Android or Apple iOS
(2) Follow the link included in the email “Regaining access to the SimplySign service” on your PC and enter the access code from the email “Secret for regaining access to the SimplySign”:

(3) A QR code is now displayed – you will need this for the installation on your mobile device:

(4) Please start the SimplySign Mobile App on your mobile device and click on “Activate application”:

(5) Click on “Other activation methods” (do not enter your email address here!):

(6) Click on “QR code” and scan the QR code from step 3:

(7) Select the option “Generate Token” and click on “Finish activation”:

The activation of the SimplySign Mobile App for Multi-Factor Authentication is now complete!

(B) Installation SimplySign Desktop App (Windows, Mac, Linux)

The software is available for download on Certum’s website: Certum Software Download

You only need to install the SimplySign Desktop App – you can deselect “proCertum SmartSign” during installation.
After installation, please enter your SimplySign email address and the current SimplySign Mobile App OTP token to log in.
After successful authentication, your Certum Code Signing certificate is available in the local keystore and ready for signing.

Signing software and code

You can now sign your software, e.g.:

signtool.exe

signtool.exe sign /tr http://time.certum.pl /td sha256 /fd sha256 /a program.exe
If you have multiple certificates, you can select the certificate with the /sha1 parameter:
signtool.exe sign /sha1 "A1B2C3D4E5A6B7C8D9E0A1B2C3D4E5A6B7C8D9E0" /tr http://time.certum.pl /td sha256 /fd sha256 program.exe
Note: The SHA1 thumbprint should be in capital letters.

Mage.exe (Manifest Generation and Editing Tool)

Please enter the SHA1 thumbprint of your certificate as the CertHash parameter:

mage.exe -Sign app.exe.manifest -Algorithm sha256RSA -CertHash A1B2C3D4E5A6B7C8D9E0A1B2C3D4E5A6B7C8D9E0 -TimeStampUri http://time.certum.pl
Note: Please use full paths enclosed in quotation marks.

SHA1 Thumbprint

You can check the thumbprint of your certificate in PowerShell with the following command:

Get-ChildItem cert:\ -Recurse -CodeSigningCert
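
The following PowerShell script is an added example, not part of the original page or Certum's documentation. It combines the thumbprint lookup with the signtool.exe command from this page: it normalizes a pasted thumbprint, confirms the certificate is present and valid, signs, and then verifies the signer and timestamp. The parameter names $File and $Thumbprint are assumptions, as is signtool.exe being on PATH.

```powershell
# Added example, not from the original page. Assumes signtool.exe is on PATH
# and SimplySign Desktop is logged in; parameter names are illustrative.
param(
    [Parameter(Mandatory)] [string] $File,        # binary to sign
    [Parameter(Mandatory)] [string] $Thumbprint   # SHA1 thumbprint, as pasted
)
$ErrorActionPreference = 'Stop'
$File = (Resolve-Path -LiteralPath $File).Path    # full path, as signtool will see it

# Normalize: drop spaces and any other non-hex characters picked up by
# copy-paste, then upper-case as the page's note on /sha1 asks.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { throw "Not a SHA1 thumbprint: '$Thumbprint'" }

# signtool's /sha1 looks in the current user's "My" store by default,
# so check there that the certificate is present and currently valid.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No code signing certificate $thumb in CurrentUser\My (is SimplySign Desktop logged in?)" }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $thumb is outside its validity period."
}

# Sign with the pinned certificate, using the flags from this page.
& signtool.exe sign /sha1 $thumb /tr http://time.certum.pl /td sha256 /fd sha256 $File
if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }

# Verify the result: valid signature, expected signer, timestamp present.
$sig = Get-AuthenticodeSignature -LiteralPath $File
if ($sig.Status -ne 'Valid') { throw "Signature status $($sig.Status): $($sig.StatusMessage)" }
if ($sig.SignerCertificate.Thumbprint -ne $thumb) { throw 'Signed by an unexpected certificate.' }
if (-not $sig.TimeStamperCertificate) { throw 'Signature carries no timestamp.' }
"Signed and verified: $File ($($sig.SignerCertificate.Subject))"
```

Pinning the thumbprint instead of using /a makes the build fail when the expected certificate is missing, rather than signing with whichever certificate signtool selects.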

SimplySign Desktop Options

To keep the code signing certificate in the local truststore without re-entering the token, you can set up the following options. The PIN cache is valid for 3 hours.

Right-click on the SimplySign icon to open the dialog – please click on “Options”:
CHECK – Enable PIN cache for CSP/KSP-based applications
CHECK – Clean PIN cache after disconnect