How to sign applications with an EV code signing certificate using SignTool

 

 Overview 

By following this article, you will sign an executable (.exe) or installer (.msi) file with an Extended Validation (EV) code signing certificate stored on a Universal Serial Bus (USB) token, and then confirm that the file is signed and timestamped. It covers the prerequisites, the SignTool command used to sign a file, the certificate's Subject / Common Name (CN) value the command needs, the most useful SignTool options, and how to verify success. SignTool is a Microsoft command-line tool that digitally signs files, verifies signatures, and applies trusted timestamps. 

What is an EV code signing certificate? 

An EV code signing certificate is a high-assurance certificate used to sign software so that operating systems and users can confirm the publisher's identity and that the file has not been altered. With an EV certificate, the private key is held on a hardware USB token and cannot be exported. 

Prerequisites 

Before you start, make sure you have: 

  • The Microsoft Windows Software Development Kit (SDK), which includes SignTool. 

  • The SafeNet Authentication Client, which exposes the private key on the USB token to SignTool. 

Note: The private key provisioned on the USB token cannot be exported as a PFX / PKCS#12 (P12) file. 

 

Steps to sign a file 

  1. Open the Windows Command Prompt. 

  2. Run the following command, which signs the application using the EV code signing certificate stored on the USB token: 

SignTool sign /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Your Company Name Inc." "C:\path\to\FileToSign.exe" 

  3. Replace "Your Company Name Inc." with your certificate's Subject / Common Name (CN). To find it, double-click the EV code signing certificate and open the Details tab, as shown in Figure 1. The /n option matches a substring of the subject name, so enter the full CN exactly as it appears on the certificate; otherwise SignTool may pick a different certificate whose subject shares part of the name. 

Figure 1. Certificate dialog, Details tab: the Subject / Common Name (CN) value ("Your Company Name Inc.") is the name to enter after the /n option. 

  4. Replace "C:\path\to\FileToSign.exe" with the actual path to the .exe or .msi file you want to sign, for example C:\Users\Desktop\foo.exe. 

  5. Press Enter. The SafeNet Authentication Client prompts for the token password (PIN) before the private key on the USB token can be used. If the file is signed successfully, SignTool returns: 

Done Adding Additional Store 

Successfully signed and timestamped: FOO.exe 
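The whole procedure above, written as a PowerShell script that signs several files in one go and stops on the first failure. This is an added example, not part of the original article: the certificate CN, the file paths and the SDK location are placeholder assumptions that you replace with your own values.

```powershell
# Added example (not from the original article): sign one or more .exe/.msi files with
# the EV certificate held on the USB token, using the same SignTool options as the
# article, and fail fast if any file does not sign.
# Assumptions (hypothetical values): the certificate CN, the file list, and the
# Windows SDK install path below.

$ErrorActionPreference = 'Stop'

$CertCN = 'Your Company Name Inc.'        # Subject / CN from the certificate's Details tab
$TsaUrl = 'http://timestamp.sectigo.com'   # RFC 3161 timestamp server used by the article
$Files  = @('C:\build\foo.exe', 'C:\build\foo-setup.msi')   # constructed sample paths

# Locate the newest x64 signtool.exe shipped with the Windows SDK. Adjust the search
# root if your SDK is installed elsewhere.
$SignTool = Get-ChildItem -Path "${env:ProgramFiles(x86)}\Windows Kits\10\bin" `
                -Filter signtool.exe -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like '*\x64\*' } |
            Sort-Object FullName -Descending |
            Select-Object -First 1
if (-not $SignTool) { throw 'signtool.exe not found; install the Windows SDK first.' }

foreach ($file in $Files) {
    if (-not (Test-Path -Path $file)) { throw "File not found: $file" }

    # /fd sha256 digests the file, /td sha256 digests the timestamp request.
    # /td must follow /tr on the command line. The SafeNet client prompts for the
    # token PIN the first time the private key is used in this session.
    & $SignTool.FullName sign /tr $TsaUrl /td sha256 /fd sha256 /n $CertCN $file
    if ($LASTEXITCODE -ne 0) {
        throw "SignTool failed for $file (exit code $LASTEXITCODE)"
    }
}

Write-Host "Signed $($Files.Count) file(s) as '$CertCN'."
```

Checking $LASTEXITCODE after every call matters: SignTool writes its error to the console but the script would otherwise carry on and report success for an unsigned file.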

Most used SignTool options 

Option      Description 

/a          Automatically selects the best signing certificate. SignTool finds all valid certificates that meet the specified conditions and selects the one valid for the longest time. 

/n          Specifies the Subject Name of the signing certificate. The value can be a substring of the full subject name. 

/fd         Specifies the file digest algorithm used to create the signature. 

/tr         Specifies the web address (URL) of the RFC 3161 timestamp server. 

/td         Specifies the timestamp digest algorithm. Must be placed after /tr on the command line. Recommended. 

/sha1       Selects the signing certificate by its Secure Hash Algorithm 1 (SHA-1) thumbprint. Use it instead of /n when more than one certificate in the store matches the subject name. 

/csp        Specifies the Cryptographic Service Provider (CSP) that holds the private key container. 

 

How to verify success 

  1. Right-click the signed file and select Properties. 

  2. Open the Digital Signatures tab. If this tab appears, the file is signed, as shown in Figure 2. If the tab is missing, the file carries no signature. 

Figure 2. File Properties, Digital Signatures tab: the signature list confirms the file is signed with a sha256 digest algorithm and shows the applied timestamp. 

  3. Select a signature and click Details to view the signing certificate and timestamp information. The Details dialog also states whether the signature is valid and lists the timestamp countersignature that was applied. 
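The same check done from the command line, so it can run in a build pipeline rather than by hand in the Properties dialog. This is an added example and not part of the original article; it uses PowerShell's built-in Get-AuthenticodeSignature cmdlet and SignTool's own verify command. The file path and publisher name are placeholder assumptions, and signtool.exe is assumed to be on PATH.

```powershell
# Added example (not from the original article): confirm that a file is signed, that the
# signature chains to a trusted root, that the expected publisher signed it, and that a
# timestamp countersignature is present.
# Assumptions (hypothetical values): the file path and the expected CN below;
# signtool.exe is assumed to be on PATH.

$ErrorActionPreference = 'Stop'

$File      = 'C:\build\foo.exe'           # constructed sample path
$Publisher = 'Your Company Name Inc.'     # expected Subject / CN of the signing certificate

$sig = Get-AuthenticodeSignature -FilePath $File

# Status is 'Valid' only when the hash matches and the chain builds to a trusted root.
# Other values include NotSigned, HashMismatch and NotTrusted.
if ($sig.Status -ne 'Valid') {
    throw "Signature status for $File is '$($sig.Status)': $($sig.StatusMessage)"
}

# A valid signature from the wrong certificate is still a failure for release purposes.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*CN=$Publisher*") {
    throw "Unexpected signer: $subject"
}

# Without a timestamp countersignature the signature stops validating once the
# signing certificate expires, so treat its absence as an error.
if (-not $sig.TimeStamperCertificate) {
    throw "No timestamp on $File; re-sign with /tr and /td."
}

Write-Host "OK: $File is signed by '$subject'"
Write-Host "    signing certificate expires $($sig.SignerCertificate.NotAfter)"
Write-Host "    timestamped by $($sig.TimeStamperCertificate.Subject)"

# Second opinion from SignTool: /pa applies the default Authenticode policy and
# /v prints the full certificate chain and the timestamp details.
& signtool verify /pa /v $File
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed (exit code $LASTEXITCODE)" }
```

Matching the signer's CN explicitly is the step people skip: a file can report a valid signature from any trusted publisher, including a stale test certificate, and only the subject check catches that.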

Similar questions 

  • How do I sign an .exe file with an EV code signing certificate? 

  • How do I sign an application using SignTool from the command line? 

  • Which SignTool command timestamps a signed file with Sectigo? 

  • How do I check whether a file is already signed and timestamped? 

  • Why can't I export the private key from my USB token as a PFX file? 
