
Cyber Security

Bind Self-Signed Certificate to EXE

TL;DR

You can sign a Windows executable (EXE) with a self-signed code-signing certificate using signtool.exe from the Windows SDK, which attaches an Authenticode signature to the file. A separate technique embeds the public half of the certificate inside the executable as a resource so the application can use it at runtime. This guide covers both. Note that a self-signed signature proves only that the file has not changed since you signed it; Windows and SmartScreen will not treat the publisher as trusted unless the certificate is installed in the machine's Trusted Root and Trusted Publishers stores.

Steps

  1. Prerequisites
    • Windows SDK: Download and install the Windows SDK to get signtool.exe. Only the "Windows SDK Signing Tools for Desktop Apps" component is needed.
    • Self-Signed Certificate: Create a self-signed certificate with PowerShell (New-SelfSignedCertificate -Type CodeSigningCert), OpenSSL or a similar tool. It must carry the Code Signing extended key usage (1.3.6.1.5.5.7.3.3) or signtool will not select it. Export it as a password-protected PFX (Personal Information Exchange) file; the PFX contains the private key, so keep it out of build artefacts and source control.
    • Application to sign: The built EXE. If it already carries a signature, signtool replaces it by default; use /as to append a second signature instead.
  2. Method 1: Using signtool.exe
    1. Open a Command Prompt: Administrator rights are not needed to sign; you only need write access to the EXE and read access to the PFX. Elevate only if the EXE sits in a protected location such as Program Files.
    2. Navigate to the Directory: Change directory to where your EXE file is located (or pass full paths).
    3. Sign with Timestamp (Recommended): Use signtool to sign the application and have the signature timestamped, so it remains valid after the certificate expires.
      signtool sign /f "path\to\certificate.pfx" /p "your_password" /fd SHA256 /tr http://timestamp.digicert.com/ /td SHA256 your_application.exe

      Replace:

      • "path\to\certificate.pfx" with the actual path to your PFX certificate file.
      • "your_password" with the password for your PFX certificate (omit /p if it has none).
      • http://timestamp.digicert.com/ with a valid RFC 3161 timestamp server URL. DigiCert is a common choice, but others exist. The older /t switch (Authenticode timestamp) still works, but /tr with /td SHA256 is preferred.
      • your_application.exe with the name of your executable file.

      /fd SHA256 selects the file digest algorithm; recent Windows SDK builds of signtool refuse to sign without an explicit /fd.
    4. Verify: Check the application's properties (right-click -> Properties -> Digital Signatures) to confirm the signature is present, or run signtool verify /pa /v your_application.exe. Until the certificate is installed in the Trusted Root store, verification reports that the chain terminates in an untrusted root; the signature itself is intact, it is the trust that is missing.
  3. Method 2: Embedding Certificate in EXE (Less Common, More Complex)
    This does not make Windows trust the executable. It ships the public certificate inside the binary so the application can use it at runtime, for example to check that updates or plug-ins were signed by the same key.
    1. Resource Editor: Use a resource editor like Resource Hacker or a similar tool (or an .rc file compiled with rc.exe as part of the build).
    2. Open the EXE: Open your not-yet-signed application with the resource editor.
    3. Add Certificate as Resource: Add the public certificate (a DER-encoded .cer file) as a new resource to the executable.
      • Typically, you'll add it under a custom resource type and name (e.g., type CERTIFICATE, name SIGNER).
      • Export the DER .cer from your certificate store (Export-Certificate -Type CERT in PowerShell). Never embed the PFX: it contains the private key, and anyone who extracts the resource could sign as you.
    4. Code Modification: You'll need to modify your application's code to load and use the embedded certificate.
      • This involves reading the resource (FindResource/LoadResource/LockResource on Windows), constructing a certificate object from the bytes (X509Certificate2 in .NET, CertCreateCertificateContext in C/C++), and comparing its thumbprint or public key against the signer of whatever you are verifying.
      • The specific code will depend on your programming language (C#, C++, etc.).
    5. Recompile/Build, then sign: Rebuild the application after the code changes, embed the resource, and only then sign with Method 1. The Authenticode hash covers the resource section, so editing resources after signing invalidates the signature.
    6. Test Thoroughly: Test the application extensively to ensure the embedded certificate is loaded correctly, carries no private key, and is used as expected.
  4. Troubleshooting
    • Permissions: "Access is denied" from signtool means the EXE is read-only, in use, or in a protected directory; fix the file permissions or elevate for that case only.
    • Timestamp Server: Verify the timestamp server is reachable (proxy, firewall) and that the switch matches the endpoint: /tr needs an RFC 3161 URL, /t an Authenticode one.
    • PFX Password: Double-check the password for your PFX certificate. "No certificates were found that met all the given criteria" usually means the PFX opened but no certificate in it has the Code Signing EKU and a private key, or it has expired.
    • Certificate Validity: Ensure the self-signed certificate has not expired and, if verification must pass, that its public half is imported into Trusted Root Certification Authorities (and Trusted Publishers to suppress the publisher prompt). Self-signed certificates are untrusted by default, and SmartScreen will still warn about an unknown publisher.
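The whole of Method 1 as one runnable PowerShell script, added here as an example and not taken from the original post: it creates the self-signed code-signing certificate, exports the PFX (private) and .cer (public) files, signs the EXE with signtool and checks the result. It assumes signtool.exe is on PATH, that the target is .\your_application.exe, and that the subject name and file names are placeholders you will change.

```powershell
# Added example (not from the original post). Assumptions: signtool.exe on PATH,
# .\your_application.exe exists, subject/file names below are placeholders.
$Subject   = "CN=Example Self-Signed Code Signing"
$Exe       = ".\your_application.exe"
$PfxPath   = ".\codesign.pfx"
$CerPath   = ".\codesign.cer"
$Timestamp = "http://timestamp.digicert.com"

# Prompt for the PFX password rather than hard-coding it in the script.
$PfxPassword = Read-Host -AsSecureString -Prompt "PFX password"

# 1. Create the certificate in the current user's store. -Type CodeSigningCert sets the
#    Code Signing EKU (1.3.6.1.5.5.7.3.3) that signtool requires; DigitalSignature-only
#    key usage keeps the key from being usable for anything else.
$cert = New-SelfSignedCertificate -Subject $Subject -Type CodeSigningCert `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyAlgorithm RSA -KeyLength 3072 `
    -HashAlgorithm SHA256 -KeyUsage DigitalSignature -NotAfter (Get-Date).AddYears(2)

# 2. Export the PFX (private key, signing machine only) and the DER .cer (public, safe to ship
#    or to embed as a resource for Method 2).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# 3. Sign. /fd is the file digest; /tr + /td request an RFC 3161 timestamp so the
#    signature stays valid after the certificate itself expires.
$plain = [System.Net.NetworkCredential]::new("", $PfxPassword).Password
& signtool sign /f $PfxPath /p $plain /fd SHA256 /tr $Timestamp /td SHA256 $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# 4. Verify from PowerShell. With a self-signed signer the chain ends in an untrusted root,
#    so Status is typically UnknownError rather than Valid until the .cer is trusted (step 5);
#    the thumbprint match and timestamp still confirm the signature was applied.
function Test-ExeSignature {
    param([string]$Path, [string]$ExpectedThumbprint)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status          = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        ThumbprintMatch = ($sig.SignerCertificate.Thumbprint -eq $ExpectedThumbprint)
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
}

Test-ExeSignature -Path $Exe -ExpectedThumbprint $cert.Thumbprint

# 5. Optional, on a machine you control: trust the public certificate so verification
#    reports Valid. Writing to LocalMachine stores needs an elevated session.
# Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
# Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
# & signtool verify /pa /v $Exe
```

Only the .cer leaves the signing machine. The PFX and its password belong in a secrets store or an HSM-backed key, not in the repository next to the build script.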
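The runtime half of Method 2, as an added PowerShell example that is not from the original post: it reads a DER certificate embedded as a custom Win32 resource and checks that the file's Authenticode signer is that certificate. The resource type "CERTIFICATE" and name "SIGNER" are placeholders matching the step above; the P/Invoke declarations are the standard kernel32 resource functions, and the script assumes the resource holds a public .cer, not a PFX.

```powershell
# Added example (not from the original post). Assumes the EXE carries a DER .cer as a
# custom resource of type "CERTIFICATE" named "SIGNER" (both placeholders).
Add-Type -Namespace Win32 -Name Res -MemberDefinition @"
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FreeLibrary(IntPtr hModule);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr FindResource(IntPtr hModule, string lpName, string lpType);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
    [DllImport("kernel32.dll")]
    public static extern IntPtr LockResource(IntPtr hResData);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
"@

function Get-EmbeddedCertificate {
    param(
        [string]$ExePath,
        [string]$ResourceType = "CERTIFICATE",   # placeholder custom type
        [string]$ResourceName = "SIGNER"         # placeholder resource name
    )
    # LOAD_LIBRARY_AS_DATAFILE maps the image for resource access only; no code in it runs.
    $LOAD_LIBRARY_AS_DATAFILE = 0x2
    $hModule = [Win32.Res]::LoadLibraryEx($ExePath, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($hModule -eq [IntPtr]::Zero) {
        throw "LoadLibraryEx failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $hInfo = [Win32.Res]::FindResource($hModule, $ResourceName, $ResourceType)
        if ($hInfo -eq [IntPtr]::Zero) { throw "resource $ResourceType/$ResourceName not found" }
        $size  = [Win32.Res]::SizeofResource($hModule, $hInfo)
        $hData = [Win32.Res]::LoadResource($hModule, $hInfo)
        $ptr   = [Win32.Res]::LockResource($hData)
        $der   = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $der, 0, [int]$size)
    } finally {
        [void][Win32.Res]::FreeLibrary($hModule)
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    # A shipped resource must only ever carry the public half.
    if ($cert.HasPrivateKey) { throw "embedded certificate carries a private key; embed the .cer, not the .pfx" }
    return $cert
}

function Test-SignerMatchesEmbedded {
    param([string]$ExePath, [string]$SignedFile = $ExePath)
    $embedded = Get-EmbeddedCertificate -ExePath $ExePath
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return $false }
    # Pin on the thumbprint (hash of the DER), not the subject string, which anyone can copy.
    return $sig.SignerCertificate.Thumbprint -eq $embedded.Thumbprint
}

# Usage: the EXE checking itself, and the EXE checking a downloaded update against its pinned signer.
Test-SignerMatchesEmbedded -ExePath ".\your_application.exe"
Test-SignerMatchesEmbedded -ExePath ".\your_application.exe" -SignedFile ".\update.exe"
```

The second form is the useful one. A binary checking its own signature against a certificate stored in that same binary is defeated by anyone who can rewrite both the resource and the signature, so the embedded certificate earns its place when it pins the signer of other files (updates, plug-ins, configuration) that the application loads.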