Microsoft SignTool with AWS CloudHSM step 3: Sign a file

You are now ready to use SignTool and your imported certificate to sign your example file. In order to do so, you need to know the certificate's SHA-1 hash, or thumbprint. The thumbprint is used to ensure that SignTool only uses certificates that are verified by AWS CloudHSM. In this example, we use PowerShell to get the certificate's hash. You can also use the CA's GUI or the Windows SDK's certutil executable.

To obtain a certificate's thumbprint and use it to sign a file

Open PowerShell as an administrator and run the following command:
```
Get-ChildItem -path cert:\LocalMachine\My
```
Copy the Thumbprint that is returned.
Navigate to the directory within PowerShell that contains SignTool.exe. The default location is C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64.
Finally, sign your file by running the following command. If the command is successful, PowerShell returns a success message.
```
signtool.exe sign /v /fd sha256 /sha1 <thumbprint> /sm C:\Users\Administrator\Desktop\<test>.ps1
```
(Optional) To verify the signature on the file, use the following command:
```
signtool.exe verify /v /pa C:\Users\Administrator\Desktop\<test>.ps1
```

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Microsoft SignTool with AWS CloudHSM step 2: Create a signing certificate

Java Keytool and Jarsigner