AWS CloudHSM
User Guide

Microsoft SignTool with AWS CloudHSM Step 3: Sign a File

You are now ready to use SignTool and your imported certificate to sign your example file. In order to do so, you need to know the certificate's SHA-1 hash, or thumbprint. The thumbprint is used to ensure that SignTool only uses certificates that are verified by AWS CloudHSM. In this example, we use PowerShell to get the certificate's hash. You can also use the CA's GUI or the Windows SDK's certutil executable.

To obtain a certificate's thumbprint and use it to sign a file

  1. Open PowerShell as an administrator and run the following command:

    Get-ChildItem -path cert:\LocalMachine\My

    Copy the Thumbprint that is returned.

    
                    The certificate's hash is returned as the thumbprint
  2. Navigate to the directory within PowerShell that contains SignTool.exe. The default location is C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64.

  3. Finally, sign your file by running the following command. If the command is successful, PowerShell returns a success message.

    signtool.exe sign /v /fd sha256 /sha1 <thumbprint> /sm /as C:\Users\Administrator\Desktop\<test>.ps1
    
                    The .ps1 file was successfully signed.
  4. (Optional) To verify the signature on the file, use the following command:

    signtool.exe verify /v /pa C:\Users\Administrator\Desktop\<test>.ps1