Skip to main content

How to sign Microsoft Authenticodes with Entrust CSaaS (Code Signing as a Service)

User-added image
How to sign a Microsoft Authenticodes with Entrust CSaaS (Code Signing as a Service)


This is a workaround step for signing Microsoft Authenticode using the PKCS11 function with a third-party tool called Jsign from ebourg github .

The Entrust signing client tool does not support CNG signing directly using Microsoft's sign tool in this release.


Several tasks need to be completed before signing the codes

These tasks can be found on the Home screen. To view the requirement tasks, follow the steps below:

1. Login to your ECS portal

2. On your Home screen, click on the Get Started Tab.

3. On the left column, click on Signing Automation Service. Complete the requirement steps in sequence.

4. You may click on the Signing Automation Service Documentation as the reference.

5. Java Development Kit installed and working correctly.

6. The JSign tool has been downloaded and saved it to your computer. The filename is Jsign-5.0.jar.

Step by step to sign the Microsoft Authenticodes using Entrust CSaaS:

1. Create csaas.cfg file. You only need to create this file once.

In any line editor (Notepad, for example), create a text file containing the lines below and save it to your JDK bin folder (for example, C:\Program Files (x86)\Java\jre1.8.0_65\bin) as csaas.cfg. Note: You must use a double-backslash ( \\ )for an absolute path.

name = Entrust
library=C:\\Program Files\\Entrust\\SigningClient\\P11SigningClient64.dll

2. In the command prompt, type Signingclient

This step ensures that the Signing Client Tool is installed correctly and working. The correct result is shown in the screenshot below.

User-added image

3. Find your private key alias name for the private key in your SAS environment. You can run the command:

signingclient list keys

You should see the label name, which will be your alias. In this example, the label name is Staging SG team
User-added image

4. You can run the dir command to ensure the Jsign file is in the same folder as the Java bin folder.

dir jsign*

If the file does not exist, copy the downloaded Jsign-5.0.jar to the Java bin folder.
User-added image

5. You are ready to sign the Authenticodes. Enter the following command:

java -jar jsign-5.0.jar --keystore <your config file> --alias <your ALIAS name>  -storepass <your private key store password> --storetype PKCS11 --tsaurl  --tsmode RFC3161 <your codes file>


<your config file> Your configuration file for the SAS environment. In this example: csaas.cfg
<your codes file> Your own Java codes. In this example, testsign.exe
<your ALIAS name> Your alias name/friendly name/label.
In this example, the alias name is Staging SG team

The alias name is case-sensitive.
<your private key store password> The private key store password you created while activating the signing client license.
In this example, the password is entrust

This switch is optional. If you don't use the storepass switch, you must manually enter the password when prompted.


java -jar jsign-5.0.jar --keystore csaas.cfg --alias "Staging SG team"  -storepass entrust --storetype PKCS11 --tsaurl  --tsmode RFC3161 c:\test\testsign.exe

User-added image

6.  You can just run the verify command below to ensure the code signing has been done successfully.

Before running this command, please install your Windows SDK for Windows 10.

You can go to the command prompt where your signtool.exe is located.

Run the command:

SignTool verify /pa /v <filename>


SignTool verify /pa /v c:\test\testsign.exe

You should see the successfully verified message if you signed your codes successfully.

User-added image