Cryptography Tools

Cryptography tools provide command-line tools for code signing, signature verification, and other cryptography tasks.

Introduction to Code Signing

The software industry must provide users with the means to trust code including code published on the Internet. Many webpages contain only static information that can be downloaded with little risk. Some pages, however, contain controls and applications to be downloaded and run on a user's computer. These executable files can be risky to download and run.

Packaged software uses branding and trusted sales outlets to assure users of its integrity, but these guarantees are not available when code is transmitted on the Internet. Additionally, the Internet itself cannot provide any guarantee about the identity of the software creator. Nor can it guarantee that any software downloaded was not altered after its creation. Browsers can exhibit a warning message that explains the possible dangers of downloading data of any kind, but browsers cannot verify that code is what it claims to be. A more active approach must be taken to make the Internet a reliable medium for distributing software.

One approach to providing guarantees of the authenticity and integrity of files is attaching digital signatures to those files. A digital signature attached to a file positively identifies the distributor of that file and ensures that the contents of the file were not changed after the signature was created.

Digital signatures can be created and verified by using Microsoft's cryptography APIs. For background information on cryptography and the CryptoAPI functions, see Cryptography Essentials.

For detailed information on digital signatures, certificates, and certificate stores, see the following topics:

Currently, CryptoAPI Tools supports Microsoft Authenticode technology by allowing software vendors to sign the following types of files for Authenticode verification.

File name extension Contents
.appx, .msix, .appxbundle, .msixbundle
Packaged Windows Apps.
Self-contained files used for application installation and setup. In a cabinet file, multiple files are compressed into one file. They are commonly found on Microsoft software distribution disks.
Files that contain digital thumbprints of several files. A .cat file can be used to ensure the integrity of the files whose thumbprints it includes.
Files that contain executable functions.
Files that contain executable programs.
Windows shell files for JScript or Microsoft Visual Basic Scripting Edition (VBScript).
Windows installer files.
Files that contain Microsoft ActiveX controls.
Files that contain PowerShell scripts.
Files that contain a certificate trust list (CTL).
Files that contain driver binaries.


For information about digital signing, see the following documents:

  • CCITT, Recommendation X.509, The Directory-Authentication Framework, Consultation Committee, International Telephone and Telegraph, International Telecommunications Union, Geneva, 1989.
  • RSA Laboratories, PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November, 1993.
  • Schneier, Bruce, Applied Cryptography, 2d ed. New York: John Wiley & Sons, 1996.


These resources may not be available in some languages and countries or regions.


Microsoft Cryptography Tools

The publishing tools and the signing DLL are installed in the \Bin directory of your Microsoft SDK installation. They include the following files.

File name Remarks
Cert2SPC.exe Creates an Software Publisher Certificate (SPC) for testing purposes only.
CertMgr.exe Manages certificates, CTLs, and certificate revocation lists (CRLs).
MakeCat.exe Creates an unsigned catalog file that contains the hashes of a set of files along with associated attributes of each file.
MakeCert.exe Creates an X.509 certificate for testing purposes only.
Pvk2pfx.exe Converts a software publisher certificate file (.spc) or a private key file (.pvk) to Personal Information Exchange (PFX) file format.
SetReg.exe Sets registry keys that control certificate verification.
SignTool.exe Signs and time stamps a file. Additionally, checks the signature of a file.