Acquire a Code Signing Certificate

Updated: April 16, 2014

Applies To: Windows Server 2008

You can use this procedure to acquire a digital signing certificate for your organization.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

You can use the following methods to acquire a code signing certificate:

  • You can purchase a certificate from any of the vendors listed at "Root Certificate Program Member List" at

  • You should purchase a certificate from a commercial certification authority (CA) when you want signatures created with the certificate to be usable outside of your organization. Certificates from the CAs listed are automatically recognized as valid (but not necessarily trusted) by any Windows-based computer because a copy of those CAs are in the Trusted Root Certification Authorities store on each computer.

  • If you only need to use the certificate within the bounds of your organizational network, and do not need to have the certificate recognized by those outside of your organization, you might consider using Certificate Services or the MakeCert program instead, because they do not require a purchase from a CA.

Windows Server 2008, Windows Server 2003, and Windows 2000 Server include Certificate Services as an optional component. By using this component, you can create a public key infrastructure with multiple certificate servers to support all of your organization's internal certificate needs.

The certificates created by Certificate Services will not be considered valid by computers outside of your organization unless you provide a means to securely distribute the certificate to those computers. It is recommended that if you wish to use a certificate that is recognized by computers outsize of your organization that you purchase one from one of the commercial CAs described in the Purchase a code signing certificate from a commercial certificate vendor.

For more information about the creation and maintenance of a Windows certificate server and public key infrastructure in your organization, see "Public Key" at

The two ways to acquire a certificate above involve public key infrastructure systems, either maintained by a third-party commercial vendor, or by your organization. Maintenance of a PKI is not a trivial task. Small organizations that do not wish to purchase a certificate, and cannot maintain an internal certificate server, and users who want to create a certificate for test purposes can use the MakeCert tool that is provided by using the Windows Driver Kit (WDK), which you can find at WDK and WinDbg downloads. The following procedure assumes that you have downloaded and installed the WDK.

  1. Open a WDK Build Environment command prompt by using the Run as administrator option. To do so, right-click the appropriate Build Environment shortcut in your Start menu, and click Run as administrator.

  2. At the Build Environment command prompt, type the following command on a single line (it might appear here on multiple lines due to space limitations):

    makecert -r -n "CN= My Certificate Name " -ss MyCertificateStore -sr localmachine


Value Description


Specifies that the certificate can be used as a "root" certificate, and is "self-signed."

-n "CN= My Certificate Name "

Specifies the name of the certificate. It must conform to the X.500 standard. If it contains spaces, then you must surround the entire string with double quotes.

-ss MyCertificateStore

Specifies the name of the certificate store in which the completed certificate is placed. If the specified store does not exist, Windows creates it. If it contains spaces, then you must surround the entire string with double quotes.

-sr localmachine

Specifies that the certificate store is to be in the Local Computer version of the store, instead of the Per User version.

Formatting legend


Format Meaning


Information that the user must supply


Elements that the user must type exactly as shown

Before the certificate can be used you must place it in the appropriate certificate stores. For standard code-signing purposes, you must place a copy in the Local Computer (not Current User) version of the Trusted Root Certification Authorities store on the computer on which you will be signing driver packages. For a single computer, you can use the procedure in Deploy a Certificate Manually by Using the Certificates Snap-in. For deploying certificates to many computers, see Deploy Certificates by Using Group Policy.

See Also

Other Resources

WDK and WinDbg downloads

Community Additions