So, you bought a code signing certificate for your Electron app. One step closer to being able to release your app on Windows. Congrats!
Finally, 3 weeks later, after a few phone calls, Sectigo issued the certificate. Woohoo! The email went to spam and you didn’t see it for 3 days, but hey, we’re making progress.
In their email, they say in big red letters that you must use Internet Explorer to download it (or an ancient version of Firefox).
And then you try that, and it fails. Because when you ordered the cert, you didn’t use the on-page tool that required using an ancient web browser. You used OpenSSL to create your certificate signing request (CSR) and private key.
So you call them, and they tell you to call your reseller. Wait – SectigoStore is not actually owned by Sectigo? Haha nope, different company.
But no matter – their lovely live chat people point you at this page of instructions for converting the code signing cert to a PFX, involving some sort of tool that may or may not be linked from that page.
So now you’re stuck. Well, I was stuck here too. Here’s what to do to download the code signing certificate to a PFX file that can actually be used to sign some code.
- Download the certificate using the link in your email, but don’t use Internet Explorer. Use Chrome or Edge instead. You’ll get a user.crt file.
IE (and presumably, ancient Firefox, I didn’t try) will try to install the certificate into your system using a private key that’s already installed. But you didn’t use IE in the first place, so you don’t have a private key installed, which is why that failed.
- Convert the user.crt from the binary DER format that it came with, into a PEM format that OpenSSL can work with.
openssl x509 -inform der -in user.crt -out user.pem
If your user.crt file is already in PEM format, you can skip this step. PEM format is plain text and starts with ------ BEGIN BLAH BLAH ------.
- Combine the PEM certificate with the private key and the Sectigo root/intermediate CA cert into one big PFX file. Get the Sectigo CA cert at the very bottom of this page that the helpful SectigoStore chat person gave you.
openssl pkcs12 -export -in user.pem -certfile SectigoRSACodeSigningCA.crt -inkey privatekey.key -out code-signing-cert.pfx
It’ll ask you for a password. Make sure to save that somewhere. You’ll need it to do the actual code signing.
If OpenSSL hangs for you (like it did for me, using a Git Bash shell on Windows 10), prepend the commands with winpty.
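The conversion and PFX steps above, wrapped with the checks worth running before you trust the result: detect whether the downloaded cert is DER or PEM, confirm the private key actually belongs to the issued certificate, and count the certificates that ended up in the PFX. This is an added example, not part of the original post; the function names and the PFX_PASSWORD environment variable (used instead of the interactive password prompt) are assumptions.

```shell
# Added example (not from the original post). File names follow the post;
# the function names and PFX_PASSWORD variable are assumptions of this sketch.

# Print "pem" or "der" for a certificate file; fail if it is neither.
cert_format() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo pem
  elif openssl x509 -in "$1" -inform der -noout 2>/dev/null; then
    echo der
  else
    echo unknown; return 1
  fi
}

# Write a PEM copy of the certificate, whatever encoding it arrived in.
to_pem() {
  fmt=$(cert_format "$1") || return 1
  openssl x509 -in "$1" -inform "$fmt" -out "$2"
}

# Succeed only if the private key is the one the certificate was issued for:
# the public key inside the cert must equal the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build the PFX only after the key check passes.
# Args: cert.pem key ca.crt out.pfx; export password read from $PFX_PASSWORD.
build_pfx() {
  key_matches_cert "$1" "$2" || {
    echo "private key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -out "$4" -passout env:PFX_PASSWORD
}

# Count certificates stored in the PFX (expect your cert plus the CA cert).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASSWORD 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
```

With the post's file names, that is `to_pem user.crt user.pem` followed by `build_pfx user.pem privatekey.key SectigoRSACodeSigningCA.crt code-signing-cert.pfx`, with PFX_PASSWORD exported first.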
And now, if you haven’t forgotten your private key password, you should be all set! The code-signing-cert.pfx
From here, since I’m using electron-builder, I made a .env file in the root of the project with 2 keys:
CSC_LINK=file:///Users/You/Projects/your-app/code-signing-cert.pfx
CSC_KEY_PASSWORD=the-password-you-hopefully-remember-from-2-paragraphs-ago
Run the build, and hopefully code signing will work! Awesome. Time to get back to real work.