signtool fails to sign a binary with a key from a AWS CloudHSM

I just wrote the article Signing executables with Microsoft SignTool.exe using AWS CloudHSM-backed certificates that covers this scenario.

To summarize:

  • You need to ensure that you have the latest binaries for CloudHSM.

  • Check that, when the certificate is created (if you self-sign), the relevant Key Container within Windows is created.

  • Run certutil -repairstore if needed.

  • When using SignTool, check that you specify the certificate HASH.

If you need further help, reach out to AWS Support as always or look in the AWS forums.
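The checks listed in that answer, put together as one added PowerShell example (not the answer author's code and not from AWS): it confirms the certificate in CurrentUser\My is linked to a key on the Cavium KSP, repairs the link with certutil if it is missing, and then signs by certificate hash. <THUMBPRINT> and the binary path are placeholders you supply; an RSA signing key is assumed.

```powershell
# Added example (not from the answer above). Assumes an RSA signing key;
# <THUMBPRINT> and the binary path are placeholders for your own values.
$Thumbprint = '<THUMBPRINT>'                 # SHA-1 hash of the signing certificate
$Provider   = 'Cavium Key Storage Provider'  # KSP installed by the CloudHSM client
$Binary     = 'C:\build\test.exe'            # hypothetical file to sign

# 1. The KSP must be able to enumerate its key containers; if this fails,
#    the CloudHSM client/binaries are the problem, not SignTool.
& certutil -csp $Provider -key | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Cannot enumerate keys on ${Provider}" }

# 2. Does the certificate in the store already carry a private-key link?
$cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    # 3. Rebuild the certificate-to-key association (matched on public key).
    & certutil -user -repairstore My $Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -repairstore failed' }
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
}

# 4. Make sure the linked key really lives on the HSM provider and not in a
#    software CSP left over from an earlier PFX import.
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($key -isnot [System.Security.Cryptography.RSACng] -or $key.Key.Provider.Provider -ne $Provider) {
    throw "Private key is not held by ${Provider}; SignTool would use the wrong key"
}

# 5. Sign by certificate hash so SignTool resolves the key through the store link.
& signtool sign /sha1 $Thumbprint /fd sha256 /v $Binary
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed' }
& signtool verify /pa /v $Binary
```

If step 4 throws, the certificate was re-associated with a software key at some point; re-run certutil -repairstore after removing the stray software key so the store entry points back at the HSM container.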


I wrote to AWS support and they responded back with:

"This issue seems to be caused by trying to store the certificate on the HSM, and referencing the certificate with SignTool. Although the certutil command shows "CertUtil: -importPFX command completed successfully.", CloudHSM doesn't currently support certificate storage. This feature will be added however, and when it's released will be added to the version history page.

You should be able to use SignTool by referencing the certificate locally (.crt/.cer), and using the private key of the certificate stored on the HSM:

c:> signtool sign /f certname.cer /csp "Cavium Key Storage Provider" /k kontainer_name test.exe"

But this approach doesn't work on my end either. So I am still waiting for their assistance.