Guide to Resolve SignTool Error: “No Certificates Were Found That Met All the Given Criteria”
The SignTool error “No certificates were found that met all the given criteria” is one of the most common failures when signing an app, driver, or other executable file. It means that SignTool’s certificate selection step found no certificate that passed every filter implied by the signing command: the certificate must carry the Code Signing Enhanced Key Usage, be inside its validity period, have an accessible private key, and match whatever selector you gave (a PFX file via “/f”, a thumbprint via “/sha1”, a subject name via “/n”, and so on).
Resolving this error requires investigating why no matching certificate exists in the certificate store and taking steps to install an appropriate certificate. This may involve creating a new code signing certificate, ensuring an existing certificate has not expired or been revoked, or adjusting the signing command criteria.
Key Takeaways
- The “No Certificates Were Found That Met All the Given Criteria” SignTool error occurs when no certificate passes all of SignTool’s selection filters.
- Common causes are an expired certificate, a certificate without the Code Signing EKU (for example a TLS certificate), a missing or inaccessible private key (such as a .cer file passed to “/f”), and selection parameters that do not match any certificate.
- Solutions involve renewing or replacing the code signing certificate, making the private key accessible, and correcting the SignTool parameters.
- Run SignTool with “/debug” to see which filter rejected each certificate before changing anything else; also check the certificate store being searched and the certificate’s validity period.
- Code signing best practices like using certificates from a trusted CA and protecting private keys are important.
What Does the SignTool Error Message Mean?
The full SignTool error when this issue occurs is:
SignTool Error: No certificates were found that met all the given criteria.
This concise but confusing message gives little detail about why a matching certificate was not found. To troubleshoot the issue, it’s important to understand exactly what SignTool is looking for when signing an executable file.
When using SignTool to sign an app, driver, or other executable digitally, the simplest form of the command is:
SignTool sign /f <Certificate.pfx> /p <Password> /fd SHA256 <ExecutableFile>
This tells SignTool to sign the executable with the certificate and private key contained in a PFX file, unlocked with the given password, using SHA-256 as the file digest algorithm.
The “/f” switch names the signing certificate file. It must be a .pfx (PKCS #12) file that holds both the certificate and its private key. A .cer file contains only the public certificate; passing one to “/f” is a frequent cause of this exact error, because SignTool’s private-key filter discards any certificate it cannot sign with.
The “/p” switch is the password that protects the private key inside the PFX.
SignTool can also select the certificate from the Windows certificate store instead of a file: “/a” picks the best available code signing certificate, “/sha1 <thumbprint>” picks one by SHA-1 thumbprint, “/n <name>” picks by subject name, and “/s <store>” (with “/sm” for the machine store) chooses which store is searched. Adding “/debug” to any sign command makes SignTool list every certificate it considered and how many survived each filter (EKU, expiry, private key, and any name or hash selector), which usually identifies the cause immediately.
Whichever selector is used, SignTool needs:
- A certificate that carries the Code Signing Enhanced Key Usage and is currently within its validity period
- Access to the associated private key, either inside the PFX or in the CSP/KSP key container linked to the store certificate
- The correct password or PIN for that key
What Are the Causes of the SignTool Error?
There are several potential reasons why SignTool may not be able to find a valid certificate matching the provided criteria.
The main causes include the following:
The Specified Certificate is Expired
Code signing certificates are only valid for a set period. SignTool’s expiry filter excludes any certificate whose validity period does not include the current time, so an expired (or not-yet-valid) certificate is never selected and signing fails with this error. Note that a timestamped signature made while the certificate was valid continues to verify after expiry; only producing new signatures requires a currently valid certificate.
Opening the certificate in the Windows Certificate Manager (certmgr.msc) shows the “Valid from” and “Valid to” dates. To resolve the issue, an expired certificate must be renewed or replaced.
The Certificate has been Revoked.
Certificates can be revoked before their expiration date if the private key has been compromised or for other reasons. Revocation is not one of the filters SignTool applies when selecting a certificate, so a revoked certificate is usually still selected and a signature is produced; the problem surfaces later, when the signature is verified (for example by signtool verify or by Windows at install time) and the revoked status is discovered. Either way, a revoked certificate is permanently invalid and must be replaced.
Checking the Certificate Revocation List (CRL) or OCSP responder published by the issuing Certificate Authority, or running certutil -verify -urlfetch on the certificate file, shows whether a certificate has been revoked. As with an expired certificate, a revoked certificate must be replaced with a valid one.
Incorrect Signing Criteria Specified
The SignTool selectors (“/f” and “/p” for a file; “/a”, “/sha1”, “/n”, “/i”, “/r”, “/s” and “/sm” for the certificate store) define the criteria a certificate must meet. If they do not describe a valid certificate with a usable private key, no match is found. A subject name given to “/n” is matched as a substring of the Subject field, a thumbprint given to “/sha1” must be the certificate’s SHA-1 hash with no spaces, and store-based selection searches the current user’s “My” store unless “/s” or “/sm” says otherwise.
Double-check that the certificate file path and private key password are correct, and that the store you are pointing at is the one the certificate was imported into. Make sure the certificate’s private key is accessible; for a store certificate it lives in a separate CSP or KSP key container, not in the certificate itself.
Private Key is Not Accessible
In addition to a valid certificate, SignTool needs the associated private key to generate the digital signature. The private-key filter removes every certificate that has no key SignTool can use, so the error appears even when the certificate itself is perfectly valid.
Typical situations: a .cer file was imported instead of the .pfx, so the store holds the certificate with no key; the PFX was imported into a different store or user profile than the one SignTool searches; or the key sits on a hardware token (mandatory for certificates issued under the CA/Browser Forum code signing requirements since June 2023) and the token is unplugged, locked, or its vendor CSP/KSP is not installed on the build machine. Certificate Manager shows “You have a private key that corresponds to this certificate” on the General tab when the key is linked. If the key is genuinely lost it cannot be recovered from the CA, which never held it; a new certificate and key pair must be created.
Certificate Does Not Meet SignTool Criteria
SignTool’s first filter is the Enhanced Key Usage check: the certificate must contain the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3). Its Key Usage extension, if present, must allow Digital Signature; Key Encipherment is not needed for signing.
If you attempt to use a non-code signing certificate, such as a TLS/SSL server certificate (EKU 1.3.6.1.5.5.7.3.1), SignTool rejects it at the EKU filter and reports this error even when you select it explicitly by thumbprint. Make sure to use a certificate specifically issued for code signing.
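The causes above map directly onto the filters SignTool applies when it picks a certificate. The following PowerShell script is an added example, not code from the original article: it walks a certificate store and applies the same checks (Code Signing EKU, Digital Signature key usage, validity period, private key present) so that each certificate is reported with the reason it would be rejected. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the default store path Cert:\CurrentUser\My is the one SignTool searches unless told otherwise, and the commented signtool line at the end is the cross-check against SignTool’s own “/debug” trace.

```powershell
# Added example, not code from the original article. Applies the same filters
# SignTool uses when selecting a signing certificate, so you can see why each
# certificate in the store would be rejected. Assumes Windows PowerShell 5.1+
# or PowerShell 7 on Windows; the store path is the one SignTool searches by
# default (use Cert:\LocalMachine\My if you sign with /sm).
using namespace System.Security.Cryptography.X509Certificates

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-SigningCandidate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    $reasons = [System.Collections.Generic.List[string]]::new()
    $now = Get-Date

    # Filter 1 (EKU): the certificate must carry the Code Signing EKU.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    if ($ekus -notcontains $CodeSigningEku) {
        $reasons.Add("EKU filter: no Code Signing EKU, found [$($ekus -join ', ')]")
    }

    # Key Usage: if the extension is present it must allow Digital Signature.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509KeyUsageExtension]) {
            $ds = [int][X509KeyUsageFlags]::DigitalSignature
            if (([int]($ext.KeyUsages) -band $ds) -eq 0) {
                $reasons.Add('Key Usage: Digital Signature not set')
            }
        }
    }

    # Filter 2 (expiry): the current time must fall inside the validity window.
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $reasons.Add("expiry filter: valid $($Cert.NotBefore.ToString('u')) to $($Cert.NotAfter.ToString('u'))")
    }

    # Filter 3 (private key): a certificate imported from a .cer has none.
    if (-not $Cert.HasPrivateKey) {
        $reasons.Add('private key filter: no private key linked to this certificate')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($reasons.Count -eq 0)
        Rejected   = ($reasons -join '; ')
    }
}

function Get-SigningCandidateReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | ForEach-Object { Test-SigningCandidate -Cert $_ }
}

$report = Get-SigningCandidateReport
$report | Format-Table Subject, Thumbprint, NotAfter, Usable, Rejected -AutoSize
if (-not ($report | Where-Object Usable)) {
    Write-Warning 'No certificate in this store would pass SignTool''s filters.'
}

# Cross-check against SignTool's own filter trace on a real target (app.exe is
# a placeholder):  signtool.exe sign /debug /a /fd SHA256 .\app.exe
```

A certificate that is reported as usable here but still triggers the error is almost always being excluded by a selector you passed (wrong “/n” substring, a thumbprint with spaces, or the wrong store); the “/debug” trace from SignTool shows the count dropping at that filter.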
5 Easy Steps to Fix “No certificates were found that met all the given criteria” SignTool Error
Based on the potential causes above, here are solutions to troubleshoot and resolve the “No certificates were found” error:
- Renew or Replace an Expired Certificate
- Replace a Revoked Certificate
- Correct SignTool Certificate Parameters
- Recover or Replace Lost Private Key
- Acquire Appropriate Code Signing Certificate
Step:1 Renew or Replace an Expired Certificate
If your code signing certificate has expired, it needs to be renewed or replaced with a new valid certificate:
- Renew the Certificate: If it was issued by a public CA like DigiCert or Sectigo, log in to your account and request a renewal. Renewal issues a new certificate with its own validity period; the old one is not extended, so install the new certificate and update your SignTool parameters to reference it.
- Obtain a New Certificate: Alternatively, you can purchase a brand new code signing certificate from a trusted public CA. Make sure to buy another certificate with code signing usage to replace the expired one.
- Use an Existing Unexpired Certificate: You may have other valid code signing certificates in your Windows certificate store that can be used instead. Identify another suitable certificate and adjust the SignTool parameters to point to that certificate file and private key.
Step:2 Replace a Revoked Certificate
If your signing certificate has been revoked, it is permanently invalid and cannot be used again:
- Purchase a Replacement Certificate: As with an expired certificate, buy a new code signing certificate from a trusted CA to replace the revoked one. If the revocation was due to key compromise, generate a fresh key pair; never reuse the compromised key.
- Use an Alternate Valid Certificate: If available, you can use SignTool with another existing, unrevoked code signing certificate in your certificate store.
Step:3 Correct SignTool Certificate Parameters
Double-check the SignTool certificate criteria:
- Verify Certificate File Path: Make sure the “/f” parameter points to a valid .pfx file containing the code signing certificate and its private key; a .cer file holds no private key and will not work.
- Check Private Key Access: Ensure the “/p” password unlocks the PFX, or, for a certificate in the store, that its CSP/KSP key container is available; “/csp” and “/kc” can name them explicitly when the key is on a token.
- Confirm Certificate Validity: Open the certificate in the Windows Certificate Manager and verify it is unexpired, carries the Code Signing EKU, and shows a linked private key.
- Use Full Certificate Path: Specify the absolute path to the certificate file in the “/f” parameter, not just the file name.
- Run with “/debug”: SignTool then prints every certificate it considered and how many survived each filter, pinpointing which criterion failed.
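To check the file handed to “/f” before SignTool does, here is an added PowerShell example that is not part of the original article. It opens the file the way SignTool will, reports whether a private key and the Code Signing EKU are present, and builds the matching SignTool command line: “/f” with the PFX when the key is inside it, or “/sha1” with the certificate’s thumbprint when only a public .cer is on disk and the key lives in the certificate store. The file paths, password and optional timestamp URL are placeholders you replace.

```powershell
# Added example, not code from the original article. Inspects the file you
# would pass to /f the way SignTool will see it, then builds the matching
# SignTool command. Paths, the password and the timestamp URL are placeholders.
using namespace System.Security.Cryptography.X509Certificates

function Test-SigningFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Password = ''
    )
    try {
        $full = (Resolve-Path -LiteralPath $Path).Path   # absolute path, as Step 3 advises
        # This constructor opens both .cer (password ignored) and .pfx files.
        $cert = [X509Certificate2]::new($full, $Password)
    } catch {
        # A missing file or a wrong PFX password fails here, before SignTool runs.
        return [pscustomobject]@{ Path = $Path; Loaded = $false; Error = $_.Exception.Message }
    }
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    [pscustomobject]@{
        Path          = $full
        Loaded        = $true
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey      # always $false for a .cer
        CodeSigning   = ($ekus -contains '1.3.6.1.5.5.7.3.3')
        Expired       = ((Get-Date) -gt $cert.NotAfter)
    }
}

function Get-SignToolCommand {
    param(
        [Parameter(Mandatory)]$Check,              # output of Test-SigningFile
        [Parameter(Mandatory)][string]$Executable,
        [string]$Password = '',
        [string]$TimestampUrl = ''
    )
    if (-not $Check.Loaded)      { throw "Cannot open $($Check.Path): $($Check.Error)" }
    if (-not $Check.CodeSigning) { throw 'Certificate lacks the Code Signing EKU; SignTool will reject it.' }
    if ($Check.Expired)          { throw 'Certificate has expired; renew or replace it.' }

    $ts = if ($TimestampUrl) { " /tr `"$TimestampUrl`" /td SHA256" } else { '' }
    if ($Check.HasPrivateKey) {
        # A PFX: /f and /p are the right selectors.
        return "signtool.exe sign /f `"$($Check.Path)`" /p `"$Password`" /fd SHA256$ts `"$Executable`""
    }
    # Public certificate only: /f cannot work. If the matching private key is in the
    # certificate store (for example registered there by a token's middleware),
    # select that store copy by thumbprint instead.
    return "signtool.exe sign /sha1 $($Check.Thumbprint) /fd SHA256$ts `"$Executable`""
}

# Placeholder inputs; substitute your own.
$check = Test-SigningFile -Path 'C:\signing\mycert.pfx' -Password 'pfx-password'
$check | Format-List
Get-SignToolCommand -Check $check -Executable 'C:\build\app.exe' -Password 'pfx-password'
```

One caveat on the “/f” form: the “/p” password appears on the command line, so it ends up in shell history and CI logs. Where the key can live in the store (or on a token), selecting it with “/sha1” avoids that exposure entirely.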
Step:4 Recover or Replace Lost Private Key
If the private key is inaccessible or missing, you will need to either recover or replace it:
- Restore Key from Backup: If you have a backup of the .pfx file or an export of the key container, restore it and import it into the store SignTool searches (certutil -importPFX or the Certificate Import Wizard).
- Reconnect a Hardware Token: If the key is on a USB token or HSM, plug it in, install the vendor’s CSP/KSP middleware on the build machine, and select the certificate from the store (for example with “/sha1”) rather than with “/f”.
- Obtain a New Certificate: The issuing CA does not hold your private key and cannot recover it, so if no backup or token exists the only option is a new code signing certificate with a new key pair.
Step:5 Acquire Appropriate Code Signing Certificate
If the issue is that your signing certificate does not meet SignTool criteria:
- Obtain Code Signing Certificate: Purchase a certificate specifically issued for code signing from a trusted public CA like DigiCert, Sectigo (formerly Comodo), or GlobalSign.
- Check Key Usage: The certificate’s Key Usage must include Digital Signature; Key Encipherment is not required for code signing.
- Verify Enhanced Key Usage: To be valid for signing executables and drivers, it must include the Code Signing EKU (1.3.6.1.5.5.7.3.3). Note that kernel-mode drivers on current Windows versions must additionally be signed by Microsoft through the Hardware Dev Center; a publisher’s own code signing certificate is not sufficient on its own.
SignTool Signing Process and Best Practices
While the solutions above should resolve most cases of the “No Certificates Were Found That Met All the Given Criteria” error, it’s also helpful to understand the high-level SignTool signing process and certificate management best practices:
SignTool Signing Steps
When signing a file using SignTool, the basic steps are:
- You specify the certificate criteria: a PFX path and password, or store selectors such as “/a”, “/sha1” or “/n”, plus the digest algorithm (“/fd SHA256”) and optionally a timestamp server (“/tr”)
- SignTool enumerates candidate certificates from the file or store and filters them by Code Signing EKU, validity period, private key availability, and any name or hash selector
- SignTool hashes the file’s signable content with the chosen digest algorithm
- The private key signs that hash; the certificate (with its public key and chain) is embedded alongside the signature so that verifiers can check it
- The PKCS #7 signature block is written into the executable, and a timestamp countersignature is added if “/tr” was given
If no certificate survives the filtering in the second step, SignTool stops with “No certificates were found that met all the given criteria.” Failures in later steps produce different messages (for example a wrong PFX password or an unreachable timestamp server).
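To watch the selection step reject a certificate and then accept one, here is an added lab example in PowerShell that is not part of the original article. It creates two throwaway self-signed certificates in the user’s Personal store, one with only the Server Authentication EKU and one created with -Type CodeSigningCert, signs a scratch copy of a Windows executable with each via signtool /sha1 /debug, records whether the exact error text appeared and whether the file ended up signed by that certificate, and removes both certificates afterwards. It assumes Windows 10 or later with the Windows SDK installed (signtool.exe on PATH or under the Windows Kits folder), and it runs offline unless you pass -TimestampUrl.

```powershell
# Added lab example, not code from the original article. Reproduces the error on
# purpose with a self-signed certificate that lacks the Code Signing EKU, then
# signs successfully with one that has it. Assumes Windows 10+ and the Windows
# SDK (signtool.exe on PATH or under Windows Kits). Writes two throwaway
# certificates to Cert:\CurrentUser\My and removes them afterwards.

function Find-SignTool {
    $cmd = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source }
    $kits = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\10\bin'
    $hit = Get-ChildItem -Path $kits -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\x64\*' } |
        Sort-Object FullName -Descending | Select-Object -First 1
    if (-not $hit) { throw 'signtool.exe not found; install the Windows SDK.' }
    return $hit.FullName
}

function Invoke-SignToolLab {
    param([string]$TimestampUrl = '')   # optional; the lab runs offline without it
    $signtool = Find-SignTool
    $target = Join-Path $env:TEMP 'signtool-lab.exe'
    # Scratch copy of a Windows binary so no real build artifact is touched.
    Copy-Item -Path "$env:SystemRoot\System32\where.exe" -Destination $target -Force

    # Wrong kind of certificate: Server Authentication EKU only (1.3.6.1.5.5.7.3.1).
    $tlsCert = New-SelfSignedCertificate -Subject 'CN=SignTool Lab (TLS only)' `
        -CertStoreLocation Cert:\CurrentUser\My -Type Custom `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
    # Right kind: -Type CodeSigningCert sets Digital Signature and the Code Signing EKU.
    $csCert = New-SelfSignedCertificate -Subject 'CN=SignTool Lab (code signing)' `
        -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert
    try {
        foreach ($cert in @($tlsCert, $csCert)) {
            $stArgs = @('sign', '/debug', '/sha1', $cert.Thumbprint, '/fd', 'SHA256')
            if ($TimestampUrl) { $stArgs += @('/tr', $TimestampUrl, '/td', 'SHA256') }
            $stArgs += $target
            $output = (& $signtool @stArgs 2>&1 | Out-String)
            $exit = $LASTEXITCODE
            $signer = (Get-AuthenticodeSignature -FilePath $target).SignerCertificate
            [pscustomobject]@{
                Subject    = $cert.Subject
                ExitCode   = $exit
                # The exact message this article is about, if SignTool printed it.
                Error      = (($output -split "`r?`n") -match 'No certificates were found') -join ''
                SignedByIt = ($null -ne $signer -and $signer.Thumbprint -eq $cert.Thumbprint)
            }
        }
    } finally {
        foreach ($cert in @($tlsCert, $csCert)) {
            Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
        }
        Remove-Item -Path $target -ErrorAction SilentlyContinue
    }
}

Invoke-SignToolLab | Format-Table -AutoSize
```

The TLS-only certificate is selected by thumbprint yet still fails, which is the point: “/sha1” narrows the candidates but does not bypass the EKU filter, so SignTool’s “/debug” output shows the count dropping to zero at “After EKU filter” before the familiar error line. The second certificate signs, and Get-AuthenticodeSignature confirms the embedded signer even though a self-signed certificate will not verify as trusted.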
Final Thoughts
In conclusion, the “No certificates found” SignTool error occurs when no certificate passes SignTool’s selection filters: it is expired, lacks the Code Signing EKU, has no accessible private key, or does not match the selector given on the command line. Troubleshooting steps include running SignTool with “/debug”, checking for expired certificates, verifying that the SignTool parameters point to a valid PFX or store certificate, restoring lost private keys or reconnecting the token that holds them, and acquiring an appropriate code signing certificate.
Following code signing best practices for managing certificates and keys will help avoid these issues. Carefully managing validity periods, storage locations, access controls, and SignTool usage is key for successful executable signing.
Frequently Asked Questions
Why does the “No certificates found” error occur in SignTool?
This happens when SignTool cannot find a certificate that passes all of its selection filters: Code Signing EKU, validity period, an accessible private key, and the selector (“/f”, “/sha1”, “/n”, “/a”) in the signing command. Causes include expired certificates, TLS certificates used by mistake, incorrect paths, a .cer passed instead of a .pfx, and inaccessible private keys.
How can I tell if my code signing certificate has expired?
Open the certificate file in Windows Certificate Manager and check the validity period in the Details tab. It will show the expiration date.
What should I do if my private key is lost or corrupted?
If possible, try to recover it from a backup. Otherwise, you will likely need to purchase a new code signing certificate and generate a new public-private key pair.
Can I resolve the error by adjusting SignTool parameters?
Yes. Double-check that the certificate file path points to a .pfx (not a .cer), that the private key password is correct, that the store named by “/s” or “/sm” is the one the certificate lives in, and that the certificate carries the Code Signing EKU. Adding “/debug” shows which filter removed the certificate.
What is the best way to avoid SignTool errors during signing?
Follow code signing best practices like using trusted certificates, securely storing private keys, backing up keys, and carefully managing validity periods.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.