We’re trying to find a CA who can provide us with a Code Signing certificate that will allow us to export with its private key to generate a .PFX file. The .PFX file is now a mandatory requirement to install OEM 2024 (I think 2023 also had the same stipulation).
However, what we’re finding is that as of this year, new Code Signing certificates are only being distributed via a HSM (USB key, effectively) and therefore cannot be exported as a .PFX file?
“Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140-2 level 2, Common Criteria EAL 4+, or equivalent.”
Does anyone have the name of a company who can still supply a non-hardware OA certificate that we can install to a machine where we have generated a CSR to give us the corresponding private key and allow us to export the .PFX?
I ask as this is the first time we’ve encountered this , our company doesn’t have a preferred (or previous) CA and at the moment we can’t use OEM 2024 due to the inability to export a certificate to a .PFX file and OEM 2024 not being able to ignore the mandatory requirement.
I tried the ones in the AutoCAD OEM help but none of the ones suggested can supply a certificate and private key as they insist on sending out a dongle (USB stick) with the private key on. Therefore we cannot use this to generate a .PFX file which look, to all intents and purposes, like they are being deprecated.
This is what I found out from our OpsTech team at Tech Soft 3D, thanks Ana Cimpoaca.
DigiCert signing does not provide you with the necessary .PFX file needed by the InstallWizard.
Here’s a very brief description how it works with DigiCert, since you may perhaps use your account with them by manually signing the modules, see further down in this post.
You’d need an account with DigiCert. For that you apply at one.digicert.com and will get an invite email like
Then you log in online and create an api_token and an mfa certificate with password.
This secret info will be used during the code signing that needs to be done connected to the internet.
The Signtool call parameters will be different, for example: signtool sign /tr … /td … /kc “api_key” … /f “C:/Windows/temp/mfa_cert.pem” …
If you have paid for a certificate from DigiCert and want to use it you need to manually sign the required modules listed at the very end of the BuildLog.txt file after the InstallWizard has finished. This may or may not work. I will try to search for an answer to that, meanwhile if anybody already tried that let the community know how it went, please.
For DigiCert signing to work from the InstallWizard, there needs to be added fields for
As option to the now required .PFX file. This is something that can only be taken care of by Autodesk.
Just a heads up for everyone the industry is moving away from the older OV certificates and starting to require Hardware based EV Certificates for added protection. This will more than likely make the .PFX file obsolete in the near future. Because of this we moved to an Extended Validation Code Signing Certificate. We do not use OEM to sign because of this. We sign after the build is compiled. It only runs the check on install execution and is not required during compiling.
Here is an article on EV if anyone is interested:
Thanks Shawn. This is going to be confusing to some of our OEM partners I’m afraid. I have reached out to Autodesk regarding the InstallWizard ‘Digital Signatures’ tab will need additinal options, alternatively manual signing without .PFX file as argument. I will update this thread as soon as I hear back.
Meanwhile, can you by what you write above confirm my statement
above and give a “pseudo” sample signtool call that you’re making when applying an EV certificate, please?
We have not had to use the scenario you describe but the syntax appears to be correct for someone that would set it up that way.
Here is a brief description of our process.
Once you have an EV Code Signing certificate the process is pretty straight forward.
Here is what we do with our EV code signing setup:
Run the OEM Install Wizard to compile build without using the built in Digital Signature Tab
Once complete we digitally sign the msi created by the installer that is located in the "\x64<SoftwareName>" folder.
While you may choose to sign other files the only one that the Autodesk installer seems to care about is the MSI file.
To sign the file you have a couple options with DigiCert:
Or automate the process by scripting the Microsoft sign tool.
To use the Microsoft sign tool you have to locate where it is at on your build machine.
It is typically located in a folder in "C:\Program Files (x86)\Windows Kits\10\bin" that corresponds to the version you have installed such as this “C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe”. There may be several version folders you can choose one so it is usually best to choose the newest one.
From there you can execute a script and run the following command: signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a “C:\InstallName\x64<SoftwareName>\SoftwareName.msi”
With EV code signing you have to log into your Code signing interface either before you run the signtool or it will prompt you to sign in if you missed it. After you sign in once it will continue to sign without prompting.
I hope this helps. I will try to put together something more detailed as soon as I get some time.
Our setup is a bit different in that it does not require us to be online and logged in like the other method you describe. We have a hardware based USB dongle that contains our Private Key. When you use the sign tool it automatically uses the USB. It has been a major advantage for us doing it this way. It does not require us to be online so we can do everything in house. This method can seem intimidating at first but it is actually a more straightforward process than jumping through the online hoops. It seems all Autodesk would have to do is to provide an option to call the sign tool.