Download and Install Code Signing on Rutoken

Aug 19, 2025

Download and Install Code Signing on Rutoken

On this page

• DOWNLOAD AND INSTALL CERTIFICATE USING FORTIFY    

• USING CODE SIGNING                                                                       
  Rutoken version 4.17.0.0 and above
  Rutoken version 4.17.0.0 and below

Download and Install Certificate using Fortify

Prerequisites

• Approved and vetted GlobalSign Code Signing Certificate.

• GlobalSign-provided eToken.

• Downloaded and installed Fortify App in your operating system. Ensure that you meet the following system requirements: 
  
  • Browsers supported by Fortify: Microsoft Edge, Safari, Firefox and Chrome
  • OS supported by Fortify: MAC OS 10.12 or higher, Windows 7 or higher, and Ubuntu 16.04 or higher

• Downloaded and installed Rutoken drivers. 

• For Certificate pickup, you must have access to a Windows PC to proceed. Once the Certificate is installed and stored in the removable device, you may sign from other platforms such as OS X.

Guidelines

1. Open the Certificate Download Ready email and launch the pickup link using any browser. 
2. Enter the Temporary Pickup Password that was set at the time of ordering and click Next to continue. 
   
   
3. Tick I agree to the terms above box, then click Next. 
   
   

4. A pop-up window for the authorization of code will appear on the Access Permission and on Fortify Authorization. If the both codes matched, click Approve to continue. 
   
   

5. In the Create Certificate Request or Self-Signed Certificate window, review the DN or Certificate Identity Detail Information. Then, click Create to continue. Note: If you haven't yet, make sure that your eToken is plugged in to your computer at this point. 

6. A pop-up window will appear, then enter the token password. Note: Please wait for a while as it will take a few seconds to process. 
   
   

7. On the Install Certificate window, under Select Provider, select Rutoken. Then, click Start to proceed. 

8. Once Certificate is successfully installed on the token (or local certificate store), a pop-up confirmation window will appear. Click on OK. 
   
    

Code Signing on Rutoken

Prerequisites

• Downloaded and installed GlobalSign Code Signing Certificate

• Windows Software Development Kit (SDK) for Windows 8.1

• SHA-256 orders may additionally require GlobalSign Code Signing Root R45 (R3 cross).

  IMPORTANT: The Code Signing Root R45 (R3 cross) will need to be installed on the signing computer but not specified as an additional certificate during the signing procedure.

   

Important SignTool Options

1. /ac - Specify an Additional Certificate.
2. /a - Automatically selects the best certificate to sign the file from your Windows Certificate Store.
3. /n "Certificate Common Name" Specifies the certificate to sign the file from your Windows Certificate Store using the certificate common name.
4. /fd SHA256 - Specify the file digest algorithm used in creating file signatures.
5. /t - Specify a Microsoft Authenticode-compatible time stamp server.
6. /tr - Specify an RFC 3161 compliant trusted time stamp server. *Recommended*
7. /td SHA256 - Must be called after "/tr", this command specifies the TimeStamp digest algorithm. *Recommended*}
   TimeStamp URLs: SHA-2 based: http://timestamp.globalsign.com/tsa/r6advanced1

Rutoken version 4.17.0.0 and above

1. You can either sign files out of a working directory or you can place them in your Windows SDK\bin folder.

2. Open the Command Prompt: Windows 7: Start > Run > cmd, or for Windows 8 - 10, press the Windows Key, then type cmd and press enter.

3. Navigate to the directory with signtool.exe.

4. Use the following command to sign your file:
   signtool sign /a /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td SHA256 /fd SHA256 c:/path/to/your/file.exe

5. Enter your Token Password. If the signing is successful, you will see a prompt informing you so.

6. To verify the successful signature, use the following commands:
   Authenticode: signtool verify /v /pa
   Kernel Driver Signing: signtool verify /v /kp

You may also verify the signature within the properties of the file, under the Digital Signatures tab.

Rutoken version 4.17.0.0 and below

1. Install the latest java. (jdk and jre). Note: It’s required for keytool and signing a file.

2. Search where the file is located: "rtPKCS11ECP.dll", f.i.. C:\Windows\System32\rtPKCS11ECP.dll
   Note: You can get it from the SDK website: https://www.rutoken.ru/developers/sdk

3. Download the latest release of jsign from this link and add the file to the library (java jdk bin folder).

4. Create a file called "eToken.cfg". Add the path to the library and the number of the slot into which the token is connected (if there is one on the machine, then most likely on the zero slot), as shown below, and add the file to the library (java jdk bin folder):
   
   name = OpenSC-PKCS11
   description = SunPKCS11 via OpenSC
   library = C:\Windows\System32\rtPKCS11ECP.dll
   slotListIndex = 0

5. Run CMD (Command Prompt) as Administrator and specify the path to the Java jdk bin folder.

6. Get a list of Certificates on your token by using this command:
   
   keytool -list -v -keystore NONE -storetype PKCS11 -storepass 12345678 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
   
   Whereas, "-storepass 12345678" is the password for your token.

7. You need a certificate field: "Alias name" (f.i.., Alias name: RSA)

8. Sign the file "File.exe":
   
   java -jar jsign-5.0.jar --keystore eToken.cfg --alias "RSA" --storetype PKCS11 --storepass 12345678 --alg SHA-256 --tsaurl
   http://timestamp.globalsign.com/tsa/r6advanced1 --tsmode RFC3161 File.exe