Saturday, February 23, 2013

Signing code with a digital certificate on Windows 7

First, download and install the Windows 7 SDK if you have not installed it yet.

Create an INF file named "cert.inf" to be used by Microsoft's certificate request utility (certreq).
It is a simple text file with content like


[NewRequest]
Subject = "CN=pixamba.com"
Exportable = FALSE
KeyLength = 4096


Some more optional fields are shown here, but you probably do not need them.
Next, open cmd.exe and run Microsoft's request generation tool there:

certreq -new cert.inf cert.req

Upload the content of the "cert.req" file to your CA and obtain a valid certificate for your certificate request. How you do this depends on which third-party CA you are using.
Given a valid certificate request file, the CA should return a valid code signing certificate, either as a file or as text which you copy and save into a file, e.g. "cert.cer".

Once you have received or created such a "cert.cer" file, run the following command on your Windows machine to accept the new certificate and install it into your certificate store:

certreq -accept cert.cer

Next, run the following command:

"C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe" sign  /v /tr "http://www.startssl.com/timestamp"  mysoftware.exe

- where "mysoftware.exe" is the binary you want to sign

Note that you might have other (probably old, expired) certificates installed on your machine. In this case you will get the following error message:

SignTool Error: Multiple certificates were found that meet all the given
        criteria. Use the /a option to allow SignTool to choose the best
        certificate automatically or use the /sha1 option with the hash of the
        desired certificate.


If the certificate you just installed is the only valid one you can use, simply add the "/a" option and signtool will select it automatically. If you have multiple valid certificates installed, tell signtool which one to use with the "/sha1" option and the certificate's hash (signtool prints it to standard output).

So your final command will probably look like this:
"C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe" sign  /a /v /tr "http://www.startssl.com/timestamp"  mysoftware.exe

This should sign the file and print output like this:

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

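When more than one certificate is installed, pinning the signing certificate by thumbprint with "/sha1" is safer than letting "/a" pick one, and checking the signature afterwards catches a wrong or expired certificate before the binary ships. The following PowerShell script is an added example, not code from the original post; it assumes the certificate installed by "certreq -accept" is in the current user's Personal store, and the signtool path and "mysoftware.exe" name are taken from the post.

```powershell
# Added example (not from the original post): choose the code-signing certificate
# explicitly for signtool's /sha1 option, sign, then verify the result.
# Assumptions: the certificate from "certreq -accept" is in Cert:\CurrentUser\My,
# signtool.exe is at the Windows 7 SDK path below, and the file to sign is mysoftware.exe.
$SignTool = "C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\signtool.exe"
$Binary   = "mysoftware.exe"
$CodeSigningEku = "1.3.6.1.5.5.7.3.3"   # Enhanced Key Usage OID for code signing

# Keep only certificates that are currently valid, carry the code-signing EKU,
# and have a private key we can actually sign with.
$now = Get-Date
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEku = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $CodeSigningEku })
    $cert.HasPrivateKey -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and $hasEku
}
if (-not $candidates) { throw "No valid code-signing certificate with a private key found." }

# These are the certificates signtool /a would choose among; the Thumbprint
# column is the value to pass to /sha1.
$candidates | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# Pin the certificate that expires last instead of relying on /a.
$signer = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
& $SignTool sign /v /sha1 $signer.Thumbprint /tr "http://www.startssl.com/timestamp" $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify with signtool (/pa = default Authenticode policy) and again from PowerShell,
# so a broken chain or a wrong certificate is caught before the binary is distributed.
& $SignTool verify /pa /v $Binary
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }
$sig = Get-AuthenticodeSignature -FilePath $Binary
if ($sig.Status -ne "Valid") { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
"Signed $Binary with $($sig.SignerCertificate.Subject) (thumbprint $($sig.SignerCertificate.Thumbprint))"
```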

I am still looking for information on how this can be done on Windows 8, since the Windows 7 SDK installation there fails with errors in the middle and there is no signtool utility in any other location on my Windows 8 machine.
