Getting a Software Publisher Certificate

Before you can sign files, you need to obtain a Software Publisher Certificate (SPC). To do this, you must make a request to a Certification Authority. During the application process, you must generate a key pair and provide the Certification Authority with identification information, such as your name, address, and public key. You must also make a legally binding pledge that you cannot and will not distribute software you know or should have known contains viruses or will otherwise maliciously harm the user's machine or code.

For more information about obtaining a Software Publisher Certificate (SPC), see http://www.microsoft.com/intdev/security/authcode/codesign.htm. To apply for a certificate, see http://www.microsoft.com/intdev/security/authcode/certs.htm. To create a test certificate to test signing your files, see Making a Test Software Publisher Certificate.

The Certification Authority generates a Software Publisher Certificate that conforms to the industry standard X.509 certificate format with Version 3 extensions. The certificate identifies you and contains your public key. It is stored by the Certification Authority for reference and a copy is returned to you via electronic mail. After accepting the certificate, you should include a copy in all published software signed with the private key.
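When the certificate arrives, it is worth confirming that it matches the description above before you sign anything with it. The following is an added example, not part of the original documentation: it assumes the OpenSSL command-line tool and PEM-encoded files, uses a locally constructed self-signed certificate as a stand-in for one issued by a Certification Authority, and the function names `make_constructed_pair` and `check_spc` are hypothetical.

```shell
#!/bin/sh
# Added example: check that a returned certificate is X.509 v3, names you,
# and carries the public key belonging to the private key you generated.

# make_constructed_pair DIR NAME
# Writes DIR/key.pem and DIR/cert.pem. The certificate is a constructed,
# self-signed stand-in for a CA-issued one so the checks can run offline.
make_constructed_pair() {
    cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $2
[ext]
keyUsage = digitalSignature
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# check_spc CERT KEY NAME
# Prints "ok" and returns 0 only if every check passes.
check_spc() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
        { echo "unreadable certificate"; return 1; }

    # X.509 version 3 is encoded as the integer 2.
    printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' ||
        { echo "not an X.509 v3 certificate"; return 1; }

    # The subject must identify the publisher you applied as.
    openssl x509 -in "$1" -noout -subject | grep -qF "$3" ||
        { echo "subject does not name $3"; return 1; }

    # The certificate's public key must be the one derived from your private key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "public key does not match private key"; return 1; }

    echo "ok"
}

# Demonstration on constructed data.
tmp=$(mktemp -d) && make_constructed_pair "$tmp" "Example Publisher" &&
    check_spc "$tmp/cert.pem" "$tmp/key.pem" "Example Publisher"
rm -rf "$tmp"
```

A key mismatch here means the certificate was issued for a different key pair, and files signed with your private key would not verify against it.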