signercli Code Signing Certificate Commands
Legacy Code Signing Certificate Management Reference
1. Overview
The Code Signing Certificate Commands provide a legacy and convenience interface for managing certificates used specifically for code signing.
These commands allow users to:
- List available code signing certificates
- Select the active certificate
- Export the active certificate in PEM format
- Set the private key password
Note
These commands are retained for backward compatibility and ease of use.
Internally, they map to the newer and more general
signercli -certcommands.
2. Available Commands
| Command | Description |
|---|---|
signercli -codesign-list | List available code signing certificates |
signercli -codesign-id [id] | Get or set the active code signing certificate |
signercli -codesign-cert | Output the active code signing certificate (PEM) |
signercli -codesign-set | Set the private key password |
3. Description
These commands manage which code signing certificate is currently active for signing operations.
Key characteristics:
- Only certificates with code signing purpose (EKU) are listed
- The selected certificate is used by default when signing executable files
- Configuration changes affect subsequent
signercli -signoperations
4. Listing Code Signing Certificates
Command Usage
signercli -codesign-list
Lists all certificates registered on the server that are eligible for code signing.
JSON Output (for Automation)
signercli -codesign-list -format json
This output format is suitable for:
- CI/CD pipelines
- Scripting and automation
- Programmatic certificate selection
5. Managing the Active Certificate (codesign-id)
Get Current Certificate ID
signercli -codesign-id
Displays the certificate ID currently selected for code signing.
Set Active Certificate ID
signercli -codesign-id 695a44c0a3985d2d
After setting the ID:
- The specified certificate becomes the default for code signing
- Subsequent signing operations use this certificate automatically
6. Exporting the Active Certificate (codesign-cert)
Output Certificate PEM to Console
signercli -codesign-cert
Prints the PEM-encoded certificate to standard output.
Save Certificate to File
signercli -codesign-cert > cert.pem
Common use cases:
- External verification
- Certificate chain inspection
- Integration with third-party tools
The private key is never included in this output.
7. Setting the Private Key Password (codesign-set)
signercli -codesign-set
- Sets or updates the password for the private key
- Required when using password-protected keys
- Applies to the currently active code signing certificate
8. Relationship to signercli -cert
| Legacy Command | Modern Equivalent |
|---|---|
-codesign-list | signercli -cert list codesign |
-codesign-id | signercli -cert id |
-codesign-cert | signercli -cert pem |
-codesign-set | signercli -cert password |
For new deployments and advanced workflows, use signercli -cert.
9. Typical Use Cases
- Quick certificate selection in interactive sessions
- Backward compatibility with existing scripts
- Simple code signing workflows without full certificate management
10. Related Commands
| Command | Description |
|---|---|
signercli -sign <file> | Sign a file |
signercli -verify <file> | Verify signature |
signercli -cert | Full certificate management |
signercli -config | Profile-based configuration |
11. Summary
The Code Signing Certificate Commands provide a lightweight and backward-compatible interface for managing code signing certificates.
They are best suited for:
- Simple workflows
- Existing automation scripts
- Users migrating gradually to the newer
certcommand set
For full control over certificate lifecycle and storage backends, the signercli -cert command is recommended.