openssl.exe, signtool.exe and osslsigncode.exe are command line tools (no GUI) for Windows, which allow you to execute cryptographic tasks.
OpenSSL is an open source project. Its source code is available on GitHub, but not the binaries. There are instructions for compiling binaries for different platforms, including Windows, but it is not an easy task. Fortunately, according to the OpenSSL wiki, several sources provide OpenSSL binaries:
FireDaemon provides installers for Windows.
All the files are signed with a true/valid EV certificate from Sectigo :-)
Overbyte provides a light and portable (.zip) version.
All the files are signed with a true/valid certificate from Sectigo :-)
The Shining Light Productions provide 2 installers for each realease of OpenSSL.
The ‘Win64 OpenSSL v3.x.x Light’ is sufficient for what we have to do.
It is regrettable that no files are signed :-(
Note: The open source project MSYS2 provides a huge number of applications
(mainly from the Linux world) running natively on Windows.
Once MSYS2 is installed, you can install the openssl package with the command: pacman -S openssl
This solution is overkill if you just need openssl.exe
Version used in this documentation:
> openssl.exe version
OpenSSL 3.6.0 1 Oct 2025 (Library: OpenSSL 3.6.0 1 Oct 2025)
Any openssl version 3.x should work.
osslsigncode.exe being a replacement for signtool.exe, you only need one of the two tools.
SignTool is a proprietary tool provided by Microsoft in the Windows SDK.
After installing the SDK 10.0, the path to signtool.exe looks like
` C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe`
Of course, the exact path depends on the specific release of the SDK.
> signtool.exe /?
Usage: signtool <command> [options] or signtool @<response file>
Valid commands:
sign -- Sign files using an embedded signature.
timestamp -- Timestamp previously-signed files.
verify -- Verify embedded or catalog signatures.
catdb -- Modify a catalog database.
remove -- Remove embedded signature(s) or reduce the size of an embedded signed file.
Note: There is no way to display the version of signtool.exe
osslsigncode.exe being a replacement for signtool.exe, you only need one of the two tools.
osslSignCode is an open source replacement for SignTool using the OpenSSL libraries (ssl-3-x64.dll and crypto-3-x64.dll)
Its source code and
binary are available on GitHub.
> osslsigncode.exe --version
osslsigncode 2.10, using:
OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)
No default -CAfile location detected
Please send bug-reports to Michal.Trojnara@stunnel.org
Surprisingly, no files are signed or self-signed (for now?).