3 April 2020

Pull Certificate from Digitally Signed Application

Most companies will use a certificate to sign their applications before they release their software to the world. This helps the user know to that the software they are running actually came from the software vendor, and hasn’t been altered or changed by someone.

Certificates are based on key pairs. There is a public key, and a private key. In terms of digitally signing an application, the public key is often just referred to as the Certificate.

How it works, in simpified terms… The software vendor holds a private key, and they guard it, keeping it safe in their organization. You can also think of is their fingerprint that they’ll use when signing something as it is unique. The public key is what we can see. Using a hash in the digitally signed application, we can use their public key, to see is if the hash value can be verified. If it checks out then we know that the digital signature is valid. If it doesn’t, well then we know the signature has been altered.

The I’ll show you below how you can pull the public half of the Certificate from an application. In this example we’ll pull Adobe’s certificate from Adobe Reader DC.


Right click on the application you want the signature of and select “Properties”

Click the “Digital Signature” tab, select the signature, then click the “Details” button.

Note: If you do not see the “Digital Signature” tab, then the file is not digitally signed.

Click the “View Certificate” button.


Click the “Details” tab and then select the “Copy to File” button.

Follow the “Certificate Export Wizard”.

After completing the export wizard, you’ll have the digital signature certificate of the digitally signed application.


Here’s an article I wrote that includes how to set a software restriction GPO policy using a certificate rule.