It is often desirable to automate the process of using signtool.exe to digitally sign compatible files (for example .cab, .msi, .exe, .dll, .ocx) for distribution.
If you signed up with a certificate provider such as Verisign and went through the somewhat tedious but necessary verification exercise, you'll probably have found yourself left at the end of things with a private key (extension .pvk) and a set of certificates they supplied (extension .spc).
Rather than having to import these certificates into the local store on each machine you need to do a build on, you can have signtool.exe work with a single PFX file, which is a complete certificate store (including the private key).
To create the PFX file, all you need is the PVKIMPRT.exe tool which you can download from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN
Simply run the tool as follows:
pvkimprt.exe -pfx <yourspc.spc> <yourpvk.pvk>
A dialog will pop up asking for the password to the private key, and a final dialog lets you select the output filename.
You are now ready to use signtool.exe at the command line with the "sign" switch (instead of "signwizard"). Assuming you want to digitally sign and timestamp MyInstaller.msi with MyPfxFile.pfx, the command line would be something like this:
signtool.exe sign /f MyPfxFile.pfx /p MyPrivateKeyPassword /d "My Product Name" /du "http://www.myproducturl.com" /t "http://timestamp.verisign.com/scripts/timestamp.dll" "MyInstaller.msi"
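
For an unattended build, the same command can be wrapped in a script that signs several files, stops the build if any signature fails, and keeps the PFX password out of the build script itself. The PowerShell below is an added example, not part of the original post. It assumes signtool.exe is on PATH and that the build system sets a hypothetical SIGN_PFX_PASSWORD environment variable; the script name Sign-BuildOutput.ps1 is also made up.

```powershell
# Added example: sign and verify build outputs with signtool.exe and a PFX file.
# Usage: .\Sign-BuildOutput.ps1 -PfxPath MyPfxFile.pfx -Files MyInstaller.msi
param(
    [Parameter(Mandatory = $true)][string]   $PfxPath,
    [Parameter(Mandatory = $true)][string[]] $Files,
    [string] $Description  = 'My Product Name',
    [string] $ProductUrl   = 'http://www.myproducturl.com',
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

# SIGN_PFX_PASSWORD is an assumed variable name; set it in the build system's
# secret store so the password never appears in source control.
$password = $env:SIGN_PFX_PASSWORD
if ([string]::IsNullOrEmpty($password)) {
    throw 'SIGN_PFX_PASSWORD is not set; cannot sign in an unattended build.'
}
if (-not (Test-Path -LiteralPath $PfxPath -PathType Leaf)) {
    throw "PFX file not found: $PfxPath"
}

$failed = @()
foreach ($file in $Files) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Warning "Missing file: $file"
        $failed += $file
        continue
    }

    # Same switches as the command line above. The password is still passed to
    # signtool via /p, so do not let the build tool echo this command to its log.
    & signtool.exe sign /f $PfxPath /p $password /d $Description /du $ProductUrl /t $TimestampUrl $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "signtool sign failed for $file (exit code $LASTEXITCODE)"
        $failed += $file
        continue
    }

    # /pa checks the file against the default Authenticode verification policy,
    # confirming that the signature just applied chains to a trusted root.
    & signtool.exe verify /pa $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "signtool verify failed for $file (exit code $LASTEXITCODE)"
        $failed += $file
    }
}

if ($failed.Count -gt 0) {
    throw "Signing failed for: $($failed -join ', ')"
}
Write-Host "Signed and verified $($Files.Count) file(s)."
```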