How to: Sign Messages by One Signer

[Note: This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

This example creates a CMS/PKCS #7 signed message by using System.Security.Cryptography.Pkcs. The message is signed by a single signer. The signature on that message is then verified.

This example uses the following classes:

The following example requires that a public key certificate with the subject name "MessageSigner1" be contained in the My certificate store, and that the associated private key exists.


This example is only for illustrative purposes. Production environments might use a different model in which the sender and the recipient of the message execute in different processes with their unique public key credentials.

Set up this example by using the Makecert.exe utility, one of several ways to do so. Certificate Creation Tool (Makecert.exe) is a convenient utility for generating test certificates. In a production environment, certificates are generated by a certification authority.

The following Makecert command generates the required public key certificates and private keys.

Makecert -n "CN=MessageSigner1" -ss My

// Copyright (c) Microsoft Corporation.  All rights reserved.
#region Using directives

using System;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;


namespace SigningAMessageByOneSigner
    class SignedCmsSingleSigner
        const String signerName = "MessageSigner1";

        static void Main(string[] args)
            Console.WriteLine("System.Security.Cryptography.Pkcs " +
                "Sample: Single-signer signed and verified message");
            //  Original message.
            const String msg = "This is the message to be signed.";

            Console.WriteLine("\nOriginal message (len {0}): {1}  ",
                msg.Length, msg);

            //  Convert message to array of bytes for signing.
            Encoding unicode = Encoding.Unicode;
            byte[] msgBytes = unicode.GetBytes(msg);

            Console.WriteLine("     SETUP OF CREDENTIALS     ");

            X509Certificate2 signerCert = GetSignerCert();

            Console.WriteLine("     SENDER SIDE      ");

            byte[] encodedSignedCms = SignMsg(msgBytes, signerCert);

            Console.WriteLine("     RECIPIENT SIDE     ");

            if (VerifyMsg(encodedSignedCms))
                Console.WriteLine("\nMessage verified");
                Console.WriteLine("\nMessage failed to verify");

        //  Open the My (or Personal) certificate store and search for
        //  credentials to sign the message with. The certificate
        //  must have the subject name "MessageSigner1".
        static public X509Certificate2 GetSignerCert()
            //  Open the My certificate store.
            X509Store storeMy = new X509Store(StoreName.My,

            //  Display certificates to help troubleshoot 
            //  the example's setup.
            Console.WriteLine("Found certs with the following subject " +
                "names in the {0} store:", storeMy.Name);
            foreach (X509Certificate2 cert in storeMy.Certificates)
                Console.WriteLine("\t{0}", cert.SubjectName.Name);

            //  Find the signer's certificate.
            X509Certificate2Collection certColl =
                signerName, false);
                "Found {0} certificates in the {1} store with name {2}",
                certColl.Count, storeMy.Name, signerName);

            //  Check to see if the certificate suggested by the example
            //  requirements is not present.
            if (certColl.Count == 0)
                    "A suggested certificate to use for this example " +
                    "is not in the certificate store. Select " +
                    "an alternate certificate to use for " +
                    "signing the message.");


            //  If more than one matching cert, return the first one.
            return certColl[0];

        //  Sign the message with the private key of the signer.
        static public byte[] SignMsg(
            Byte[] msg,
            X509Certificate2 signerCert)
            //  Place message in a ContentInfo object.
            //  This is required to build a SignedCms object.
            ContentInfo contentInfo = new ContentInfo(msg);

            //  Instantiate SignedCms object with the ContentInfo above.
            //  Has default SubjectIdentifierType IssuerAndSerialNumber.
            //  Has default Detached property value false, so message is
            //  included in the encoded SignedCms.
            SignedCms signedCms = new SignedCms(contentInfo);

            //  Formulate a CmsSigner object for the signer.
            CmsSigner cmsSigner = new CmsSigner(signerCert);

            //  Sign the CMS/PKCS #7 message.
            Console.Write("Computing signature with signer subject " +
                "name {0} ... ", signerCert.SubjectName.Name);

            //  Encode the CMS/PKCS #7 message.
            return signedCms.Encode();

        //  Verify the encoded SignedCms message and return a Boolean
        //  value that specifies whether the verification was successful.
        static public bool VerifyMsg(byte[] encodedSignedCms)
            //  Prepare an object in which to decode and verify.
            SignedCms signedCms = new SignedCms();


            //  Catch a verification exception if you want to
            //  advise the message recipient that 
            //  security actions might be appropriate.
                //  Verify signature. Do not validate signer
                //  certificate for the purposes of this example.
                //  Note that in a production environment, validating
                //  the signer certificate chain will probably
                //  be necessary.
                Console.Write("Checking signature on message ... ");
            catch (System.Security.Cryptography.CryptographicException e)
                Console.WriteLine("VerifyMsg caught exception:  {0}",
                Console.WriteLine("Verification of the signed PKCS #7 " +
                    "failed. The message, signatures, or " +
                    "countersignatures may have been modified " +
                    "in transit or storage. The message signers or " +
                    "countersigners may not be who they claim to be. " +
                    "The message's authenticity or integrity, " +
                    "or both, are not guaranteed.");
                return false;

            return true;