There is a great question and answer at the link below:
How do I create a self-signed certificate for code signing on Windows?
I am a little confused about the two procedures listed ((a) Creating a self-signed Certificate Authority and (b) Creating a code-signing (SPC) Certificate). Do we do (a) and then do (b), or is it an either/or?
Creating a self-signed Certificate Authority (CA)
makecert -r -pe -n "CN=My CA" -ss CA -sr CurrentUser -a sha256 -cy authority -sky signature -sv MyCA.pvk MyCA.cer
Creating a code-signing (SPC) Certificate
makecert -pe -n "CN=My SPC" -a sha256 -cy end -sky signature -ic MyCA.cer -iv MyCA.pvk -sv MySPC.pvk MySPC.cer
Important disclaimer: This of course assumes that these certificates are for internal use only; if you wanted a code-signing certificate that would be trusted by customers, you would skip step (a) and pay an actual CA (one whose certs are already trusted by your customers) to sign your code-signing certificate for you.
You create a (self-signed) CA certificate first (a), then use it to sign your code-signing certificate (b).
You could skip step (a) and just create a self-signed code-signing certificate instead, but there are advantages to creating your own CA cert:
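The same two-step procedure (a self-signed CA first, then a code-signing certificate issued by that CA), written as an added example with the built-in PKI cmdlets rather than the deprecated makecert.exe. This is not code from the original question or answer; the store location (Cert:\CurrentUser\My), the subject names, the validity periods and the output paths under $env:TEMP are assumptions. -KeySpec Signature plays the role of makecert's -sky signature, -KeyUsage CertSign plus the CA=true basic-constraints extension play the role of -cy authority, and -Signer replaces -ic/-iv.

```powershell
# Added example: CA-then-leaf code-signing chain with New-SelfSignedCertificate.
# Assumed values: store path, subject names, lifetimes, $env:TEMP output paths.
$store = "Cert:\CurrentUser\My"

# (a) Self-signed CA certificate (equivalent of makecert -r -cy authority).
#     CertSign key usage and the CA=true basic constraint make it a usable issuer.
$ca = New-SelfSignedCertificate `
    -Type Custom -KeySpec Signature `
    -Subject "CN=My CA" `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.19={text}ca=true") `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation $store

# (b) Code-signing (SPC) certificate issued by (a) (equivalent of makecert -cy end -ic/-iv).
#     EKU 1.3.6.1.5.5.7.3.3 is Code Signing; ca=false keeps the leaf from acting as an issuer.
$spc = New-SelfSignedCertificate `
    -Type Custom -KeySpec Signature `
    -Subject "CN=My SPC" `
    -Signer $ca `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}ca=false") `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation $store

# Export only the CA's public certificate (the makecert MyCA.cer equivalent);
# the private keys stay in the user's store instead of .pvk files on disk.
Export-Certificate -Cert $ca -FilePath "$env:TEMP\MyCA.cer" | Out-Null

# Check that the leaf chains to the CA and carries the Code Signing EKU.
# -AllowUntrustedRoot is needed because "My CA" is not in a Trusted Root store.
$chainOk = Test-Certificate -Cert $spc -AllowUntrustedRoot -EKU "1.3.6.1.5.5.7.3.3"
Write-Output "Leaf chains to CA with Code Signing EKU: $chainOk"

# Sign a constructed script with the leaf certificate and inspect the result.
$script = "$env:TEMP\hello.ps1"
Set-Content -Path $script -Value 'Write-Output "hello"'
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $spc -HashAlgorithm SHA256
Write-Output "Signature status: $($sig.Status)"
Write-Output "Signed by:        $($sig.SignerCertificate.Subject)"
```

Test-Certificate should report $true straight away, but the Authenticode status will not be Valid on any machine until MyCA.cer has been imported into that machine's Trusted Root Certification Authorities store, which is exactly the "internal use only" caveat in the quoted disclaimer: your own CA is trusted only where you deliberately install it.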