diff --git a/Makefile b/Makefile
index 1bf509f5..ca387266 100644
--- a/Makefile
+++ b/Makefile
@@ -76,6 +76,18 @@ TAR_XFORM_CMD ?= $(shell tar --version | grep -q 'GNU tar' && echo 's')
 # actual signature is made with SHA-256.
 CERT_SHA1 ?= 824455beeb23fe270e756ca04ec8e902d19c62aa
 
+# CERT_FILE is the PKCS#12 file holding the certificate.
+CERT_FILE ?=
+
+# CERT_PASS is the password for the certificate.  It must not contain
+# double-quotes.
+CERT_PASS ?=
+
+# CERT_ARGS are additional arguments to pass when signing Windows binaries.
+ifneq ("$(CERT_FILE)$(CERT_PASS)","")
+CERT_ARGS ?= /f "$(CERT_FILE)" /p "$(CERT_PASS)"
+endif
+
 # SOURCES is a listing of all .go files in this and child directories, excluding
 # that in vendor.
 SOURCES = $(shell find . -type f -name '*.go' | grep -v vendor)
@@ -317,13 +329,16 @@ bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz :
 	@# work properly.
 	$(MAKE) -B GOARCH=amd64 && cp ./bin/git-lfs.exe ./git-lfs-x64.exe
 	$(MAKE) -B GOARCH=386 && cp ./bin/git-lfs.exe ./git-lfs-x86.exe
-	signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-x64.exe
-	signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-x86.exe
+	@echo Signing git-lfs-x64.exe
+	@signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-x64.exe
+	@echo Signing git-lfs-x86.exe
+	@signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-x86.exe
 	iscc.exe script/windows-installer/inno-setup-git-lfs-installer.iss
 	@# This file will be named according to the version number in the
 	@# versioninfo.json, not according to $(VERSION).
 	mv git-lfs-windows-*.exe git-lfs-windows.exe
-	signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v git-lfs-windows.exe
+	@echo Signing git-lfs-windows.exe
+	@signtool.exe sign /sha1 $(CERT_SHA1) /fd sha256 /tr http://timestamp.digicert.com /td sha256 /v $(CERT_ARGS) git-lfs-windows.exe
 	mv git-lfs-x64.exe git-lfs-windows-amd64.exe
 	mv git-lfs-x86.exe git-lfs-windows-386.exe
 	@# We use tar because Git Bash doesn't include zip.
@@ -347,6 +362,12 @@ release-windows-rebuild: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz
 		); \
 		status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; exit "$$status"
 
+.PHONY : release-write-certificate
+release-write-certificate:
+	@echo "Writing certificate to $(CERT_FILE)"
+	@echo "$$CERT_CONTENTS" | base64 --decode >"$$CERT_FILE"
+	@printf 'Wrote %d bytes (SHA256 %s) to certificate file\n' $$(wc -c <"$$CERT_FILE") $$(shasum -ba 256 "$$CERT_FILE" | cut -d' ' -f1)
+
 # TEST_TARGETS is a list of all phony test targets. Each one of them corresponds
 # to a specific kind or subset of tests to run.
 TEST_TARGETS := test-bench test-verbose test-race