OK,
das Zertifikat ist jetzt im Zertifikatsspeicher\Aktueller Benutzer\Eigene Zertifikate\Zertifikate

Commandozeile ist:

Ergebnis:
SignTool Error: No certificates were found that met all the given criteria.

Was läuft da falsch?

This only will work if the store has also the private key for this certificate !
You can check for the small key icon in the store, or open the certificate and it will the private key do exist and stored like these screenshots
Cert1.png
cert2.png

Also notice my old and expired Sectigo issued certificate doesn't have key, as i didn't imported it, so can't be used for signing automatically.

while my Kas issued by Kas is root one and does have key, but it is not for code signing, it is for different usage, and IIS will automatically use/offer it for localhost on my device.

My certificate doesn't show this private key. And I dont't know even if I have a private key. I have a passwort that I used with the old p12 certificate.

From where do I get a private key?

Ich kenne DigiCert nicht, aber vielleicht hilft das DigiCert Certificate Utility weiter? Ansonsten kannst du auch deren Hotline anrufen oder den Support schriftlich kontaktieren. Soweit ich gehört habe, antworten die recht schnell.

Seit 01.06.2023 dürfen Paare von privaten und öffentlichen Schlüsseln nur noch über Hardware-Sicherheitsmodule (USB-Stick, Crypto-Card) ausgeliefert werden.
Du hast damit keinen Zugriff mehr auf den privaten Schlüssel, der bleibt im Hardwaremodul.
Aber für diese Module gibt es Software/Treiber, die das MS-Signtool ansprechen und damit auch die Software signaieren kann.
Alle notwendigen Infos solltest du auf der Webseite des Zertifikatsanbieter finden.

Well, only you and the support can answer the question where is your private key.
See, i have no knowledge for USB/Hardware Token per se, but i know and read RFCs, in fact all code signing certificate (per standard) issued by a CSR (Code Signing Request), this happen either manually or automatically, manually when you build your CSR while the private key stay on device, or automatically, by software you are running like a Browser (namely Internet Explorer, Edge or FireFox to my knowledge only these are supported and capable), the difference is Edge and Internet Explorer (using applet or whatsoever) will generate the key and import it to your OS store and never send it with the CSR, the issuer will generate the certificate (that include your public key from the pair auto generated) from the CSR and sign it, while FireFox will do the same only will save it to its Store !, FireFox has its own store.

You didn't give any more detail, how and using what did you download your certificates, did you use some specified browser as per their request (almost all providers ask for that),... do you have a cabinet or account ? When and Where your CSR had being generated and stored ?...
There is many questions here, and the strange thing i can't find a nice, helpful and detailed resources on the internet explain this matter , may be there is and someone can point it.

As for the latest modification to lock all of these to Hardware Token, i don't have knowledge on how and where CSR (with private key generated) as if they are being sent with already flashed key then the whole thing is farce and circus, and will collapse sooner or later (yes this is a prophecy by me), this must not be the case nor how security should be implemented.

As Sebastian said, their support is your best answer, most likely you are not sure, and they should revoke this certificate and issue new one, and (in theory) their utility should be communicate with their servers and issue a new one, where they (as they will might say) the private key didn't leave you device (PC/token/USB), but who knows and who can tell ?!! yet again this is in theory and my imagination on how it should be done, if it can't be done remotely then either they will ask you send the token back or issue new one for you,
Yet again, you didn't even mention if you have a hardware token, or you ordered and completed the request, then may be they issued the certificate, sent it you in anticipation for the USB/Token to be delivered by mail (shipping i mean) ...

So many questions and so many variables, so sorry ....

So, zusammen mit dem DigiCert Support habe ich das Signieren jetzt über den DigiCert KeyLocker hinbekommen. Ist aber schon eine Wissenschaft für sich.