Joining GoDaddy-issued .spc and .key files into a complete .pfx / .cer certificate

certificatecode-signingkeypfxspc

I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in .key file. The code signing has been issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issues.

Now I'm facing the problem of joining the original private key file with the issues certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.

The command I'm trying is:

openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export

However, I'm getting an error message that reads “No certificate matches private key”.

I've followed this answer on SO to verify the .key file is a valid private key. However, when I try to verify that .spc is a valid certificate, I just get

unable to load certificate 
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

What's the correct way of producing an .pfx file from my inputs? I'm using OpenSSL 0.9.8k.

Best Answer

In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:

Obtain your new CodeSign.spc certificate from GoDaddy.

Export a PEM-formatted private key from the expired PFX:

openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem

Convert the PEM-formatted private key into the PVK format:

pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk

Combine the PVK and SPC into PFX:

pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f

Import the resulting PFX file into Windows certificate store. Remember to make it exportable.
Export it from the certificate store into the binary CER format as CodeSign.cer.
Optionally delete the certificate from the Windows certificate store.

In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).

UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to covert it into SPC:

openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc

Sources:

The tools you will need:

OpenSSL
pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010

Related Solutions

C# – “An internal error occurred.” when loading pfx file with X509Certificate2

Use the local computer store for the private key:

X509Certificate2 cert = new X509Certificate2("myhost.pfx", "pass",
    X509KeyStorageFlags.MachineKeySet);

MachineKeySet is described as "private keys are stored in the local computer store rather than the current user store". The default with no flags is to place in the user store.

Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.

Another approach (as per some comments below) is to modify the IIS Configuration or App Pool identity -- which do work. However, this assumes that there is access to these configuration items which may not be the case (e.g. in a shared hosting environment).

Visual-studio – Cannot import the keyfile ‘blah.pfx’ – error ‘The keyfile may be password protected’

I was running into this problem as well. I was able to resolve the issue by running
sn -i <KeyFile> <ContainerName> (installs key pair into a named container).

sn is usually installed as part of a Windows SDK. For example C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\sn.exe. Most likely this location is not on the search path for your standard environment. However, the "Developer Command Prompt" installed by Visual Studio adds additional information that usually includes the correct location.

Based on your post that would look like

sn -i companyname.pfx VS_KEY_3E185446540E7F7A

This must be run from the location of your PFX file, if you have the solution loaded in VS 2010 you can simply right click on the pfx file from the solution explorer and choose Open Command Prompt which will launch the .net 2010 cmd prompt tool in the correct directory.

Before running this sn command I did re-install the pfx by right clicking on it and choosing install however that did not work. Just something to note as it might be the combination of both that provided the solution.

Hope this helps solve your problem.

Best Answer

Related Solutions

C# – “An internal error occurred.” when loading pfx file with X509Certificate2

Visual-studio – Cannot import the keyfile ‘blah.pfx’ – error ‘The keyfile may be password protected’

Related Topic