Joining GoDaddy-issued .spc and .key files into a complete .pfx / .cer certificate
I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in a .key file. The code signing certificate was issued some 13 months ago; it then expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issued.

Now I'm facing the problem of joining the original private key file with the issued certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.

The command I'm trying is:

openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export

However, I'm getting an error message that reads “No certificate matches private key”.

I've followed this answer on SO to verify the .key file is a valid private key. However, when I try to verify that .spc is a valid certificate, I just get

unable to load certificate 
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

What's the correct way of producing a .pfx file from my inputs? I'm using OpenSSL 0.9.8k.

Miyamoto answered 13/1, 2011 at 16:44 Comment(2)
Are you using IE8? Godaddy code signing script does not work with IE8. use firefoxScrope
No. I'm using Chrome 9 and FireFox 9. Nevertheless I can't see any connection between IE8 and my problem.Miyamoto
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:

  1. Obtain your new CodeSign.spc certificate from GoDaddy.
  2. Export a PEM-formatted private key from the expired PFX:

    openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem
    
  3. Convert the PEM-formatted private key into the PVK format:

    pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk
    
  4. Combine the PVK and SPC into PFX:

    pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f
    
  5. Import the resulting PFX file into the Windows certificate store. Remember to make it exportable.

  6. Export it from the certificate store into the binary CER format as CodeSign.cer.
  7. Optionally delete the certificate from the Windows certificate store.

In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).

UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to convert it into SPC:

openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc

Sources:

The tools you will need:

  • OpenSSL
  • pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
  • pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010
Miyamoto answered 24/3, 2011 at 15:20 Comment(11)
This answer does not include information about how to work with the .key file as mentioned in the original question. In the above process, did you not need to use the .key file?Hudspeth
No, as mentioned in my answer, I had to use the pfx file to export the private key into the PEM format. I haven't used the key file ever since; I always follow the abovementioned steps every year when renewing our code signing certificate.Miyamoto
Understood - this is assuming that there is an original pfx (expired) to start with, correct? In my case, I do not have a PFX - that's what I'm trying to get to. I basically picked up your instructions at pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk but in my case CodeSign.pem was CodeSign.key (which is as I understand just a PEM formatted private key, that could just as easily be named CodeSign.pem as well). Thanks for your help!Hudspeth
Yes, I had the original (expired) PFX. I have a practice of having all such important files stored in a Subversion repository, so we don't lose them (including the history). All the private keys being encrypted ensures this is secure, too. On the other hand, we are avoiding importing complete public/private pairs into Windows' certificate store with exportable private keys, so it's quite important to keep the PFX separately.Miyamoto
Didn't work for me, I get the following: ERROR: Cannot find certificates that match the key. (Error Code = 0x80070490).Kelp
Was able to complete the instructions with the new key file (using @Ryan's method, of substituting the .pem for the .key file) -- but the certificate isn't actually working to create strong name assemblies it says "Failed to extract public key from key pair -- keyset does not exist" (the old .pfx file worked fine for this).Kelp
Did you specify the correct keyset name? Did you run cmd as administrator?Miyamoto
Ondrej Tucny's answer worked for me, with one modification: I needed to add the "-nodes" parameter to the first step (openssl.exe). To convert to P12, use Firefox: Tools, Options, Advanced, Certificates, View Certificates, Import PFX, Backup to P12.Relish
Fantastic! The pvk.exe is not available at the website of drh-consultancy anymore but you find a mirror of the file at tech-pro.net/export-to-pvk-spc.htmlSuborn
@StefanWanitzek Thanks for pointing that out. Updated in the answer.Miyamoto
The mirror of pvk.exe was blocked at work as "containing malware". I was able to use Nikita Krasnov's answer and avoid the need of any additional software other than OpenSSL.Beckett
I had a similar issue and I spent at least a few hours searching around for a solution. GoDaddy provided me with .spc and .pem files and I couldn't create a .pfx file out of them using OpenSSL. Finally, I imported the .spc file on my local computer using MMC. Once the certificate was imported on my local machine, I noticed that it brought in GoDaddy's chain file along with the Code Sign Cert file itself.

MMC View

Now, select both files and right-click to export as a .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and most straightforward solution. Hope this post helps many people.

Sooty answered 1/10, 2018 at 17:42 Comment(1)
THANK YOU! This solved my problem as well after hours of searching. You're a life saver.Textbook
You can create PFX with openssl only.

  1. Export a PEM-formatted private key from the expired PFX:

    openssl pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem

  2. Create the PFX:

    openssl pkcs7 -in CodeSign.spc -inform der -print_certs | openssl pkcs12 -export -inkey CodeSign.pem -out CodeSign.pfx
Biddy answered 18/9, 2018 at 12:40 Comment(1)
I kept trying these steps via a WSL command-line and it would not work (the second step would fail, complaining about the private key). I eventually realized that you MUST provide a PEM pass phrase for the first step. This is in addition to any import password you may have had on the original PFX file.Molech
The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.

For anyone else looking for similar information, here is what I ended up using...

Get the private key:

openssl pkcs12 -in certs-and-key.p12 -nocerts -out privateKey.key

Get the certificate:

Beware: This can give you the CA cert

openssl pkcs12 -in certs-and-key.p12 -out certificate.crt -nokeys

Better: Use this command to print only the client cert

openssl pkcs12 -in MacCossLabUW.p12 -clcerts

Then copy the output between:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Save it to a file named certificate.crt

Now check that the private key and certificate match with the commands:

openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5

Then generate a new CSR:

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Use the CSR to Re-Key the certificate.

Download the GoDaddy software publishing certificate (.spc) file.

Verify that the generated certificate matches the request private key:

openssl pkcs7 -inform DER -in certificate.spc -print_certs

Then copy the output between for your certificate (Note: the output will also contain CA certs):

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Save to a file named certificate-new.crt

And run the command:

openssl x509 -noout -modulus -in certificate-new.crt | openssl md5

The output should match the previous call used with the private key and request certificate.

To finish the process, follow the steps outlined in the answer with pvk2pfx.

I also found the schematic diagram in this post quite helpful:

PVK2PFX Error 0x80070490 - Cannot find certificates that match the key

Fezzan answered 2/3, 2012 at 1:7 Comment(0)
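Worked example, added here and not code from any of the answers above: it runs the OpenSSL-only route from Biddy's answer, the CRT-to-SPC conversion from the UPDATE in the accepted answer, and the "does the key match the certificate" modulus check from Fezzan's answer, end to end, against a constructed (throw-away) CA and leaf certificate that stand in for the GoDaddy-issued chain. The CA is deliberately placed first inside the .spc so that "-print_certs" does not hand you the leaf first, and an unrelated key is used once to show that a non-matching key is refused with the same "No certificate matches private key" error the question reports. File names, subjects and the "changeit" password are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from any answer on this page). Runs offline against a
# constructed CA + leaf certificate standing in for the GoDaddy-issued chain.
# File names, subjects and the password "changeit" are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Returns 0 when the RSA modulus of private key $1 equals that of certificate $2.
# Same check as "openssl rsa -modulus" vs "openssl x509 -modulus" in the answer,
# comparing the strings directly instead of their md5.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Splits the PKCS#7/DER .spc ($1) into its certificates, copies the one whose
# modulus matches private key $2 to $3, and appends the others (the CA chain)
# to $4. Handles the "-print_certs also gives you the CA cert" pitfall.
extract_leaf_from_spc() {
  rm -f spc-cert-*.pem; : > "$4"
  openssl pkcs7 -inform DER -in "$1" -print_certs | awk '
    /-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
    p { print > ("spc-cert-" n ".pem") }
    /-----END CERTIFICATE-----/   { p = 0; close("spc-cert-" n ".pem") }'
  found=1
  for f in spc-cert-*.pem; do
    [ -f "$f" ] || continue
    if key_matches_cert "$2" "$f"; then cp "$f" "$3"; found=0; else cat "$f" >> "$4"; fi
  done
  rm -f spc-cert-*.pem
  return $found
}

# Builds the PFX from key $1, leaf cert $2, chain $3 into $4 with password $5.
# OpenSSL itself refuses a key that does not match the certificate.
build_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# --- constructed test material (stand-in for the GoDaddy CA and your cert) ---
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Code Signer" \
  -keyout CodeSign.key -out CodeSign.csr 2>/dev/null
openssl x509 -req -in CodeSign.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
  -out CodeSign.crt 2>/dev/null
# CRT -> SPC as in the accepted answer's UPDATE; CA first so the leaf is NOT first
openssl crl2pkcs7 -nocrl -certfile ca.crt -certfile CodeSign.crt -outform DER -out CodeSign.spc
# An unrelated key, standing in for a .key that does not belong to this .spc
openssl genrsa -out other.key 2048 2>/dev/null

# --- the procedure ------------------------------------------------------------
extract_leaf_from_spc CodeSign.spc CodeSign.key CodeSign-leaf.pem CodeSign-chain.pem
key_matches_cert CodeSign.key CodeSign-leaf.pem
echo "key matches the leaf certificate extracted from the SPC"
build_pfx CodeSign.key CodeSign-leaf.pem CodeSign-chain.pem CodeSign.pfx changeit
openssl pkcs12 -in CodeSign.pfx -passin pass:changeit -nokeys -clcerts 2>/dev/null \
  | openssl x509 -noout -subject

# The wrong key reproduces the error from the question instead of a bad PFX
if build_pfx other.key CodeSign-leaf.pem CodeSign-chain.pem wrong.pfx changeit 2>/dev/null; then
  echo "unexpected: PFX built with a non-matching key"; exit 1
fi
echo "non-matching key was refused, as expected; files left in $WORK"
```

Run it with any OpenSSL 1.1 or 3.x; the two helper functions are the reusable part: point extract_leaf_from_spc at your real .spc and .key to pull out the certificate that actually belongs to your key, and let build_pfx do what the pvk/pvk2pfx detour in the accepted answer does without any extra tools.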
For anyone still looking for an answer on how to do this, I just spent a day figuring this out and had to do a mix of things listed in this post. If you are using git-bash on windows, I had to add winpty to the beginning of all calls using openssl or else it would get stuck in the void. The pseudo steps were as follows:

  1. Generate a private key and CSR using openssl:

    openssl req -newkey rsa:2048 -keyout private.key -out my.csr

  2. Generate a PVK using the private key with openssl:

    openssl rsa -in private.key -outform PVK -pvk-strong -out codesign.pvk

  3. Use the CSR in the generation of the code sign certificate on Godaddy.
  4. Download the Zip from Godaddy and extract the SPC file (as mentioned by OP).
  5. Use pvk2pfx to combine the PVK and the SPC file into a code sign certificate. This was included in the same SDK (and directory) as signtool itself:

    pvk2pfx.exe -pvk codesign.pvk -spc SPC_FILEPATH_HERE -pfx codesign.pfx -pi PVK_PASSWORD -po PFX_PASSWORD
Harmon answered 10/11, 2020 at 15:17 Comment(0)
If you generated your certificate request from IIS (I did this on IIS on Windows 2012 Server), follow these steps on the server/PC where you generated the request:

  1. Open IIS.
  2. Click on the top level node (Server node).
  3. Open the Server Certificates settings.
  4. Click on "Complete certificate request" under actions on the right.
  5. Import your spc file to the server.

From here you can then export to a PFX file.

Oxford answered 23/9, 2015 at 5:9 Comment(1)
The question is about a code signing certificate. Your answer is unfortunately irrelevant.Miyamoto

© 2022 - 2024 — McMap. All rights reserved.