GoDaddy Code Signing Certificate Import To Windows PFX

SPC Code-signing Certificate to Windows PFX

GoDaddy’s code-signing certificate support lists about 8 articles which don’t include some key details.

Assuming you have generated a CSR and private key using OpenSSL and have received a certificate (an .SPC file) from GoDaddy, you cannot directly use it with Microsoft’s pvk2pfx.exe or pvkimprt.exe to build a PFX certificate store in Windows.

  • pvk2pfx.exe will ask you for a password, even though none was set when the private key was created with openssl, or
  • pvkimprt.exe will report: Error: 000004c0, The format of the specified password is invalid.

 

Tested Method To Create The PFX

To create the PVK file from the unencrypted private key, use openssl (on Linux in my case) with the following command:

  1. openssl rsa -in your-unencrypted-private.key -outform PVK -pvk-strong -out your-windows-private-key.pvk
    • where your-unencrypted-private.key is the private key created with openssl when you generated the CSR
    • and your-windows-private-key.pvk is the name of the Windows-compatible private key that you want to use with the SPC to create the PFX
  2. The command will ask you to Enter PEM pass phrase:
    Choose a password which you will use on your Windows machine in the next step.
  3. Copy the newly created your-windows-private-key.pvk to your Windows PC along with the GoDaddy SPC file, and run the following command to import the PVK:
    pvkimprt -PFX godaddy-provided.spc your-windows-private-key.pvk
    This will open a window and ask for the password you supplied in Step #2 above.
  4. After you successfully enter your password, Windows will open the Certificate Export Wizard.
  5. The next screen lets you choose to export as Personal Information Exchange:
    1. Select Personal Information Exchange, and then select Include all certificates in the certification path if possible.
    2. Select Export all extended properties, and then, unless you want to leave a copy of the private key in the certificate store (which if you are automating builds you may want to do), select Delete the private key if the export is successful.
  6. The next step again requires the private key password from Step #2 above.

  7. Next you’ll be asked where to save the exported PFX file; the following steps assume you used your-new.pfx.
  8. Open the your-new.pfx file in Windows by double-clicking on it and the Certificate Import Wizard will open and allow you to import the PFX certificate (and optional key). You’ll be asked for the Step #2 password again.

Alternate Simpler Method (untested)

An alternative that did not work for me, but would be much simpler, is to use OpenSSL to generate the PFX.

openssl pkcs12 -export -out your-new.pfx -inkey your-unencrypted-private.key -in godaddy-provided.spc -certfile CACert.crt
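
openssl pkcs12 -export reads PEM certificates on -in, while an SPC file is a PKCS#7 container, so the certificates have to be unpacked before the export. The script below is an added example, not part of the original post or GoDaddy's documentation; it assumes the SPC is DER-encoded, and every file name, subject and password in it is constructed sample data (a self-signed certificate stands in for the GoDaddy one).

```shell
#!/bin/sh
# Added example: OpenSSL-only PFX build from a key and a PKCS#7 (.spc) bundle.
# Every file name, subject and password below is constructed sample data.

# make_sample DIR: throwaway key, self-signed cert, and a DER PKCS#7 file standing in for the SPC.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Signer" \
        -keyout "$1/private.key" -out "$1/cert.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/cert.pem" -outform DER -out "$1/sample.spc"
}

# spc_to_pfx KEY SPC OUT_PFX PASSWORD: unpack the SPC to PEM, then export key + certs as a PFX.
# pkcs12 -export fails when no certificate in the bundle matches KEY, so a wrong key is refused.
# The password travels in the environment, not on the command line.
spc_to_pfx() {
    certs=$(mktemp) || return 1
    openssl pkcs7 -inform DER -in "$2" -print_certs -out "$certs" &&
    PFX_PASS=$4 openssl pkcs12 -export -inkey "$1" -in "$certs" \
        -out "$3" -passout env:PFX_PASS
    rc=$?
    rm -f "$certs"
    return "$rc"
}

# pfx_subject PFX PASSWORD: print the subject of the certificate stored in the PFX.
pfx_subject() {
    PFX_PASS=$2 openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        openssl x509 -noout -subject
}

# demo: run the whole path on constructed data in a temporary directory.
demo() {
    work=$(mktemp -d) || return 1
    make_sample "$work" &&
    spc_to_pfx "$work/private.key" "$work/sample.spc" "$work/new.pfx" "constructed-pass" &&
    pfx_subject "$work/new.pfx" "constructed-pass"
    rc=$?
    rm -rf "$work"
    return "$rc"
}

demo
```

If the SPC turns out to be PEM-encoded, change -inform DER to -inform PEM in spc_to_pfx.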

Helpful References

http://powerwf.tumblr.com/post/347822685/realworld-code-signing-for-dummies


4 Responses to “GoDaddy Code Signing Certificate Import To Windows PFX”

  1. Robin McDermott 10. Jul, 2015 at 8:07 am #

    THANK YOU! I have been banging my head against the wall trying to install a Go Daddy Code Signing Certificate. Their documentation is horrible – often it takes you to documentation on SSL. Their support people also get confused and keep asking about how you want to install the certificate on your website. They were clueless that a code signing certificate has nothing to do with a website. I made baby steps looking for various solutions on the internet, but was really stuck with converting the pvk and spc to the pfx. YOU helped me do that. I am grateful!

  2. J S 10. Jul, 2015 at 10:52 am #

    I had the same problems with GoDaddy “support”, I’m glad it was useful.

  3. SB 15. Sep, 2015 at 2:48 am #

    I’m having the same problem but I get stuck at step C (although I have done everything so far in Windows). I can (create and) enter the password but I get this error:
    Error: 80092004, Cannot find object or property.

    I am unsure where I should put my files but I can confirm that if I change the name of either file I get this error instead:
    Error: 00000002, The system cannot find the file specified.

    So I’m confident it can find the files. My cert is GoDaddy, CSR created using OpenSSL and certificate downloaded with FireFox (unbelievably I found some comments that indicated browser could make a difference).

    Can’t fault GoDaddy phone support on friendliness.. but technically they are totally useless… I lost count of the number of times I had to explain the difference between code and web >-(

    Any further insights would be fantastic – thanks for sharing your results.

    Cheers, SB

  4. SB 15. Sep, 2015 at 5:22 am #

    Update: Finally (after no less than 16 hours) Cert is Working…

    Things that may have made a difference:
    – Reboot Win (Win7 64 bit)
    – Open Cert Manager (Start: Run: certmgr.msc)
    – Delete all old certs from:
    – Personal
    – Other People
    – Create fresh CSR using OpenSSL on Win7
    – Submit to GoDaddy
    – Create .pvk from .key using modified approach:
    – OpenSSL> rsa -in MyPrivate.key -outform PVK -out MyPrivate.pvk
    – (NB: ” PVK -pvk-strong ” does not seem to work in Windows….?)

    Also, my original password for the .key –> to .pvk was 24 chars long, this could have been the cause of my error. When it finally worked I used a shorter password (12 chrs).

    Hope this helps someone!
