GoDaddy Code Signing Certificate Import To Windows PFX

SPC Code-signing Certificate to Windows PFX

GoDaddy’s code-signing certificate support lists about 8 articles which don’t include some key details.

Assuming you have generated a CSR and private key using OpenSSL and have received a certificate (an .SPC file) from GoDaddy, you cannot use it directly with Microsoft’s pvk2pfx.exe or pvkimprt.exe to build a PFX certificate store in Windows:

  • pvk2pfx.exe will ask you for a password, although there was none when the private key was created with openssl, or
  • pvkimprt.exe will report: Error: 000004c0, The format of the specified password is invalid.

 

Tested Method To Create The PFX

To create the PFX file from the unencrypted private key, use openssl (on Linux in my case) with the following command:

  1. openssl rsa -in your-unencrypted-private.key -outform PVK -pvk-strong -out your-windows-private-key.pvk
    • where your-unencrypted-private.key is the private key created with openssl when you generated the CSR
    • and your-windows-private-key.pvk is the name of the Windows-compatible private key that you want to use with the SPC to create the PFX
  2. The command will ask you to Enter PEM pass phrase:
    Choose a password which you will use on your windows machine in the next step.
  3. Copy the newly created your-windows-private-key.pvk to your Windows PC along with the GoDaddy SPC file, and run the following command to import the PVK:
    pvkimprt -PFX godaddy-provided.spc your-windows-private-key.pvk
    This will open a window and ask for the password you supplied in Step #2 above.
  4. After you successfully enter your password, Windows will open the Certificate Export Wizard.
  5. The next screen lets you choose to export as Personal Information Exchange:
    1. Select Personal Information Exchange, and then select Include all certificates in the certification path if possible.
    2. Select Export all extended properties, and then, unless you want to leave a copy of the private key in the certificate store (which you may want to do if you are automating builds), select Delete the private key if the export is successful.
  6. The next step again requires the password from Step #2 above.
  7. Next you’ll be asked where to save the exported PFX file. The following steps assume you used your-new.pfx.
  8. Open the your-new.pfx file in Windows by double-clicking on it. The Certificate Import Wizard will open and allow you to import the PFX certificate (and optional key). You’ll be asked for the Step #2 password again.

Alternate Simpler Method (untested)

An alternative that did not work for me, but would be much simpler, is to use OpenSSL to generate the PFX.

openssl pkcs12 -export -out your-new.pfx -inkey your-unencrypted-private.key -in godaddy-provided.spc -certfile CACert.crt
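
openssl pkcs12 -export reads PEM input, while an SPC file is a PKCS#7 certificate bundle, so the bundle has to be unpacked before it can be passed to -in. The function below is an added example, not the tested procedure from this post: it unpacks the SPC, builds the PFX, and reads it back to confirm the leaf certificate matches the private key. The names spc_to_pfx and PFX_PASS are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): SPC + OpenSSL key -> PFX.
# spc_to_pfx and PFX_PASS are names made up for this example.
# Usage: PFX_PASS='...' spc_to_pfx godaddy-provided.spc your-unencrypted-private.key your-new.pfx
spc_to_pfx() (
  spc=$1; key=$2; out=$3
  [ -n "${PFX_PASS:-}" ] || { echo "set PFX_PASS to the PFX password" >&2; exit 1; }
  umask 077                        # temp files and the PFX are owner-readable only
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT        # runs when this subshell exits

  # 1. Unpack the PKCS#7 bundle into PEM certificates (try DER, then PEM).
  openssl pkcs7 -inform DER -in "$spc" -print_certs -out "$tmp/certs.pem" 2>/dev/null ||
  openssl pkcs7 -inform PEM -in "$spc" -print_certs -out "$tmp/certs.pem" 2>/dev/null ||
    { echo "cannot parse $spc as PKCS#7" >&2; exit 2; }

  # 2. Build the PFX. pkcs12 selects the certificate that matches the key and
  #    fails if none does. env: keeps the password off the command line.
  PFX_PASS=$PFX_PASS openssl pkcs12 -export -inkey "$key" -in "$tmp/certs.pem" \
      -out "$out" -passout env:PFX_PASS 2>/dev/null ||
    { echo "no certificate in $spc matches $key" >&2; rm -f "$out"; exit 3; }

  # 3. Read the PFX back and confirm its leaf certificate carries the same
  #    public key as the private key we started from.
  want=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  got=$(PFX_PASS=$PFX_PASS openssl pkcs12 -in "$out" -passin env:PFX_PASS \
          -clcerts -nokeys 2>/dev/null | openssl x509 -pubkey -noout 2>/dev/null)
  [ -n "$want" ] && [ "$want" = "$got" ] ||
    { echo "PFX verification failed" >&2; rm -f "$out"; exit 4; }
  echo "wrote $out"
)
```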

Helpful References

http://powerwf.tumblr.com/post/347822685/realworld-code-signing-for-dummies
