bshardi
05-27-2008, 02:20 PM
I wanted to tell everyone about my experiences after purchasing my code-signing certificate from Comodo using Firefox. I would like to echo everyone's advice to use Internet Explorer as the browser of choice for ordering your certificate.
However, for you few or many who use Firefox, you will not get a credentials (.spc) or a private key file (.pvk). Instead, Firefox will register your Certificate in its Certificate Manager. What follows is the path I took to get my credentials and private key files. (Someone out there may know a better way but this is what got me running.)
To get to the Certificate Manager, open Firefox, select Tools in the menu and then select Options. In the Options window click on Advanced then select the Encryption tab. Click on the button "View Certificates" at the bottom of the window to open the Certificate Manager window. On the Your Certificates tab, you can see the certificate you just bought. Mine was under the USERTRUST Network option.
Your only option is to Backup the certificate. This will create a PFX file; however, Firefox saves the file as a *.p12 file. I tried renaming the file to a PFX file but I am not using SignTool.exe and it did not work in SetupBuilder with just the PFX (oh, rats). It would be interesting to know if SignTool.exe would use the backup file that Firefox produces. Note: The password you use for the backup is the password you will use for the certificate in all of the following steps and in SetupBuilder.
Once you have your backup file you need to use some other tools to produce your credentials file and private key file. I tried following the instructions from Comodo (by the way I was very pleased with their help.) but they did not work. I eventually found the information at www.tech-pro.net (http://www.tech-pro.net/export-to-pvk-spc.html) (I think the link was somewhere in this forum but could not verify that.)
Here is the information from tech-pro (with a few changes from me)...
To export your private key and software publishing certificate from the .pfx file you need the OpenSSL tools (http://www.openssl.org/). You can download a ready compiled Windows binary package from Shining Light Productions (http://www.slproweb.com/products/Win32OpenSSL.html). The 'light' package is all you need.
The OpenSSL utility will export the private key to an OpenSSL .pem format file. The .pvk private key format required by the code signing tools is a Microsoft proprietary format which OpenSSL does not support. Dr. Stephen N Henson, an OpenSSL consultant in the UK, has reverse-engineered the .pvk file format and developed a conversion utility which you can download here (http://www.drh-consultancy.demon.co.uk/pvk.html). In case you should have trouble accessing the server it is also mirrored here (http://www.tech-pro.net/files/pvktool.zip). The utility is contained in a Zip archive and you simply need to extract it to the same folder as the OpenSSL tools.
Exporting the files
Having downloaded and installed the conversion tools, you are ready to export your code signing certificate and private key file from the .pfx (.p12) file. The commands given below assume that the location of the conversion tools has been added to the PATH environment variable. Otherwise you should type the full path to each program.
In the examples we will also assume that the .pfx (.p12) file name is mycert.pfx (mycert.p12) and that the desired output filenames are mykey.pvk and mycert.spc. You may, of course, substitute other names if you so wish, and specify a full path if the files are located in a different folder. Remember to quote the paths to the files if they contain spaces.
Exporting the private key
First export the private key to an OpenSSL .pem format file.
openssl.exe pkcs12 -in mycert.p12 -nocerts -nodes -out mykey.pem
You will be asked for the password of the private key file, if you specified one.
Now you use Dr. Henson's conversion utility to convert the .pem file into the proprietary Microsoft .pvk format.
pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk
That takes care of the private key file.
Exporting the software publishing certificate
Converting your code signing certificate into a software publishing certificate .spc file is also a two-stage process. First, the certificate is exported to an OpenSSL .pem format file, and then this is converted to the final .spc format.
openssl.exe pkcs12 -in mycert.p12 -nokeys -out mycert.pem
openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out mycert.spc
Again, you will be asked for the password of the private key file if you specified one.
You now have a .pvk and .spc (YES! I was so excited) pair which you can use to digitally sign executables using signcode.exe. The intermediate .pem files created during the conversion are no longer needed, and may be deleted.
This got me my files for SetupBuilder. I hope this helps and keeps someone from spending too much time trying to get the files.
Feel free to correct any errors or add your own experiences.
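The two OpenSSL export steps above, followed by checks a signer would want before using the files: that the exported private key matches the certificate, that mycert.spc parses as a DER PKCS#7 bundle, and that the unencrypted mykey.pem written by -nodes does not stay on disk. This is an added example, not from the original post; it calls `openssl` from a POSIX shell rather than openssl.exe, and the function names, password and self-signed test certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post; the
# function names and the throwaway certificate are constructed for the demo.

# Build a self-signed test certificate and a password-protected PKCS#12 file.
make_sample_p12() {   # usage: make_sample_p12 DIR PASSWORD
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Publisher" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -out "$1/mycert.p12" -passout "pass:$2" &&
    rm -f "$1/k.pem" "$1/c.pem"
}

# Run the post's OpenSSL exports, verify the outputs, delete the plaintext PEMs.
# Returns 0 only if the key matches the certificate and mycert.spc parses.
export_and_check() {   # usage: export_and_check P12 PASSWORD OUTDIR
    p12=$1; pw=$2; out=$3; rc=0
    old_umask=$(umask); umask 077      # new files readable by the owner only
    # -nodes writes the private key unencrypted, so mykey.pem is a secret.
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pw" \
        -out "$out/mykey.pem" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pw" \
        -out "$out/mycert.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$out/mycert.pem" \
        -outform DER -out "$out/mycert.spc" || rc=2
    if [ "$rc" -eq 0 ]; then
        # Compare the public key derived from the private key with the one in
        # the certificate (x509 reads the first certificate in mycert.pem).
        key_pub=$(openssl pkey -in "$out/mykey.pem" -pubout)
        crt_pub=$(openssl x509 -in "$out/mycert.pem" -noout -pubkey)
        [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || rc=3
        openssl pkcs7 -inform DER -in "$out/mycert.spc" -print_certs -noout || rc=4
    fi
    # (The .pem -> .pvk conversion from the post would run here, before cleanup.)
    rm -f "$out/mykey.pem" "$out/mycert.pem"
    umask "$old_umask"
    return "$rc"
}

# Demo on constructed data.
demo_dir=$(mktemp -d) && make_sample_p12 "$demo_dir" "constructed-pass" &&
    export_and_check "$demo_dir/mycert.p12" "constructed-pass" "$demo_dir" &&
    echo "key matches certificate; mycert.spc parses"
rm -rf "$demo_dir"
```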