export to pfx?

Hi,

I have renewed the code sign certificate and I can’t export the pfx from within IE certificates - the options are disabled on IE8.

Can only do top 3
DER, Base-64 & .P7B

This has been an ongoing issue since I renewed - gone through the process 3 times now. (pvk and spc files don’t seem to match when using signcode.exe)

Lee.

This typically means that IE doesn’t have access to the private key. You may need to import the PVK & SPC file into the Windows Certificate Store using ‘imprtpvk.exe’ [Combine PVK + SPC to PFX]

Worst comes to worst, you may need to re-apply for your code signing certificate if you recently applied so that you can get a PFX file.

Thanks for the reply, but that documentation is now out of date with the latest Windows 7.1 SDK from Microsoft. If I’m not mistaken it is now called: pvk2pfx.exe

but when I try that I get an error:-

pvk2pfx -pvk mykey9.pvk -spc mykey9.spc -pfx mykey9.pfx
ERROR: Password incorrect or PVK file corrupted.
(Error Code = 0x80090005).

This is the same problem when I use signtool with pvk and spc.

So I was wondering whether it would be possible to use the certificate placed in IE when I ordered instead
You know the certificate Comodo put in IE certificates - should that have a private key by default?.. just thinking if it’s to do with IE8, do you know people who have successfully gone through this process in IE8?

I’ve been trying to get this to work now for over 2 months + 2 free renews & countless support emails going over the same things to different support staff over and over again… I don’t think another renew will make any difference, I need to try something different. (in 2009 I did this and it worked straight away but then I was on XP SP2 and IE6)

Another question, why don’t you simply send the .pfx when ordering, it would make things a lot lot easier. Do you keep a record of the pvk password entered on your website? (I used the same one as I used in 2009)

Thanks,
Lee.

You’re most likely using the wrong SPC/PVK file combination or the password is wrong.

> So I was wondering whether it would be possible to use the certificate placed in IE when I ordered instead
> You know the certificate Comodo put in IE certificates

I don’t think you can because that appears to have been revoked when you got the replacements.

> - should that have a private key by default?

If you added it via the SPC file, no. If we did, then usually it does.

> just thinking if it's to do with IE8, do you know people who have successfully gone through this process in IE8?

It has nothing to do with IE8 and everything to do with the Microsoft Certificate Enrollment ActiveX control. It’s a bit wonky.

> I've been trying to get this to work now for over 2 months + 2 free renews & countless support emails going over the same things to different support staff over and over again... I don't think another renew will make any difference, I need to try something different. (in 2009 I did this and it worked straight away but then I was on XP SP2 and IE6)

Simply put, you need to use Firefox and export it out as a P12/PFX file for use with signtool. It’s the one thing that supports certificate enrollment really well. You will need to go through one more re-issue to achieve this. Re-open a ticket with our Support team and get your certificate re-issued, this time using Firefox.

> Another question, why don't you simply send the .pfx when ordering, it would make things a lot lot easier.

While it would make things easier, it compromises the integrity of the certificate since another party now has access to the private key. What happens when you apply for these types of certificates on IE is a little ActiveX control creates a CSR/PrivateKey pair on your local machine and sends us the CSR and we then kick out a certificate after the validation process. As a result, we never see the private key.

> Do you keep a record of the pvk password entered on your website? (I used the same one as I used in 2009)

No, for security reasons we do not.

OK, thanks… I will try the re-issue and Firefox route… I’ve noticed every 3 times IE8 hasn’t had the private key in the certificate.

Just one quick question: when I renew with Firefox when ordering… use these settings?

select ‘Microsoft Enhanced Cryptographic Provider 1.0’
select ‘Key storage: In the file’ (.pvk) like I have before?
select ‘Key size: 2048’
Exportable ‘ticked’
User protected ‘unticked’

My usage is to sign exe’s with signtool.

Thanks,
Lee.

You won’t see those settings with Firefox.

You’ll need to export the certificate as a .p12 file [Knowledgebase], then rename the file extension to .pfx because signtool complains otherwise.
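
An added example, not part of the thread or of Comodo's documentation: a check that an exported and renamed .pfx really carries a usable private key, which is what was missing from the IE store throughout this thread. It assumes PowerShell 5.1 or later on .NET 4.6+ and an RSA key; `Test-CodeSigningPfx` and `mykey.pfx` are hypothetical names.

```powershell
# Added example: sanity-check a PFX before handing it to signtool.
# Test-CodeSigningPfx is a hypothetical helper name, not a built-in cmdlet.
function Test-CodeSigningPfx {
    param(
        [Parameter(Mandatory)] [string]       $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Loads the certificate and, if present in the file, its private key.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full, $Password
    try {
        # Collect Enhanced Key Usage OIDs; Code Signing is 1.3.6.1.5.5.7.3.3.
        $ekus = @()
        foreach ($e in $cert.Extensions) {
            if ($e -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $e.EnhancedKeyUsages) { $ekus += $oid.Value }
            }
        }
        # Prove the private key pairs with the certificate's public key by
        # signing test data and verifying it. Assumes RSA; stays $false otherwise.
        $keyPairWorks = $false
        if ($cert.HasPrivateKey) {
            $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
            $priv = $ext::GetRSAPrivateKey($cert)
            $pub  = $ext::GetRSAPublicKey($cert)
            if ($priv -and $pub) {
                $data = [System.Text.Encoding]::ASCII.GetBytes('pfx self-test')
                $sha  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
                $pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
                $sig  = $priv.SignData($data, $sha, $pad)
                $keyPairWorks = $pub.VerifyData($data, $sig, $sha, $pad)
            }
        }
        $now = Get-Date
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # False = same symptom as the greyed-out IE export
            KeyPairWorks  = $keyPairWorks
            CodeSigning   = ($ekus -contains '1.3.6.1.5.5.7.3.3')
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        }
    } finally {
        $cert.Dispose()
    }
}
# Usage (prompts for the export password; mykey.pfx is a placeholder):
# Test-CodeSigningPfx -Path .\mykey.pfx -Password (Read-Host 'PFX password' -AsSecureString)
```

If `HasPrivateKey` or `KeyPairWorks` comes back `False`, the file will not sign anything and the export needs repeating from the browser profile that generated the key.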