Business / Enterprise Security Products & Services > Code Signing Certificate

export to pfx?

(1/2) > >>

leemidgley:
Hi,

I have renewed the code sign certificate and i can't export the pfx from within IE certificates - the options are diabled on IE8.

Can only do top 3
DER, Base-64 & .P7B

This has been an ongoing issue since I renewed - gone through the process 3 times now. (pvk and spc files don't seem to match when using signcode.exe)

Lee.

Sal Amander:

--- Quote from: leemidgley on May 27, 2011, 10:36:48 AM ---Hi,

I have renewed the code sign certificate and i can't export the pfx from within IE certificates - the options are diabled on IE8.

Can only do top 3
DER, Base-64 & .P7B

This has been an ongoing issue since I renewed - gone through the process 3 times now. (pvk and spc files don't seem to match when using signcode.exe)

Lee.

--- End quote ---

This typically means that IE doesn't have access to the private key. You may need to import the PVK & SPC file into the Windows Certificate Store using 'imprtpvk.exe' [ https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1344 ]

Worst comes to worst, you may need to re-apply for your code signing certificate if you recently applied so that you can get a PFX file.

leemidgley:
Thanks for the reply but that documentation is now out of date with the latest Windows 7.1 sdk from Microsoft, If I'm not mistaken it is now called: pvk2pfx.exe

but when I try that I get an error:-

pvk2pfx -pvk mykey9.pvk -spc mykey9.spc -pfx mykey9.pfx
ERROR: Password incorrect or PVK file corrupted.
(Error Code = 0x80090005).

This is the same problem when I use signtool with pvk and spc.

So I was wondering wether it would be possible to use the certificate placed in IE when I ordered instead
You know the certifcate comodo put in IE certificates - should that have a private key by default?...  just thinking if it's todo with IE8, do you know people who have successfully gone through this process in IE8?

I've been trying to get this to work now for over 2 months + 2 free renews & countless support emails going over the same things to different support staff over and over again...  I don't think another renew will make any difference, I need to try something different.  ( in 2009 I did this and it worked straight away but then I was on XP sp2 and IE6)

Another question, why don't you simply send the .pfx when ordering, it would make things a lot lot easier. do you keep a record of the pvk password entered on your website?   (I used the same one as I used in 2009)

Thanks,
Lee.

Sal Amander:

--- Quote from: leemidgley on May 27, 2011, 02:34:49 PM ---Thanks for the reply but that documentation is now out of date with the latest Windows 7.1 sdk from Microsoft, If I'm not mistaken it is now called: pvk2pfx.exe

but when I try that I get an error:-

pvk2pfx -pvk mykey9.pvk -spc mykey9.spc -pfx mykey9.pfx
ERROR: Password incorrect or PVK file corrupted.
(Error Code = 0x80090005).

This is the same problem when I use signtool with pvk and spc.

--- End quote ---

You're most likely using the wrong SPC/PVK file combination or the password is wrong.


--- Quote ---So I was wondering wether it would be possible to use the certificate placed in IE when I ordered instead You know the certifcate comodo put in IE certificates
--- End quote ---

I don't think you can because that appears to have been revoked when you got the replacements.


--- Quote ---- should that have a private key by default?
--- End quote ---
If you added it via the SPC file, no. If we did, then usually it does.


--- Quote ---just thinking if it's todo with IE8, do you know people who have successfully gone through this process in IE8?
--- End quote ---

It has nothing to do with IE8 and everything to do with the Microsoft Certificate Enrollment ActiveX control. It's a bit wonky.


--- Quote ---I've been trying to get this to work now for over 2 months + 2 free renews & countless support emails going over the same things to different support staff over and over again...  I don't think another renew will make any difference, I need to try something different.  ( in 2009 I did this and it worked straight away but then I was on XP sp2 and IE6)
--- End quote ---

Simply put, you need to use Firefox and export it out as a P12/PFX file for use with signtool. It's the one thing that support certificate enrollment really well.  You will need to go through one more re-issue to achieve this. Re-open a ticket with our Support team and get your certificate re-issued, this time using Firefox.


--- Quote ---Another question, why don't you simply send the .pfx when ordering, it would make things a lot lot easier.
--- End quote ---

While it would make things easier, it compromises the integrity of the certificate since another party now has access to the private key. What happens when you apply for these types of certificates on IE is a little ActiveX control creates a CSR/PrivateKey pair on your local machine and sends us the CSR and we then kick out a certificate after the validation process. As a result, we never see the private key.


--- Quote --- do you keep a record of the pvk password entered on your website?   (I used the same one as I used in 2009)
--- End quote ---

No, for security reasons we do not.

leemidgley:
ok, thanks... I will try the re-issue and firefox route...  I've noticed every 3 times IE8 hasn't had the private key in the certificate.

just one quick question when I renew with firefox when ordering...  use these settings?

select 'Microsoft Enhanced Cryptographic Provider 1.0'
select 'Key storage: In the file' (.pvk) like I have before?
select 'Key size: 2048'
Exportable 'ticked'
User protected 'unticked'

My usage is to sign exe's with signtool.

Thanks,
Lee.

Navigation

[0] Message Index

[#] Next page

Go to full version
Seo4Smf 2.0 © SmfMod.Com Smf Destek