Code Signing Certificate with KeySpec=1 cannot be used with Visual Studio 2005

maro · January 9, 2008, 9:16am

Apparently there are two kinds of code signing certificates…

The first category, where the key is marked AT_KEYEXCHANGE “can be used for symmetric encryption or signing or both, depending on the algorithm.” (IX509PrivateKey::get_KeySpec (certenroll.h) - Win32 apps | Microsoft Learn). These certificates can be used to sign code using tools like signcode.exe or signtool.exe. But if you try to use automatic signing from inside Visual Studio 2005, you will get the message “Object already exists” (Title: “Error during Import of the Keyset”) and the build will fail (Andreas Klein | Microsoft Learn). I submitted a bug report to the Visual Studio Team (Bing).

Certificates of the second category contain keys marked AT_SIGNATURE. This last ones can be used only to sign code. And it seems that AT_SIGNATURE-keys are the only keys supported by the automatic signing feature of Visual Studio 2005. “If the EKU (Extended Key Usage) or KU (Key Usage) setting for the certificate is set, it must also explicitly contain the Code Signing setting.” (ClickOnce Manifest Signing and Strong-Name Assembly Signing Using Visual Studio Project Designer's Signing Page | Microsoft Learn)

Is there a way to re-mark a certificate with a key specification of AT_SIGNATURE in order to enable using it with Visual Studio 2005?

maro · January 17, 2008, 10:29am

Andreas Klein, a distinguished Microsoft Escalation Engineer, was so kind as to provide an easy and elegant way out: just use the tool CertUtil to create a new the PFX-file with KeySpec set to AT_SIGNATURE.

You can read his blog here: Andreas Klein | Microsoft Learn

asifimam · January 29, 2008, 2:08pm

Hi Maro/Support ppl manging this forum,
I faced the same problem, one of which is linked with chanied certificates and its resolution is given in FAQ’s section. The other one is mentioned above by Maro.
I have followed the same process, every thing goes smooth until I get back to Certificates Repository to export the certificate (which is imported with KeySpec value = AT_SIGNATURE). It never gives me option “Yes, export the private key” [Always disabled]. This eventually does not let me export this changed certificate as a pfx file. (I want to use that PFX file then in VS-2005).

Please help in this regard.

Thanks

sathish · January 29, 2008, 6:23pm

Hi,

Could you please provide the operating system and browser information which you have use to appy and coect the certificate. (:NRD)

asifimam · January 30, 2008, 5:45am

Hi Sathis,
I have used Windows VISTA Business and it holds IE 7.0. Although it applied the certificates successfully.

Thanks.

sathish · January 30, 2008, 5:48pm

Hi,

In vista by defaulst the certificates will be stored in CSP, you can contact the support team at support@comodo.com to get instruction on exporting the certificate with private key.