Code Signing Certificate with KeySpec=1 cannot be used with Visual Studio 2005

Apparently there are two kinds of code signing certificates…

The first category, where the key is marked AT_KEYEXCHANGE, “can be used for symmetric encryption or signing or both, depending on the algorithm.” These certificates can be used to sign code using tools like signcode.exe or signtool.exe. But if you try to use automatic signing from inside Visual Studio 2005, you will get the message “Object already exists” (Title: “Error during Import of the Keyset”) and the build will fail. I submitted a bug report to the Visual Studio Team.

Certificates of the second category contain keys marked AT_SIGNATURE. These last ones can be used only to sign code. And it seems that AT_SIGNATURE keys are the only keys supported by the automatic signing feature of Visual Studio 2005. “If the EKU (Extended Key Usage) or KU (Key Usage) setting for the certificate is set, it must also explicitly contain the Code Signing setting.”

Is there a way to re-mark a certificate with a key specification of AT_SIGNATURE in order to enable using it with Visual Studio 2005?

Andreas Klein, a distinguished Microsoft Escalation Engineer, was so kind as to provide an easy and elegant way out: just use the tool CertUtil to create a new PFX file with KeySpec set to AT_SIGNATURE.

You can read his blog here:
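The CertUtil route mentioned above, sketched as an added PowerShell example (not from the original post or the linked blog). It assumes the certutil.exe that ships with Windows and its `AT_SIGNATURE` modifier for `-importPFX`; the file names are hypothetical placeholders.

```powershell
# Added example; both file names are hypothetical placeholders.
$InPfx  = 'codesign-original.pfx'       # existing PFX, key marked AT_KEYEXCHANGE
$OutPfx = 'codesign-at-signature.pfx'   # new PFX to select in Visual Studio 2005

# Read the thumbprint so the later steps address exactly this certificate.
# Get-PfxCertificate prompts for the PFX password.
$thumb = (Get-PfxCertificate -FilePath $InPfx).Thumbprint

# Import into the current user's "My" store, overriding the key specification.
# The NoExport modifier is not given, so the private key remains exportable.
# certutil prompts for the password, which keeps it off the command line.
certutil -user -importPFX $InPfx AT_SIGNATURE
if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed ($LASTEXITCODE)" }

# Verify before exporting: the verbose store dump lists the key provider
# information, including the KeySpec value of the imported key.
$dump = certutil -user -store -v My $thumb
$dump | Select-String 'KeySpec'
if (-not ($dump | Select-String -Quiet 'KeySpec.*AT_SIGNATURE')) {
    throw 'Imported key is not marked AT_SIGNATURE; not exporting.'
}

# Export certificate and private key to the new PFX.
# certutil prompts for the password that will protect the output file.
certutil -user -exportPFX My $thumb $OutPfx
if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed ($LASTEXITCODE)" }
```

The resulting PFX holds the signing key, so protect it with a strong password and keep it out of source control.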

Hi Maro/Support ppl managing this forum,
I faced the same problem, one of which is linked with chained certificates and its resolution is given in FAQ’s section. The other one is mentioned above by Maro.
I have followed the same process, everything goes smoothly until I get back to Certificates Repository to export the certificate (which is imported with KeySpec value = AT_SIGNATURE). It never gives me the option “Yes, export the private key” [Always disabled]. This eventually does not let me export this changed certificate as a PFX file. (I want to use that PFX file then in VS-2005).

Please help in this regard.



Could you please provide the operating system and browser information which you have used to apply and collect the certificate. (:NRD)

Hi Sathis,
I have used Windows VISTA Business and it holds IE 7.0. Although it applied the certificates successfully.



In Vista, by default, the certificates will be stored in CSP; you can contact the support team at to get instructions on exporting the certificate with private key.