Code Signing with Vista

I have just applied for a code signing key using IE7 on Windows Vista. How do I extract the key to use with SignTool? I presume it’s been automatically installed into IE7’s Personal Certificates. Can you provide full instructions for extracting the key and using it to sign a .msi file with SignTool.


Hi Andrew. is a Comodo sales affiliate. You should have bought your certificate through us! :wink: We have articles about code signing at . I think you will find the answer you need at . You may also find our free drag and drop code signing tool helpful.

I would welcome any feedback if the article could be made clearer.

On a Vista machine you can only use the CSP method which basically when collecting the code sign cert it should automatically install this into the personal store. You can then export the certificate as a .pfx which include the private and public key

Cryptographic service provider is know as a (CSP), for additional information please read the following article as this explains the methodology of an code sign cert.

Export your certificate to a pfx file (be sure to check “Include all certificates in the certification path if possible”).

Install openssl. You can find compiled binaries on

Extract your private key from the pfx file.

->openssl pkcs12 -in -nocerts -nodes -out

The pfx password will be asked.

Download the pvk transform utility. This file can be found at


→ pvk -in -topvk -strong -out

Extract your certificates from the pfx file.

openssl pkcs12 -in -nokeys -out

The pfx password will be asked.

Transform your pem file to a spc file

->openssl crl2pkcs7 -nocrl -certfile -outform DER -out