Thursday, January 28, 2010

thawte signing certificate howto mykey.pvk mycert.spc from .pfx file

Work around to moving Microsoft® Authenticode® (Multi-Purpose) Certificate to different machines running different Windows platforms


Solution ID: SO2694
Version: 4.0
Published: 12/13/2007
Updated: 10/21/2009
Sign code on different Windows platforms
Move Certificate
Move Code Signing Certificate

Resolution
There are two solutions you can try. The first lets you move the Certificate and private key to the new machine as an exported .PFX (PKCS#12) file, which signcode recognises when you specify the -cn parameter; with this approach you cannot use the .spc and .pvk files, so the -v and -spc parameters do not apply.

The second solution uses OpenSSL and a Windows binary (PVKTOOL) to extract the private key and Certificate from the .PFX backup file and convert the Certificate into a .spc file and the private key into a .pvk file, which will work on the new machine running a different Windows operating system.
- OpenSSL is an open-source, Unix/Linux-based toolkit for implementing PKI. It consists of a set of libraries, which you compile locally, and can generate keys and certificates and open SSL connections to a web server. We use it as a troubleshooting tool for SSL connections and to convert keys between formats.

- PVKTOOL is a conversion tool written by Dr Stephen Henson that converts the private key into a .pvk file once it has been extracted from the .PFX backup file and converted into a text format using OpenSSL. For more information please go to: http://www.drh-consultancy.demon.co.uk

Solution 1:

Using the pvkimprt.exe utility, import the Certificate (.spc) and private key (.pvk) into the registry on the machine the Certificate was requested on, then export them from the registry as a .PFX file containing the Certificate and its corresponding private key. You can then import the Certificate into IE on the new machine and sign using the -cn parameter on the signcode command line.

Follow these instructions to import the .spc and .pvk files into the registry:

1. Download the pvkimprt tool from the Microsoft site: http://www.microsoft.com/downloads/details.aspx?FamilyID=F9992C94-B129-46BC-B240-414BDFF679A7&displaylang=EN

2. Double click the executable file named pvkimprt.exe

3. Complete the installation process.

4. Import the files using the following command: pvkimprt -import mycert.spc mykey.pvk

5. View the imported files in Internet Explorer > Tools > Internet Options > Content > Certificates

To export the keys as a .pfx file using pvkimprt.exe:

c:\> pvkimprt -pfx mycert.spc mykey.pvk

This brings up the export wizard. In the first window tick "Yes, export the private key"; in the second window untick the option "Enable strong protection..." and tick the option "Include all certificates in the certification path if possible", then click Next; in the third window specify a private key password (please do not forget it); in the fourth window click Browse and save the file to your desktop, then click Next and Finish.

Once done, move the .pfx file to the new machine and import it into the IE browser: in IE click Tools > Internet Options > Content > Certificates > Personal, click the Import button, and during the import mark the private key as exportable.

You can now sign and timestamp your code (timestamping is optional): signcode -cn "My Organisation" mycab.cab -t http://timestamp.verisign.com/scripts/timstamp.dll

Your code is now signed and timestamped. Please run chktrust.exe to ensure that the file has been signed correctly: chktrust mycab.cab

If you are signing VBA Macros, you can import the .PFX backup file into the IE browser on the new machine and use the VB editor to add the digital signature.

Solution 2:

Secure copy (SCP) or FTP the exported .PFX file to your Linux machine. To extract the private key from the .PFX file, please run the following command:

openssl pkcs12 -in mybackup.pfx -nocerts -out mykey.key

To extract the Certificate from the .PFX file, please run the following command:

openssl pkcs12 -in mybackup.pfx -nokeys -out mycert.crt

To convert the Certificate (mycert.crt) into a .spc file, please run the following command:

openssl crl2pkcs7 -nocrl -certfile mycert.crt -outform DER -out newcertfile.spc

You will now need to download the Windows PVKTOOL utility in order to convert the private key (mykey.key) into a .pvk file. Please download the utility from the following link:

http://www.drh-consultancy.demon.co.uk/pvk.html (scroll down to the conversion tools and click the "Win32 binary here" link)

1. Unzip the file and copy the pvk.exe utility to a new folder named pvktool on your C:\ drive.

2. Secure copy (SCP) or FTP the mykey.key file from the Linux machine to the pvktool folder on the new Windows machine.

3. Open a command prompt and change directory (cd) into your pvktool folder:

c:\> cd pvktool

4. To convert the private key (mykey.key) into a .pvk file, please run the following command:

pvk -in mykey.key -topvk -out newkeyfile.pvk

Once done, you can use the private key file (newkeyfile.pvk) and Certificate file (newcertfile.spc) to sign with signcode. Please read the following solution on how to sign with signcode: SO279
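As an added example (not part of the Thawte article), the following POSIX shell script runs the three Solution 2 OpenSSL commands end to end on a constructed .pfx and checks that the resulting newcertfile.spc and mykey.key belong together. The file names, the password "backup" and the -nodes flag are assumptions, and OpenSSL must be installed on the machine.

```shell
#!/bin/sh
# Added example, not part of the Thawte article: runs the Solution 2 OpenSSL
# steps on a constructed .pfx and checks the resulting .spc and key match.
set -eu
WORK=$(mktemp -d)

# Constructed input: a throwaway self-signed key and cert bundled as
# mybackup.pfx, standing in for the real Authenticode backup (password "backup").
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=My Organisation" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
    -passout pass:backup -out "$WORK/mybackup.pfx"
}

# The article's three conversion commands. -nodes is added so the key is
# written unencrypted; without it OpenSSL prompts for a PEM passphrase and the
# resulting encrypted key cannot be fed to the .pvk conversion step.
pfx_to_spc() {
  openssl pkcs12 -in "$WORK/mybackup.pfx" -passin pass:backup -nocerts -nodes \
    -out "$WORK/mykey.key"
  openssl pkcs12 -in "$WORK/mybackup.pfx" -passin pass:backup -nokeys \
    -out "$WORK/mycert.crt"
  # An .spc is a DER PKCS#7 SignedData carrying only the certificate chain.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/mycert.crt" -outform DER \
    -out "$WORK/newcertfile.spc"
}

# Returns 0 only if the .spc holds the original certificate and mykey.key is
# the private key belonging to it (public-key halves compared).
verify_outputs() {
  want=$(openssl x509 -in "$WORK/orig.crt" -noout -fingerprint -sha256)
  got=$(openssl pkcs7 -inform DER -in "$WORK/newcertfile.spc" -print_certs |
        openssl x509 -noout -fingerprint -sha256)
  [ "$want" = "$got" ] || return 1
  kpub=$(openssl pkey -in "$WORK/mykey.key" -pubout | openssl md5)
  cpub=$(openssl x509 -in "$WORK/orig.crt" -noout -pubkey | openssl md5)
  [ "$kpub" = "$cpub" ]
}

make_test_pfx
pfx_to_spc
verify_outputs && echo "newcertfile.spc and mykey.key written to $WORK"
```

OpenSSL 1.0.0 and later can also write the .pvk itself (openssl rsa -in mykey.key -outform PVK -pvk-none -out newkeyfile.pvk), which avoids the separate PVKTOOL download.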

Please note that timestamping code keeps it usable for an extended period of time, because the browser validates the timestamp. If the code is downloaded after the Certificate has expired, and it was timestamped, you will not receive an error indicating that the certificate has expired. Please specify VeriSign's timestamp server URL when you sign a file; the timestamp server validates the date and time the file was signed. The Certificate expires, but the signature remains valid for as long as the file is in production.
