I have a GoDaddy-issued code signing certificate in a .spc
file. Also, I have a private key in .key
file. The code signing has been issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc
file was issues.
Now I'm facing the problem of joining the original private key file with the issues certificate to form a .pfx
(or .cer
?) file suitable for installation into the Windows certificate store.
The command I'm trying is:
openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export
However, I'm getting an error message that reads “No certificate matches private key”.
I've followed this answer on SO to verify the .key
file is a valid private key. However, when I try to verify that .spc
is a valid certificate, I just get
unable to load certificate
5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
What's the correct way of producing an .pfx
file from my inputs? I'm using OpenSSL 0.9.8k.
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:
CodeSign.spc
certificate from GoDaddy.Export a PEM-formatted private key from the expired PFX:
Convert the PEM-formatted private key into the PVK format:
Combine the PVK and SPC into PFX:
Import the resulting PFX file into Windows certificate store. Remember to make it exportable.
CodeSign.cer
.In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).
UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to covert it into SPC:
Sources:
The tools you will need:
pvk.exe
— see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)pvk2pfx.exe
— part of Microsoft SDKs, installs with Visual Studio 2010