I have a code-signing certificate (SPC) file from GoDaddy. The file was generated from an existing private key:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvcG2SEalg9pvkTvtMI8cZg07tVA0RuK7LeGlFdk1smXgqrsH
.... snipped ....
MURwR0FXgNAuFNQ0yBNFNW2+o9uBceLuCSUalgi4pQw1uBmP5QkUYA==
-----END RSA PRIVATE KEY-----
I generated a certificate signing request and sent this to GoDaddy:
-----BEGIN CERTIFICATE REQUEST-----
MIICiDCCAXACAQAwQzFBMD8GCSqGSIb3DQEJARYyYXBwbGVAdGVrNC1uZXdtZWRp
.... snipped ....
nJwd9pSDPuYaNHl33N1BJkXFusG7ta0D6UjisA==
-----END CERTIFICATE REQUEST-----
GoDaddy then returned me an SPC file. My research shows that typically you'd have a SPC/PVK pair but obviously my private key isn't of PVK type. I've tried several methods (pvkimprt, pvk2pfx, openssl, keytool) but can't seem to convert my key to PVK type or my SPC to a PKCS12 type independently without both the certificate (SPC) and private key being in a single key-store.
The command that I appear to need to do this in one step is: openssl pkcs12 -in cert_from_godaddy.spc -inkey private.key -export -out full_code_signing_chain.pkcs12
However, running that I just get: Loading 'screen' into random state - done No certificate matches private key
But, the certificate (SPC) is for the private key. What am I doing wrong?!
Background: I'm trying to generate a .p12 file sign an Adobe AIR application
To be honest I can not understand at all what you are trying to do.
You got back the SPC file which is just the #PKCS7 der encoding with your certificate.
You also have your private key.
All you need to do is import the certificate to the pkcs12 keystore to have the signed certificate with your private key.
Here is how I created a .p12 file from GoDaddy's .spc file: 1. Right click myCert.spc, Install Certificate (to install the .spc into Windows) 2. Double click myCert.spc (to open it in certmgr), export to a .cer file. 3. Import that .cer file into Firefox. 4. From with Firefox: backup what you just imported to create a .p12 file.
Then you can use that .p12 file to sign your code.
To create a P12 truststore from a private key and a SPC file do the following steps with OpenSSL:
- (Optional): Extract the private key from an old P12 truststore:
openssl pkcs12 -in old.p12 -nocerts -out privateKey.pem
- Extract the certificate chain from the SPC file:
openssl pkcs7 -inform DER -outform PEM -in godaddy.spc -print_certs > certificates.pem
- Create the new P12 truststore:
openssl pkcs12 -export -out new.p12 -inkey privateKey.pem -in certificates.pem
来源:https://stackoverflow.com/questions/9112166/how-to-generate-a-pkcs12-p12-from-a-spc-code-signing-certificate-and-pkcs