Joining GoDaddy-issued .spc and .key files into a complete .pfx / .cer certificate

爷,独闯天下 submitted on 2019-11-29 20:30:36

In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:

  1. Obtain your new CodeSign.spc certificate from GoDaddy.
  2. Export a PEM-formatted private key from the expired PFX:

    openssl.exe pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem

  3. Convert the PEM-formatted private key into the PVK format:

    pvk.exe -in CodeSign.pem -topvk -strong -out CodeSign.pvk

  4. Combine the PVK and SPC into PFX:

    pvk2pfx.exe -pvk CodeSign.pvk -pi <passphrase> -spc CodeSign.spc -pfx CodeSign.pfx -po <passphrase> -f

  5. Import the resulting PFX file into the Windows certificate store. Remember to make it exportable.
  6. Export it from the certificate store into the binary CER format as CodeSign.cer.
  7. Optionally delete the certificate from the Windows certificate store.

In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).

UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to convert it into SPC:

openssl crl2pkcs7 -nocrl -certfile CodeSign.crt -outform DER -out CodeSign.spc

Sources:

The tools you will need:

  • OpenSSL
  • pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site)
  • pvk2pfx.exe — part of Microsoft SDKs, installs with Visual Studio 2010

I had a similar issue and I spent at least a few hours searching around for a solution. GoDaddy provided me with .spc and .pem files and I couldn't create a .pfx file out of them using OpenSSL. Finally, I imported the .spc file on my local computer using MMC. Once the certificate was imported on my local machine, I noticed that it brought in GoDaddy's chain file along with the Code Sign Cert file itself. MMC View

Now, select both files and right click to export as a .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and most straightforward solution. Hope this post helps many people.

brendanx

The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.

For anyone else looking for similar information, here is what I ended up using...

Get the private key:

openssl pkcs12 -in certs-and-key.p12 -out privateKey.key

Get the certificate:

Beware: This can give you the CA cert

openssl pkcs12 -in certs-and-key.p12 -out certificate.crt -nokeys

Better: Use this command to print only the client cert

openssl pkcs12 -in MacCossLabUW.p12 -clcerts

Then copy the output between:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Save it to a file named certificate.crt

Now check that the private key and certificate match with the commands:

openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl x509 -noout -modulus -in certificate.crt | openssl md5

Then generate a new CSR:

openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey privateKey.key

Use the CSR to Re-Key the certificate.

Download the GoDaddy software publishing certificate (.spc) file.

Verify that the generated certificate matches the request private key:

openssl pkcs7 -inform DER -in certificate.spc -print_certs

Then copy the output between for your certificate (Note: the output will also contain CA certs):

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Save to a file named certificate-new.crt

And run the command:

openssl x509 -noout -modulus -in certificate-new.crt | openssl md5

The output should match the previous call used with the private key and request certificate.

To finish the process, follow the steps outlined in the answer with pvk2pfx.

I also found the schematic diagram in this post quite helpful:

PVK2PFX Error 0x80070490 - Cannot find certificates that match the key

You can create PFX with openssl only.

  1. Export a PEM-formatted private key from the expired PFX:

    openssl pkcs12 -in CodeSign.pfx -nocerts -out CodeSign.pem

  2. Create PFX:

    openssl pkcs7 -in CodeSign.spc -inform der -print_certs | openssl pkcs12 -export -inkey CodeSign.pem -out CodeSign.pfx

If you generated your certificate request from IIS (I did this on IIS on Windows 2012 Server), follow these steps on the server/PC where you generated the request:

  1. Open IIS.
  2. Click on the top level node (Server node).
  3. Open the Server Certificates settings.
  4. Click on "Complete certificate request" under Actions on the right.
  5. Import your spc file to the server.

From here you can then export to a PFX file.
