We recently renewed the code signing certificate we use to certify that our product installers are genuine and from a trusted download source. As part of this process, you generate a certificate signing request (CSR) along with a private key and you send the CSR to a Certificate Authority like GoDaddy.com. The CA then validates your organization’s identity and creates a code signing certificate for your organization. This article is about creating a Windows Server code signing certificate using OpenSSL and pvkimprt based on our experience.
Once you have the certificate from the CA, you still need to take a couple of steps to finish the process. In our case, we used the OpenSSL tool to create our CSR and private key on Server 2008 and then sent the CSR to our CA. This process went smoothly and we didn’t hit a snag until we needed to combine the certificate with the private key to create a PKCS#12 file—with a PFX extension—we can use to sign installers and .NET assemblies.
We used the PVK Digital Certificate Files Importer utility from Microsoft—pvkimprt.exe—to combine the certificate with the private key and produce our PFX file. However, when running the command to combine the files as described here, we ran into the following error.
Error: 000004c0, The format of the specified password is invalid.
This head scratcher caused some consternation since I hadn’t even been prompted for a password. After much searching and cursing, I found the following fantastic article from a fella that ran into the exact same issue a couple of years ago. The culprit is that the private key created by OpenSSL does not work with pvkimprt. You need to use the PVK Utility to convert the OpenSSL private key to a format that works with pvkimprt.exe. Once you download the PVK Utility, just run PVK from a command line as follows to generate a compatible private key file for pvkimprt.
pvk.exe -in privateKey.key -out privateKey.pvk -strong -topvk
Once you have the converted pvk file, you can run the pvkimprt utility again and it should fire up the Export Private Key wizard and allow you to complete the creation of your .pfx file.
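A quick way to confirm which format a key file is in before handing it to pvkimprt, as an added example that is not part of the original article or of either tool: the Python sketch below tells an OpenSSL PEM key apart from a PVK file by its header. The function name `classify_key` and the sample bytes are constructed for this illustration; the PVK header layout (magic `0xB0B5F11E` followed by five 32-bit little-endian fields) is the commonly documented one.

```python
import struct

PVK_MAGIC = 0xB0B5F11E               # stored little-endian: 1E F1 B5 B0
PVK_HEADER = struct.Struct("<6I")    # magic, reserved, keytype, encrypted, saltlen, keylen
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}


def classify_key(data: bytes) -> dict:
    """Report whether a private key blob is PEM (OpenSSL) or PVK."""
    text = data.lstrip()
    if text.startswith(b"-----BEGIN "):
        # PEM armor: the label sits between the first two runs of dashes.
        label = text.split(b"-----", 2)[1].decode("ascii", "replace")[len("BEGIN "):]
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or b"Proc-Type: 4,ENCRYPTED" in text)
        return {"format": "PEM", "label": label,
                "encrypted": encrypted, "needs_conversion": True}
    if len(data) >= PVK_HEADER.size:
        magic, _, keytype, enc, saltlen, keylen = PVK_HEADER.unpack_from(data)
        if magic == PVK_MAGIC:
            return {"format": "PVK",
                    "key_type": KEY_TYPES.get(keytype, f"unknown({keytype})"),
                    "encrypted": bool(enc),
                    "truncated": len(data) < PVK_HEADER.size + saltlen + keylen,
                    "needs_conversion": False}
    return {"format": "unknown", "needs_conversion": None}


# Constructed samples: structurally valid headers, no real key material.
SAMPLE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PVK = struct.pack("<6I", PVK_MAGIC, 0, 2, 1, 16, 8) + bytes(16) + bytes(8)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Classify a real file, e.g. privateKey.key or privateKey.pvk
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], classify_key(fh.read()))
    else:
        for name, blob in (("PEM", SAMPLE_PEM), ("PVK", SAMPLE_PVK)):
            print(name, classify_key(blob))
```

A result of `"encrypted": False` means the private key is stored on disk without password protection, which is worth knowing before the file is copied to a build or signing machine.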
- Killer article that puts it all together: http://powerwf.tumblr.com/post/347822685/realworld-code-signing-for-dummies
- Another good article describing the problem: http://www.xxeo.com/archives/2004/05/06/whipped-cream-microsoft-authenticode-pvkmprtexeerror-000004c0-and-other-delights.html
- PVK Utility download: http://www.drh-consultancy.demon.co.uk/pvk.html
- Install a code signing certificate: http://support.godaddy.com/help/article/5087
- Request a code signing certificate: http://support.godaddy.com/help/4777?locale=en