We created the certificate request and the private key with openssl as follows
req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
We sent the CSR out and after verification, we got back the spc file. Now I want to sign my code with signtool. Apparently, I need to generate a pfx file combining the spc and the private key, so I invoke
pvk2pfx.exe -pvk file.pvk -spc file.spc -pfx cert.pfx
This program asks for a password, but we never set a password on the private key. We just pressed enter. If we try to press enter at the dialog, we get
ERROR: Password incorrect. (Error Code = 0x80070056)
If we try any other text, we get
ERROR: Bad file format. (Error Code = 0x8007000b)
I also tried using signtool and the wizard, which apparently accepts the spc and pvk separated. When I specify the private key (from disk, CSP: Microsoft strong cryptographic provider, provider type RSA Full) I get
The signing certificate and private key do not match or do not contain valid information.
The problem is that apparently the .key you get from the openssl and the .pkv that signtool and pkv2pfx require are not the same thing. You have to convert the .key from the openssl output , using this pvk utility. It's simple to use and generates the pvk file that microsoft tools want.
I came across this question when facing a "Bad File Format" error when using pvk2pfx, and the accepted answer's dead link didn't let me progress.
So, assuming the ultimate goal here is to end up with a pfx, regardless of the particular tool used to accomplish this, I used OpenSSL:
E:\Path\To\Cert\> openssl pkcs12 -export -out MyOutput.pfx -inkey MyPrivateKey.pvk -in MyCertificate.cer
This will use the MyPrivateKey.pvk and MyCertificate.cer files and produce a MyOutput.pfx file.
Hope this helps other lost souls.
User contributions licensed under CC BY-SA 3.0