pvk2pfx does not allow me to create a pfx file with an empty private key password


We created the certificate request and the private key with openssl as follows

req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

We sent the CSR out and after verification, we got back the spc file. Now I want to sign my code with signtool. Apparently, I need to generate a pfx file combining the spc and the private key, so I invoke

pvk2pfx.exe -pvk file.pvk -spc file.spc -pfx cert.pfx

This program asks for a password, but we never set a password on the private key. We just pressed enter. If we try to press enter at the dialog, we get

ERROR: Password incorrect.
(Error Code = 0x80070056)

If we try any other text, we get

ERROR: Bad file format.
(Error Code = 0x8007000b)

I also tried using signtool and the wizard, which apparently accepts the spc and pvk separated. When I specify the private key (from disk, CSP: Microsoft strong cryptographic provider, provider type RSA Full) I get

The signing certificate and private key do not match 
or do not contain valid information.

Any suggestion?

asked on Stack Overflow Sep 25, 2014 by Stefano Borini

2 Answers


The problem is that apparently the .key you get from the openssl and the .pkv that signtool and pkv2pfx require are not the same thing. You have to convert the .key from the openssl output , using this pvk utility. It's simple to use and generates the pvk file that microsoft tools want.

answered on Stack Overflow Sep 25, 2014 by Stefano Borini

I came across this question when facing a "Bad File Format" error when using pvk2pfx, and the accepted answer's dead link didn't let me progress.

So, assuming the ultimate goal here is to end up with a pfx, regardless of the particular tool used to accomplish this, I used OpenSSL:

  1. Download installer from https://slproweb.com/products/Win32OpenSSL.html
  2. Install Open SSL
  3. Open a Win64 Open SSL Command Prompt
  4. Run the following command: E:\Path\To\Cert\> openssl pkcs12 -export -out MyOutput.pfx -inkey MyPrivateKey.pvk -in MyCertificate.cer

This will use the MyPrivateKey.pvk and MyCertificate.cer files and produce a MyOutput.pfx file.

Hope this helps other lost souls.

answered on Stack Overflow Apr 22, 2021 by Veli Gebrev • edited Apr 22, 2021 by Veli Gebrev

User contributions licensed under CC BY-SA 3.0