Issues with Code Signing Certificate

2

My boss recently purchased a code signing certificate from Comodo. I now have the task of making it work in VS2013 using Strong Name Key signing and perhaps as a post-build event, too. He did the whole purchasing process on the same machine (Windows 8.1 64-bit laptop) and using the same browser (Firefox 59.0.1 64-bit). I have gone to the Menu > Options > Privacy & Security > View Certificates > Your Certificates screen in Firefox, and selected the cert that was just purchased. I then clicked the "Backup" button, named it something generic, like companyCert.p12 (I don't get any other choice or settings but .p12), clicked the "Save" button, and entered a 16-character alphanumeric (caps and lowercase) password, and clicked the "OK" button. I got the popup saying that the export was successful.

When I try to import that .p12, or the extension-renamed .pfx, file into the local user's Personal or Trusted Publishers certificate store through mmc (even tried certmgr.msc just for kicks), I get:

The password you entered is incorrect.

When I try to build my assemblies in VS using the .p12 file to Strong Name Key sign them, I get:

The key file 'absolute\path\to\cert\companyCert.p12' does not contain a public/private key pair.

When I try to do the same thing but renaming the extension to .pfx, I am prompted for the password, so I input that, and I get:

An error occurred during encode or decode operation.

So I then tried to import the .p12/.pfx using the command prompt (running as administrator) and CertUtil using the following line:

certutil -importPFX -user "absolute\path\to\cert\companyCert.p12" AT_SIGNATURE

and I was prompted for the password, which I input, and got:

CertUtil: -importPFX command FAILED: 0x80092002 (-2146885630 CRYPT_E_BAD_ENCODE)

CertUtil: An error occurred during encode or decode operation.

for both .p12 and .pfx.

I've tried all of these several times just in case I did something wrong with the password or something. I've tried going back into the Firefox certificates and instead of clicking on the "Backup" button in the Your Certificates screen, clicking on the code signing certificate, and clicking "View..." That takes me to the Certificate Viewer window, where I click on the Details tab and click the "Export" button. There, I am given the choice of X.509 Certificates:

PEM (.crt/.pem, both with or without chain)

DER (.der without chain)

and PKCS#7 (.p7c with or without chain)

I did all but .der when trying to do the code signing, but to no avail. I was able to import some of them into the local user's Personal and Trusted Publisher stores, but I was unable to get any of them to work in VS for Strong Name Key signing.

As I understand it, I need to be able to get the private/public key certificate in the local store on the OS level, not just Firefox's browser level, and then I should be able to export how I need to. Is that correct? If it's not, please, someone tell me what I can do to get this to work.

windows
visual-studio
firefox
x509certificate
code-signing
asked on Stack Overflow Mar 20, 2018 by Meloviz

2 Answers

3

In my case I could successfully import the .pfx file in my Desktop running Windows 10, but when I tried to import the certificate in the server running Windows Server 2016 I received the error "The password you entered is incorrect".

To solve the problem:

  1. Remove the certificate from my Windows (using Management Console / Certificates)
  2. Import the original .pfx certificate to my Desktop Computer
  3. Export the certificate (using Management Console / Certificates)

The trick is:

When exporting the certificate, select the encryption "TripleDES-SHA1".

answered on Stack Overflow Feb 26, 2019 by educoutinho
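The fix in the answer above turns on which password-based encryption protects the .pfx. As an added example (not from the post or from any vendor tool), this Python code lists the protection algorithms named inside a PKCS#12 file, so an export can be checked before it is moved to another machine. It assumes definite-length DER; the function names and the sample skeleton are constructed for illustration.

```python
# Added example, not from the post. Assumes definite-length DER input.
KNOWN = {  # well-known PKCS#12 / PKCS#5 / NIST algorithm OIDs
    "1.2.840.113549.1.12.1.3": "TripleDES-SHA1",
    "1.2.840.113549.1.5.13": "PBES2",
    "2.16.840.1.101.3.4.1.42": "AES256-CBC",
}

def _oid(body):  # decode OBJECT IDENTIFIER content bytes to dotted form
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def _walk(buf, found):  # collect every OID, descending into nested DER
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body = buf[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated element")
        if tag == 0x06:
            found.append(_oid(body))
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            _walk(body, found)
        elif tag == 0x04:  # OCTET STRING: wrapped DER or opaque bytes
            try:
                _walk(body, found)
            except (ValueError, IndexError):
                pass  # salt or ciphertext, not DER
        pos += length
    return found

def pfx_protection(data):  # recognised algorithm names, in order of appearance
    names = [KNOWN[o] for o in _walk(bytes(data), []) if o in KNOWN]
    return list(dict.fromkeys(names))

def _tlv(tag, *parts):  # short-form encoder, used only to build the sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_pfx(alg_hex, extra=b""):  # constructed PFX-shaped skeleton, no real key
    alg = _tlv(0x30, bytes.fromhex(alg_hex), _tlv(0x30, _tlv(0x04, bytes(8)), extra))
    bag = _tlv(0x30, alg, _tlv(0x04, b"\xff" * 8))
    return _tlv(0x30, b"\x02\x01\x03", _tlv(0x30, _tlv(0xA0, _tlv(0x04, bag))))
```

For a real file, pass its bytes: `pfx_protection(open(path, "rb").read())`.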
1

I downloaded - DigiCertUtil - and manually installed the certificate with this tool, and it worked perfectly! https://www.digicert.com/util/

I managed to re-export the file and use the certUtil.exe with -importPFX.

Initially I used the DigiCert utility to install the certificate on one machine and add it to the store. Then I exported it from the Google Chrome browser to a new .pfx file (Settings > Manage certificates > Export). And voilà, all of a sudden the file was no longer corrupted and could be used with certUtil.exe.

I saw a post where the Comodo Support Team blamed Firefox for the issue, which made me wonder if Chrome could export after the use of DigiCertUtil.

answered on Stack Overflow Jun 8, 2018 by NotJohn • edited Dec 17, 2018 by NotJohn

User contributions licensed under CC BY-SA 3.0