We use a certificate to sign ActiveX in our product.
Usually the client sent me spc and pvk files and the password for the private key.
I used the spc and pvk files to generate a pfx file and signed ActiveX using this pfx file.
The previous certificate will expire soon and the client sent me the new certificate.
But now he sent me a keystore file and an email with certificates in BASE64 format.
There are the following entries in the email:
Below is your Code Signing certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Below is the intermediate CA certificate:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Below is your certificate in pkcs7 format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
I did the following steps to create the pfx file:
1. Put the certificate in pkcs7 format from the email into the file certificate.p7b.
2. Export the certificate in pkcs7 format into the certificate.cer file.
openssl.exe pkcs7 -print_certs -in certificate.p7b -out certificate.cer
3. Generate the certificate.spc file from certificate.cer.
cert2Spc.exe certificate.cer certificate.spc
4. Export the private key from the keystore into a PKCS#12 (.p12) file.
keytool -importkeystore -srckeystore keystore -destkeystore new-store.p12 -deststoretype PKCS12
5. Extract the private key from PKCS#12 to PEM.
openssl.exe pkcs12 -in new-store.p12 -nodes -out private.rsa.pem
6. Create the PVK file from PEM.
openssl rsa -in private.rsa.pem -outform PVK -pvk-strong -out FILENAME.pvk
7. Create the PFX file from the SPC and PVK files.
pvk2pfx.exe -pvk FILENAME.pvk -pi <password> -spc certificate.spc -pfx myproject.pfx -po <password>
Is this the correct approach?
Too many steps for me.
Is there a much shorter path to generate the pfx file?
What should I do with the "Code Signing certificate" from the email?
srckeystore parameter. It looks like Volodymyr already has a pre-existing keystore that probably contains the keypair associated with the signing certificate. In other words, his keystore just happens to be named keystore. – aTotalStranger
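
A shorter route for steps 2 to 7 of the question, as an added example that is not part of the original post: PKCS#12 and PFX are the same container format, so once step 4 has produced new-store.p12, openssl alone can combine its private key with the PKCS#7 chain, and the key never has to be written unencrypted as it is with -nodes. The function names and the SRC_PASS and PFX_PASS environment variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Names and the SRC_PASS / PFX_PASS
# environment variables are assumptions; both must be exported before calling.

# build_pfx SRC_P12 CHAIN_P7B OUT_PFX
#   SRC_P12   PKCS#12 file produced by keytool -importkeystore (step 4)
#   CHAIN_P7B PKCS#7 bundle from the CA e-mail (step 1)
#   OUT_PFX   resulting PKCS#12/PFX holding key, signing cert and intermediate CA
build_pfx() {
  work=$(mktemp -d) || return 1
  rc=0
  (
    umask 077   # intermediate and output files readable by the owner only
    # Certificates from the PKCS#7 bundle, as PEM blocks.
    openssl pkcs7 -print_certs -in "$2" -out "$work/chain.pem" &&
    # Private key only; it is re-encrypted with PFX_PASS instead of being
    # written in clear as -nodes would do.
    openssl pkcs12 -in "$1" -nocerts -passin env:SRC_PASS \
      -passout env:PFX_PASS -out "$work/key.pem" &&
    # openssl selects the certificate whose public key matches the private
    # key as the end-entity certificate and fails if the bundle has none.
    openssl pkcs12 -export -inkey "$work/key.pem" -passin env:PFX_PASS \
      -in "$work/chain.pem" -passout env:PFX_PASS -out "$3"
  ) || rc=$?
  rm -rf "$work"   # remove the intermediate key and chain in every case
  return "$rc"
}

# pfx_cert_count PFX: number of certificates stored in the PFX.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# pfx_signer_subject PFX: subject of the certificate bound to the private key.
pfx_signer_subject() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASS 2>/dev/null |
    openssl x509 -noout -subject
}
```

Checking pfx_signer_subject before signing confirms that the key from the keystore belongs to the new code signing certificate and not to an older one.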