9 votes

I'm applying a digital signature to my executable. Using signtool on Windows XP or Windows Vista:

>signtool.exe sign /f "avatar.pfx" MyApp.exe

automatically included the entire certification chain in the digital signature.

Starting with Windows 7 the entire certification chain is no longer included. You must manually include the certificate that:

  • signed your key
  • signed the certificate that signed your key
  • ...
  • ...until there are no more certificates to include

I am told that I have to do this using the /ac switch with the signtool utility.

From MSDN documentation of signtool:

/ac FileName
Specifies a file that contains an additional certificate to add to the signature block.

How do I get the filename of the certificate that signed my certificate?

It's more confusing because I don't have any such file. I have my digitally signed executable with no embedded certification chain:

[screenshot of the signature details]


Stack Overflow user davidcl had the same question. In his self-answer he says that I need to

do the signing using a PFX file that contains the root certificate, intermediate certificate, developer certificate, and private key.
After creating the appropriate PFX file - which was an odyssey in itself...

But he doesn't say how he created the PFX that contains the entire certification chain.

Would it be OK if I gave you a description using OpenSSL? --emboss

If it's an analogy that might be useful - sure. --Ian Boyd

To get this right, you do have a .pfx that only contains one certificate? --emboss

I had a pfx that contained only our certificate, and our private key.
a) convert certificate to spc (Software Publishing Certificate):
   >cert2spc.exe Avatar.cer Avatar.spc
b) combine spc and Private Key (pvk) into pfx:
   >pvk2pfx.exe -pvk Avatar.pvk -spc Avatar.spc -pfx Avatar.pfx
--Ian Boyd

I'm confused - does this mean this fixed your problem? --emboss

2 Answers

7 votes

Install OpenSSL for Windows. Once accomplished, you have the openssl.exe executable somewhere on your system.

Now proceed as follows.

  1. openssl pkcs12 -in avatar.pfx -out avatar.pem -nodes

(You need to enter the .pfx password here)

  2. openssl pkcs12 -in avatar.pfx -out mycert.pem -nodes -clcerts

(again the PW)

  3. openssl x509 -in mycert.pem -out mycert.cer -outform DER

Now open your Explorer and double-click on the mycert.cer. View the details and somewhere it will talk about an issuer. This is the company that issued your key store, your next goal is to get their intermediate certificates and the final root certificate. If you are lucky, there is an extension called "Authority Information Access" in your certificate that tells you where to get the issuing certificate directly. If you are not so lucky, then you will find a URL for OCSP access in the "Authority Information Access" or a URL for CRLs in the extension "CRL Distribution Points". These should at least give you a vague idea of the vendor's "homepage". In case of doubt, just google around, or ask me again :)

If you are on the vendor's page, you will have to watch out for "CA certificates" or "Intermediate Certificates". You need to download the one whose name is exactly the same as what you found in the "Issuer" field of your own certificate.

Now the funny part: The certificate you just found will again have an "Issuer" field. Lucky you if the issuer is the same company (typically the case for large CAs such as VeriSign), then you will find the corresponding certificate on the same site you are currently on. If not, repeat the previous steps.

Repeat this cumbersome procedure until you're at a point where you have found a certificate whose "Subject" field is exactly the same as its "Issuer" field. You're done then. This is a so-called "self-signed root certificate".

Most of these certificates will come in "DER"/"ASN.1"/"X.509" format - if you have the choice, download "PEM" format, otherwise you will first need to convert the certificates into "PEM" format by

openssl x509 -in cert.der -inform DER -out cert.pem

Once you have all the missing certificates in PEM format

  1. open the initial file created in step 1, avatar.pem, in a text editor.

  2. open the missing certificate PEM files in separate windows

  3. copy the missing certificates (the entire file, including the "----- BEGIN CERTIFICATE -----" and "----- END CERTIFICATE -----") and append them to avatar.pem

  4. save the result

  5. issue

openssl pkcs12 -export -in avatar.pem -out newavatar.pfx -name ""

You will have to enter a new password that is to be used with the new file.
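The chain-walking procedure described in this answer (extract key and leaf, read the Issuer, find the certificate whose Subject matches it, repeat until Subject equals Issuer, append everything, re-export as PFX) as an added, runnable example. This is my own script, not emboss's or anyone else's code from this page. It assumes only the openssl command-line tool (1.1.1 or 3.x). The CA names "Demo Root CA" and "Demo Intermediate CA", the subject "Avatar Software", the password "avatar" and the downloads folder are constructed test data standing in for the real vendor certificates; the script builds that throwaway hierarchy itself so it runs offline, then reproduces the answer's steps against it. The signtool /ac step that follows on Windows is not reproduced.

```shell
#!/bin/sh
# Added example: builds a throwaway root -> intermediate -> leaf PKI (constructed
# test data, names made up), packs leaf + private key into a leaf-only PFX like the
# one the question starts from, drops the CA certificates into a "downloads" folder
# as DER (what a vendor site typically offers), then reproduces the answer's
# procedure and exports a full-chain PFX.
set -eu
D="${WORK:-$(mktemp -d)}"

name_of() {  # $1 = subject|issuer, $2 = PEM cert; RFC2253 keeps the form stable across versions
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

make_demo_pki() {
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$D/req.cnf"   # minimal config, no system openssl.cnf needed
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=codeSigning\n' > "$D/leaf.ext"
  for n in root inter leaf; do openssl genrsa -out "$D/$n.key" 2048 2>/dev/null; done
  openssl req -new -config "$D/req.cnf" -key "$D/root.key" -subj "/CN=Demo Root CA" -out "$D/root.csr"
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 30 -extfile "$D/ca.ext" -out "$D/root.pem" 2>/dev/null
  openssl req -new -config "$D/req.cnf" -key "$D/inter.key" -subj "/CN=Demo Intermediate CA" -out "$D/inter.csr"
  openssl x509 -req -in "$D/inter.csr" -CA "$D/root.pem" -CAkey "$D/root.key" -CAcreateserial -days 30 \
    -extfile "$D/ca.ext" -out "$D/inter.pem" 2>/dev/null
  openssl req -new -config "$D/req.cnf" -key "$D/leaf.key" -subj "/CN=Avatar Software" -out "$D/leaf.csr"
  openssl x509 -req -in "$D/leaf.csr" -CA "$D/inter.pem" -CAkey "$D/inter.key" -CAcreateserial -days 30 \
    -extfile "$D/leaf.ext" -out "$D/leaf.pem" 2>/dev/null
  # leaf-only PFX: the starting point the question describes
  openssl pkcs12 -export -inkey "$D/leaf.key" -in "$D/leaf.pem" -passout pass:avatar -out "$D/avatar.pfx"
  mkdir -p "$D/downloads"   # "vendor downloads", DER encoded
  openssl x509 -in "$D/inter.pem" -outform DER -out "$D/downloads/intermediate.cer"
  openssl x509 -in "$D/root.pem" -outform DER -out "$D/downloads/root.cer"
}

build_chain_pfx() {  # $1 leaf-only PFX, $2 its password, $3 folder of downloaded CA certs, $4 output PFX
  pfx=$1; pw=$2; cadir=$3; out=$4
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nodes -out "$D/chain.pem"           # key + leaf (answer step 1)
  openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts -out "$D/cur.pem"   # leaf cert only (step 2)
  hops=0
  # stop once Subject == Issuer: that is the self-signed root
  while [ "$(name_of subject "$D/cur.pem")" != "$(name_of issuer "$D/cur.pem")" ]; do
    want=$(name_of issuer "$D/cur.pem")
    found=
    for f in "$cadir"/*; do
      # accept DER or PEM downloads; normalise the candidate to PEM (the answer's x509 conversion)
      openssl x509 -in "$f" -inform DER -out "$D/cand.pem" 2>/dev/null \
        || openssl x509 -in "$f" -inform PEM -out "$D/cand.pem" 2>/dev/null || continue
      if [ "$(name_of subject "$D/cand.pem")" = "$want" ]; then found=1; break; fi
    done
    [ -n "$found" ] || { echo "no certificate whose Subject is '$want' in $cadir" >&2; return 1; }
    cat "$D/cand.pem" >> "$D/chain.pem"   # append the hop to the key+leaf file
    cp "$D/cand.pem" "$D/cur.pem"
    hops=$((hops + 1))
    [ "$hops" -le 10 ] || { echo "more than 10 hops without reaching a self-signed root" >&2; return 1; }
  done
  openssl pkcs12 -export -in "$D/chain.pem" -passout "pass:$pw" -out "$out"   # final export
}

cert_count() {  # number of certificates stored in a PFX ($1), password $2
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

chain_verifies() {  # succeeds if the leaf in the PFX chains, by signature, to the root also in the PFX
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$D/vleaf.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$D/vcas.pem"
  openssl verify -CAfile "$D/vcas.pem" "$D/vleaf.pem" >/dev/null
}

make_demo_pki
build_chain_pfx "$D/avatar.pfx" avatar "$D/downloads" "$D/newavatar.pfx"
echo "leaf-only PFX holds $(cert_count "$D/avatar.pfx" avatar) certificate(s); full-chain PFX holds $(cert_count "$D/newavatar.pfx" avatar)"
chain_verifies "$D/newavatar.pfx" avatar && echo "chain in $D/newavatar.pfx verifies up to the self-signed root"
```

Matching on Subject and Issuer names is exactly what the answer does by hand; the closing openssl verify is the check a practitioner should add, because a name match alone does not prove that the downloaded certificate actually signed yours. With a real vendor's certificates, point build_chain_pfx at the folder you downloaded them into and at your own PFX; the resulting newavatar.pfx is what signtool sign /f takes.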

1 vote

Minor addendum to Ian's comment above "In the end I had a much easier way to get a .cer...". These days when you export your code signing pfx from the Thawte webpage, you can specify that you want the entire chain included. Hence you can import the pfx with certmgr.msc and then export the single Thawte intermediate certificate as a codesign.cer file. Then use that with the signtool /ac switch. No need to have an old signed app. Be sure to delete your temp certificate in the store, so your test of the newly signed app is valid. --William Croft