Codesign – Converting a PFX file to SPC and PVK files

Converting a PFX file to SPC and PVK files

Export Certificate with Private Key.

Use the export wizard with the following options:

1. Export Private Key (Yes)
2. DO NOT TICK include all certificates in the certification path if possible
3. TICK enable strong protection
4. DO NOT TICK delete private key

Prerequisite: OpenSSL 0.9.8 or better. OpenSSL 1.x preferred.

Note: If you are running Windows you may download OpenSSL here. Otherwise, you can find compiled binaries
directly from the OpenSSL Website or consult your Operating System’s package management feature.

Private Key (PVK)

1. Extract your Private Key from the PFX/P12 file to PEM format.

openssl pkcs12 -in PFX_FILE -nocerts -nodes -out PEM_KEY_FILE

Note: The PFX/P12 password will be asked. This is the password you gave the file upon exporting it.

2. Convert PEM Private Key to PVK format.

OpenSSL 0.9.8 series:
pvk -in PEM_KEY_FILE -topvk -out PVK_FILE

OpenSSL 1.x series:
openssl rsa -in PEM_KEY_FILE -outform PVK -pvk-strong -out PVK_FILE

Note #1: In order to use pvk for OpenSSL 0.9.8 series, you must download PVK Transform.

Note #2: A PEM passphrase may be asked. This will be the password/passphrase that you will use to sign
your code.

Software Publisher’s Certificate (SPC)

1. Extract Certificate from P12/PFX file.

openssl pkcs12 -in PFX_FILE -nokeys -out CERT_PEM_FILE

2. Convert Certificate to SPC format.

openssl crl2pkcs7 -nocrl -certfile CERT_PEM_FILE -outform DER -out SPC_FILE

Note: If you have exported your certificate from another browser outside of IE, then please ensure in the
CERT_PEM_FILE that ONLY your certificate exists or else code signing will NOT WORK!

Example Conversion

openssl pkcs12 -in my_pfx_file.pfx -nocerts -nodes -out rsa.pem
openssl rsa -in rsa.pem -outform PVK -pvk-strong -out mykey.pvk

openssl pkcs12 -in my_pfx_file.pfx -nokeys -nodes -out cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -outform DER -out cert.spc

Comments are closed