Exporting a code signing certificate to a PVK, SPC pair

If your code signing certificate is in a Personal Information Exchange (.pfx) format file, you can use it to sign code using the signtool.exe included with Microsoft Visual Studio and the Platform SDK. If you are a shareware developer then you can also use it to sign software PAD files using the Association of Shareware Professionals' signpad.exe tool. Tech-Pro CodeSign helps automate the use of these tools, allowing you to digitally sign your software with drag and drop ease.

If you don't own a copy of Visual Studio then you can obtain a copy of signtool.exe by downloading the Windows SDK. This can be quite a big download but the latest SDK uses a net installer that only downloads the parts you need. If you only want the code signing tools you can deselect all of the install options except Tools.

As an alternative, you could convert the .pfx file to a private key (.pvk) and software publishing certificate (.spc) pair, which is usable by Microsoft's original code signing tools. This is quite a complicated process, involving the use of third party tools. This article describes how to carry out the conversion.

Note: If your code signing certificate is in the Internet Explorer certificate store, then you must first export it to a Personal Information Exchange (.pfx) format file.

Obtaining the conversion tools

To export your private key and software publishing certificate from the .pfx file you need the OpenSSL tools. You can download a ready compiled Windows binary package from Shining Light Productions. The 'light' package is all you need.

The OpenSSL utility will export the private key to an OpenSSL .pem format file. The .pvk private key format required by the code signing tools is a Microsoft proprietary format which OpenSSL does not support. Dr. Stephen N Henson, an OpenSSL consultant in the UK, has reverse-engineered the .pvk file format and developed a conversion utility which you can download here. In case you should have trouble accessing the server it is also mirrored here. The utility is contained in a Zip archive and you simply need to extract it to the same folder as the OpenSSL tools.

Exporting the files

Having downloaded and installed the conversion tools, you are ready to export your code signing certificate and private key file from the .pfx file. The commands given below assume that the location of the conversion tools has been added to the PATH environment variable. Otherwise you should type the full path to each program.

In the examples we will also assume that the .pfx file name is mycert.pfx and that the desired output filenames are mykey.pvk and mycert.spc. You may, of course, substitute other names if you so wish, and specify a full path if the files are located in a different folder. Remember to quote the paths to the files if they contain spaces.

Exporting the private key

First export the private key to an OpenSSL .pem format file.

openssl.exe pkcs12 -in mycert.pfx -nocerts -nodes -out mykey.pem

You will be asked for the password protecting the .pfx file, if you set one when it was exported.

Now you use Dr. Henson's conversion utility to convert the .pem file into the proprietary Microsoft .pvk format.

pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk

That takes care of the private key file.

Exporting the software publishing certificate

Converting your code signing certificate into a software publishing certificate .spc file is also a two stage process. First, the certificate is exported to an OpenSSL .pem format file, and then this is converted to the final .spc format.

openssl.exe pkcs12 -in mycert.pfx -nokeys -out mycert.pem
openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out mycert.spc

Again, you will be asked for the password protecting the .pfx file, if you set one.

You now have a .pvk and .spc pair which you can use to digitally sign executables using signcode.exe. The intermediate .pem files created during the conversion are no longer needed and should be deleted; mykey.pem in particular holds the private key unencrypted, because of the -nodes option used above.
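The whole conversion, wrapped in a script, as an added example that is not part of the original article or of the tools it describes. It runs the same three commands given above, but adds the two checks worth doing before you trust the output: that the exported private key really belongs to the exported certificate (by comparing public key digests), and that the resulting .spc parses as a DER PKCS#7 certificate bundle. It assumes openssl is on the PATH; pvk.exe is used only if it is found, otherwise the PEM key is left in place for manual conversion. The .pfx password is taken as an argument and handed to openssl through an environment variable rather than on the command line. The test certificate it is exercised with is a constructed self-signed one, and the function and variable names are this example's own. On Windows it runs under Git Bash or MSYS; on Linux or macOS it runs as-is.

```shell
#!/bin/sh
# Added example (not from the article): the article's PFX -> PVK/SPC steps
# as a script, with key/certificate matching and .spc parsing checks.
# Assumes: openssl on PATH; pvk.exe (Dr. Henson's converter) optional.
set -e

# Print the SHA-256 of a PEM public key read on stdin; used to compare
# the key side and the certificate side of the export.
pubkey_digest() {
    openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Usage: pfx_to_pvk_spc <in.pfx> <out.pvk> <out.spc> <pfx-password>
# Returns 0 on success, 1 if the key and certificate do not belong together.
pfx_to_pvk_spc() {
    pfx="$1"; pvk_out="$2"; spc_out="$3"
    PFX_PASS="$4"; export PFX_PASS
    keypem="${pvk_out%.pvk}.pem"     # mykey.pem in the article's naming
    certpem="${spc_out%.spc}.pem"    # mycert.pem in the article's naming

    # Step 1: private key to PEM. -nodes writes it unencrypted to disk.
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASS -out "$keypem"

    # Step 2: certificate(s) to PEM, then wrap as DER PKCS#7, which is the .spc.
    openssl pkcs12 -in "$pfx" -nokeys -passin env:PFX_PASS -out "$certpem"
    openssl crl2pkcs7 -nocrl -certfile "$certpem" -outform DER -out "$spc_out"

    # Check 1: the signer certificate's public key must match the private key.
    key_fp=$(openssl pkey -in "$keypem" -pubout | pubkey_digest)
    cert_fp=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PFX_PASS \
              | openssl x509 -pubkey -noout | pubkey_digest)
    if [ "$key_fp" != "$cert_fp" ]; then
        echo "key/certificate mismatch: $key_fp vs $cert_fp" >&2
        rm -f "$keypem" "$certpem" "$spc_out"
        unset PFX_PASS
        return 1
    fi

    # Check 2: the .spc must parse as PKCS#7 (non-zero exit aborts via set -e).
    openssl pkcs7 -inform DER -in "$spc_out" -print_certs -noout >/dev/null

    # Step 3: PEM key to Microsoft .pvk, when the converter is available.
    if command -v pvk.exe >/dev/null 2>&1; then
        pvk.exe -in "$keypem" -topvk -strong -out "$pvk_out"
        rm -f "$keypem"    # the unencrypted PEM key is no longer needed
    else
        echo "pvk.exe not on PATH; $keypem left for manual conversion" >&2
    fi
    rm -f "$certpem"
    unset PFX_PASS
}

# Number of certificates inside a .spc: 1 for a lone signer certificate,
# more when the .pfx also carried the issuing chain.
spc_cert_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout | grep -c '^subject='
}
```

Because the article's -nokeys export is run without -clcerts, any CA certificates stored in the .pfx are carried into the .spc as well, which is what you want for a signing certificate chain; spc_cert_count shows how many ended up there.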