rockstarmode

rockstar mode - [noun] 'räk'stär 'mOd: Expressing the insanity of living with your knobs permanently cranked to eleven.

Microsoft and OpenSSL

I recently had to re-figure out how to coax Windows and Linux with GoDaddy to obtain compatible code signing certificates. This is *much* harder when using a mixed environment than it should be.

GoDaddy issues spc files and needs csr files, which are generated in conjunction with pvk files. Ant/Java want p12 files and most Microsoft signtools want pfx files, but you can't generate any of these without pem files. Here are the steps:

  1. Log into your build server
  2. Generate private key, don't forget the password:
    openssl genrsa -des3 -out code-sign.pvk 2048
  3. Generate the csr:
    openssl req -new -key code-sign.pvk -out code-sign.csr
  4. Take csr to GoDaddy
  5. Download spc file
  6. Convert spc to pem:
    openssl pkcs7 -inform DER -in code-sign.spc -print_certs \
    -out code-sign.pem
  7. Add the private key to the pem. This was the trickiest part: apparently openssl outputs files in pem format unless otherwise instructed, and the pkcs12 export doesn't like to be given more than one file during import:
    cat code-sign.pvk >> code-sign.pem
  8. Generate the p12 (which is also a pfx). Use the passwords from above again to simplify things:
    openssl pkcs12 -export -in code-sign.pem -out code-sign.p12

The P12 file is basically the same thing as a Microsoft PFX. A while ago Microsoft switched to PKCS12 (P12) but insists on calling their files PFX.
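Steps 6 to 8 can be rehearsed offline before the real certificate arrives. The script below is an added example, not part of the original post: it runs those steps and adds two checks, that the private key belongs to the certificate before bundling and that the finished p12 opens and holds both. The password, the self-signed stand-in for GoDaddy's spc file, and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: rehearse steps 6-8 offline with constructed inputs.
PASS='constructed-demo-pass'   # placeholder password, not a real secret

# Public key held by an encrypted private key / by the first cert in a PEM file.
pub_of_key()  { openssl pkey -in "$1" -passin "pass:$PASS" -pubout 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Succeeds only when both public keys can be read and are identical.
key_matches_cert() {
  k=$(pub_of_key "$1") && c=$(pub_of_cert "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-in for steps 2-5: a throwaway self-signed certificate wrapped as DER
# PKCS#7 plays the role of the .spc file that the CA returns.
make_fixture() {
  openssl genrsa -des3 -passout "pass:$PASS" -out "$1/code-sign.pvk" 2048 2>/dev/null &&
  openssl req -new -x509 -key "$1/code-sign.pvk" -passin "pass:$PASS" \
    -subj "/CN=Constructed Code Signing Test" -days 1 -out "$1/issued.pem" &&
  openssl crl2pkcs7 -nocrl -certfile "$1/issued.pem" -outform DER \
    -out "$1/code-sign.spc"
}

# Steps 6-8 as on the page, refusing to bundle a key that does not belong to
# the issued certificate.
build_p12() {
  openssl pkcs7 -inform DER -in "$1/code-sign.spc" -print_certs \
    -out "$1/code-sign.pem" || return 1
  key_matches_cert "$1/code-sign.pvk" "$1/code-sign.pem" || {
    echo "private key does not match certificate" >&2; return 2; }
  cat "$1/code-sign.pvk" >> "$1/code-sign.pem"
  openssl pkcs12 -export -in "$1/code-sign.pem" -passin "pass:$PASS" \
    -passout "pass:$PASS" -out "$1/code-sign.p12"
}

# Confirms the bundle opens and holds both a certificate and a private key.
p12_is_complete() {
  out=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null) || return 1
  echo "$out" | grep -q 'BEGIN CERTIFICATE' && echo "$out" | grep -q 'PRIVATE KEY'
}

d=$(mktemp -d) && make_fixture "$d" && build_p12 "$d" &&
  p12_is_complete "$d/code-sign.p12" && echo "code-sign.p12 verified"
rm -rf "$d"
```

With a real spc file, skip `make_fixture` and point `build_p12` at the directory holding `code-sign.pvk` and `code-sign.spc`.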
