If you are dealing with automated builds, and you want to sign your code without typing the password every time, you will find yourself using the ancient pvkimprt tool.
That is because you need to import the public signed certificate, with its password-encrypted private key, into the Microsoft Certificate Store Provider (aka the CSP, aka somewhere in the registry). You will use pvkimprt to do this. Then you can use the signcode utility to sign executables without having to type your password in each time. This is necessary for automated builds, and can be OK if the machine is secure.
We got our certs from Verisign (as you can read on the cert), and for some reason, I couldn’t use pvkimprt to get the certs and keys into the CSP. It turns out that the keys generated by Verisign are not ‘quite right’. You will get the error:
Error: 000004c0, The format of the specified password is invalid.
No, the password wasn’t wrong. No, this wasn’t the Win XP vs. Win 2K password length issue (that happened last year 🙂 ).
I couldn’t figure out the issue, so I searched and searched. Then I tried some great software from the http://www.openssl.org/ folk and a helpful person who wrote a great FAQ on PKCS#12/PFX. This person also wrote a document describing the PVK file format. The trick is to use the PVK convert tool written by this person (also on that page) to convert your Verisign PVK to a STRONG PVK. Then I could import the keys using pvkimprt.exe without a problem.
C:\pvk>pvk -in verisign.PVK -out new.pem
Enter Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

C:\pvk>pvk -in new.pem -strong -out new.pvk -topvk
Enter PEM pass phrase:
Enter Password:
Verifying - Enter Password:

C:\pvk>PVKIMPRT.EXE verisign.SPC new.pvk

C:\pvk>
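An added example, not from the original post or the pvk tool: a Python check that reports whether a PVK file's key blob is encrypted with the full 128-bit RC4 key or the 40-bit export-grade one, so you can confirm a conversion before running pvkimprt. It assumes that this is what `-strong` changes and that the layout matches the one OpenSSL's PVK reader parses (24-byte header, salt, key blob with an 8-byte clear BLOBHEADER, RC4 key taken from SHA-1 of salt plus password). `pvk_strength` and `make_sample_pvk` are hypothetical names, and the sample file is constructed.

```python
import hashlib
import struct

PVK_MAGIC = 0xB0B5F11E  # first header field, little-endian on disk

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encrypting and decrypting are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def pvk_strength(pvk: bytes, password: bytes) -> str:
    """Return 'unencrypted', 'strong' or 'weak'; raise ValueError otherwise."""
    if len(pvk) < 24:
        raise ValueError("too short for a PVK header")
    magic, _, _, encrypted, saltlen, keylen = struct.unpack_from("<6I", pvk)
    if magic != PVK_MAGIC:
        raise ValueError("not a PVK file")
    if not encrypted:
        return "unencrypted"
    salt = pvk[24:24 + saltlen]
    blob = pvk[24 + saltlen:24 + saltlen + keylen]
    if len(blob) != keylen or keylen < 12:
        raise ValueError("truncated key blob")
    full = hashlib.sha1(salt + password).digest()[:16]
    # The weak form keeps 5 key bytes (40 bits) and zeroes the other 11.
    for label, key in (("strong", full), ("weak", full[:5] + b"\x00" * 11)):
        if rc4(key, blob[8:12]) == b"RSA2":  # RSA private key magic
            return label
    raise ValueError("wrong password or not an RSA key")

def make_sample_pvk(password: bytes, strong: bool) -> bytes:
    """Constructed sample: zero bytes stand in for the real key material."""
    salt = bytes(range(16))
    key = hashlib.sha1(salt + password).digest()[:16]
    if not strong:
        key = key[:5] + b"\x00" * 11
    head = struct.pack("<BBHI", 7, 2, 0, 0x2400)  # clear BLOBHEADER
    blob = head + rc4(key, b"RSA2" + b"\x00" * 32)
    return struct.pack("<6I", PVK_MAGIC, 0, 2, 1, len(salt), len(blob)) + salt + blob
```

Run `pvk_strength(open("new.pvk", "rb").read(), b"your password")` on a build machine you control; the password is needed because the strength only shows when the blob is decrypted.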
May this post save you hours of frustration in your quest toward automation!