Whipped cream, Microsoft Authenticode, pvkimprt.exe, Error: 000004c0, and other delights…

Hey,

If you are dealing with automated builds, and you want to sign your code without typing the password every time, you will find yourself using the ancient pvkimprt tool.

Why?

Because you need to import the public signed certificate with its password-encrypted private key into the Microsoft Certificate Store Provider (aka the CSP, aka somewhere in the registry). You will use pvkimprt to do this. Then you can use the signcode utility to sign executables without having to type your password in each time. This is necessary for automated builds, and can be ok if the machine is secure.

We got our certs from Verisign (as you can read on the cert), and for some reason, I couldn’t use pvkimprt to get the certs and keys into the CSP. It turns out that the keys generated by Verisign are not ‘quite right’. You will get the error:

Error: 000004c0, The format of the specified password is invalid.

No, the password wasn’t wrong. No, this wasn’t the Win XP vs. Win 2K password length issue (that happened last year 🙂 ).

I couldn’t figure out the issue, so I searched and searched. Then I tried some great software from the http://www.openssl.org/ folk and a helpful person who wrote a great FAQ on PKCS#12/PFX. This person also wrote a document describing the PVK file format. The trick is to use the PVK convert tool written by this person (also on that page) to convert your Verisign PVK to a STRONG PVK. Then I could import the keys using pvkimprt.exe without a problem.

For example:

C:\pvk>pvk -in verisign.PVK -out new.pem
Enter Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

C:\pvk>pvk -in new.pem -strong  -out new.pvk -topvk
Enter PEM pass phrase:
Enter Password:
Verifying - Enter Password:

C:\pvk>PVKIMPRT.EXE verisign.SPC new.pvk

C:\pvk>

Done!

May this post save you hours of frustration in your quest toward automation!
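To check whether a given PVK needs the conversion above before handing it to pvkimprt.exe, here is an added example (not part of the original post, and not code from the pvk tool). It assumes the PVK layout read by OpenSSL's PVK support (24-byte header, salt, key blob with an 8-byte clear header, RC4 key taken from SHA-1 of salt plus password) and that "strong" means the full 128-bit RC4 key rather than the 40-bit one; the function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

PVK_MAGIC = 0xB0B5F11E            # first little-endian dword of a PVK file
BLOB_MAGICS = (b"RSA2", b"DSS2")  # plaintext tag right after the 8-byte blob header

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pvk_protection(pvk: bytes, password: bytes) -> str:
    """Return 'none', 'strong', 'weak' or 'bad-password' for a PVK image."""
    if len(pvk) < 24 or struct.unpack_from("<I", pvk)[0] != PVK_MAGIC:
        raise ValueError("not a PVK file")
    _, _, _keytype, encrypted, salt_len, key_len = struct.unpack_from("<6I", pvk)
    body = pvk[24 + salt_len:24 + salt_len + key_len]
    if len(body) != key_len or key_len < 12 or (encrypted and not salt_len):
        raise ValueError("truncated or inconsistent PVK")
    if not encrypted:
        return "none"
    key = hashlib.sha1(pvk[24:24 + salt_len] + password).digest()[:16]
    probe = body[8:12]  # the blob header is in the clear; encryption starts here
    if rc4(key, probe) in BLOB_MAGICS:
        return "strong"                  # all 128 key bits used
    if rc4(key[:5] + bytes(11), probe) in BLOB_MAGICS:
        return "weak"                    # 40 key bits, remaining 11 bytes zeroed
    return "bad-password"

def make_sample(password: bytes, weak: bool) -> bytes:
    """Constructed test image (dummy key material, not a real key)."""
    salt, blob = b"constructed-salt", b"\x07\x02\x00\x00\x00\x24\x00\x00RSA2" + bytes(32)
    key = hashlib.sha1(salt + password).digest()[:16]
    key = key[:5] + bytes(11) if weak else key
    body = blob[:8] + rc4(key, blob[8:])
    return struct.pack("<6I", PVK_MAGIC, 0, 2, 1, len(salt), len(body)) + salt + body

if __name__ == "__main__":
    for weak in (True, False):
        print(pvk_protection(make_sample(b"example-pass", weak), b"example-pass"))
```

Run against the bytes of a real file with `pvk_protection(open("new.pvk", "rb").read(), password)`; a result of `weak` or `none` on a build machine means the private key is only as protected as the file system it sits on.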


9 Responses to Whipped cream, Microsoft Authenticode, pvkimprt.exe, Error: 000004c0, and other delights…

  1. Steve says:

    I found this article five minutes after attempting an import of a new cert with pvkimprt.exe. Without it, I may have spent years solving the problem. Thanks very much.

  2. dru says:

    BTW, a little explanation about the title. The title is a take on the old Herb Alpert album, ‘Whipped Cream and Other Delights’. It is probably one of the more notable album covers of all time. One last note, Soul Asylum did an album with a similar take called ‘Clam Dip and Other Delights’… and it too is quite interesting visually.

  3. Sam Burns says:

    Hi, as with the other poster I found your website on the first google results page. Thanks for posting these details – great help. I tried the signcode app with the same password I was supplying to pvkimprt.exe so I knew the password was ok.

    Cheers.

  4. Hi, I also have the same error, and got redirected to this page by an employee at Verisign. My question is: does there exist a tool that is already compiled for Windows and ready to use, so that people with no C++, Perl or C experience have a chance to generate a Strong PVK? If so, please let me know.

  5. dru says:

    Hi Carsten,

    I don’t know of any such tool. If you find one, please send a link.

  6. MIke says:

    You’re a lifesaver! Saved me countless hours!

  7. Jeremy says:

    Hi, I keep getting the same “Error: 000004c0, The format of the specified password is invalid” pvkimprt error. I am 100% certain that the password is correct since I use the same password with MS signtool with the same spc and pvk files!

    Any pointers/ideas?

  8. Pingback: Create a Code Signing Certificate on Windows Server 2008 with OpenSSL and pvkimprt | Web Active Directory Blog

  9. Cris Mooney says:

    Thank you, no doubt saved me hours. Last time I signed with Thawte their site automatically saved my “pvk”, but this year I missed it – or did not do it. When I exported my “pfx” as from IE “Tools -> Internet Options -> Content -> Certificates” with “Yes export private key” to get my “pfx” (which openssl can convert to pem for pks – https://support.godaddy.com/help/article/6034/converting-an-exported-pfx-code-signing-file-to-pvk-and-spc-files-using-windows) the IE export defaulted to “Enable strong protection”, which must not have been the default before. A nightmare each year, I thank you for your post!
