Joining GoDaddy-issued .spc and .key files into a complete .pfx / .cer certificate
I have a GoDaddy-issued code signing certificate in a .spc file. Also, I have a private key in a .key file. The code signing certificate was issued some 13 months ago, then it expired and was renewed with GoDaddy. During the renewal process no private key was requested and just a new .spc file was issued.

Now I'm facing the problem of joining the original private key file with the issued certificate to form a .pfx (or .cer?) file suitable for installation into the Windows certificate store.

The command I'm trying is:

    openssl.exe pkcs12 -inkey my.key -in my.spc -out my.pfx -export

However, I'm getting an error message that reads "No certificate matches private key".

I've followed this answer on SO to verify that the .key file is a valid private key. However, when I try to verify that the .spc is a valid certificate, I just get

    unable to load certificate
    5436:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

What's the correct way of producing a .pfx file from my inputs? I'm using OpenSSL 0.9.8k.
Answers (6)
In the end I managed to figure out a procedure that works. Here are the steps to generate a new PFX and CER code signing certificate from SPC and KEY files:

1. Get the CodeSign.spc certificate from GoDaddy.
2. Export a PEM-formatted private key from the expired PFX:
3. Convert the PEM-formatted private key into the PVK format:
4. Combine the PVK and SPC into a PFX:
5. Import the resulting PFX file into the Windows certificate store. Remember to make it exportable.
6. Export the certificate as CodeSign.cer.

In case you are renewing your certificate periodically you can store the PVK file and skip steps (2) and (3).

UPDATE: In case you happen to have the certificate in CRT instead of SPC format, do the following to convert it into SPC:

Sources:

The tools you will need:

pvk.exe — see the download link at the bottom of that page (original location may not be accessible; in such a case see this article with a link to a mirror site or another direct download link here)
pvk2pfx.exe — part of the Microsoft SDKs, installs with Visual Studio 2010
I had a similar issue and I spent at least a few hours searching around for a solution. GoDaddy provided me with .spc and .pem files and I couldn't create a .pfx file out of them using OpenSSL. Finally, I imported the .spc file on my local computer using MMC. Once the certificate was imported on my local machine, I noticed that it brought in GoDaddy's chain file along with the code signing certificate itself.

(Screenshot: MMC view)

Now, select both files and right-click to export as a .pfx file. Supply a password to protect the file and you're done. By far, this is the simplest and most straightforward solution. Hope this post helps many people.
You can create the PFX with openssl only.

Export a PEM-formatted private key from the expired PFX:

Create the PFX:
The current answer post was extremely helpful to me in the final steps of moving from an expired certificate file (.pfx or .p12) to a new one with GoDaddy, but I found it lacking information on the initial steps of how to generate a certificate signing request (CSR) from my original certificate file.

For anyone else looking for similar information, here is what I ended up using...

Get the private key:

Get the certificate:

Beware: this can give you the CA cert.

Better: use this command to print only the client cert:

Then copy the output between:

Save it to a file named certificate.crt.

Now check that the private key and certificate match with the commands:

Then generate a new CSR:

Use the CSR to re-key the certificate.

Download the GoDaddy software publishing certificate (.spc) file.

Verify that the generated certificate matches the request's private key:

Then copy the output between for your certificate (note: the output will also contain CA certs):

Save it to a file named certificate-new.crt.

And run the command:

The output should match the previous call used with the private key and request certificate.

To finish the process, follow the steps outlined in the answer with pvk2pfx.

I also found the schematic diagram in this post quite helpful:

PVK2PFX Error 0x80070490 - Cannot find certificates that match the key
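The two errors in the question have two different causes, and the answers above touch on both: "no start line ... Expecting: TRUSTED CERTIFICATE" appears because `openssl x509` reads PEM by default while a GoDaddy .spc is a DER-encoded PKCS#7 bundle (signing certificate plus chain), and "No certificate matches private key" appears when none of the certificates in that bundle carries the public key belonging to the .key file, which is what happens after a re-key. The script below is an added example, not code from this thread or from GoDaddy: it converts whatever container it is handed (DER PKCS#7, DER X.509 or PEM) to PEM, checks every certificate against the private key by comparing SubjectPublicKeyInfo digests, and only then builds the PFX with the matching certificate as the end-entity and the rest as the chain. It assumes a POSIX shell with OpenSSL 1.0 or later on PATH (for `openssl pkey`); file names are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not code from the thread: build a PFX from a code signing
# certificate delivered as a GoDaddy-style .spc (DER PKCS#7 bundle holding the
# signing certificate plus its chain) and the matching private key.
# Assumes openssl 1.0 or newer on PATH. File names are the caller's choice.

# Print the certificates in a container as PEM, whatever the container is:
# DER PKCS#7 (.spc/.p7b), DER X.509 (.cer), or PEM (.crt/.pem). `openssl x509`
# only reads PEM by default, which is why feeding it an .spc yields
# "no start line ... Expecting: TRUSTED CERTIFICATE".
certs_to_pem() {
    in="$1"
    first=$(head -c 1 "$in" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then                         # 0x30 = ASN.1 SEQUENCE, so DER
        openssl pkcs7 -inform DER -in "$in" -print_certs 2>/dev/null \
            || openssl x509 -inform DER -in "$in"        # not PKCS#7: bare DER certificate
    elif grep -q -- '-----BEGIN PKCS7-----' "$in"; then  # PEM PKCS#7
        openssl pkcs7 -in "$in" -print_certs
    else                                                 # PEM certificate(s)
        cat "$in"
    fi
}

# spc_to_pfx KEY CONTAINER OUT.pfx PASSWORD
# Succeeds only if some certificate in CONTAINER carries the public key that
# belongs to KEY; otherwise reports the mismatch (the cause of openssl's
# "No certificate matches private key") and writes nothing.
spc_to_pfx() {
    key="$1"; container="$2"; out="$3"; password="$4"
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "cannot read private key $key" >&2; return 1; }
    work=$(mktemp -d) || return 1
    certs_to_pem "$container" > "$work/bundle.pem" || { rm -rf "$work"; return 1; }
    # One file per certificate, keeping only the PEM blocks (drops the
    # subject=/issuer= lines that -print_certs emits).
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ {n++; p=1}
                      p {print > (d "/cert" n ".pem")}
                      /-----END CERTIFICATE-----/ {p=0}' "$work/bundle.pem"
    # Compare SubjectPublicKeyInfo digests: works for RSA and EC keys alike,
    # unlike the usual `-modulus` comparison.
    keyfp=$(openssl pkey -in "$key" -pubout | openssl sha256)
    leaf=""
    : > "$work/others.pem"
    for c in "$work"/cert*.pem; do
        [ -f "$c" ] || continue
        certfp=$(openssl x509 -in "$c" -noout -pubkey | openssl sha256)
        if [ -z "$leaf" ] && [ "$certfp" = "$keyfp" ]; then
            leaf="$c"                            # the certificate for our key
        else
            cat "$c" >> "$work/others.pem"       # chain certificates
        fi
    done
    if [ -z "$leaf" ]; then
        echo "no certificate in $container matches $key (was it re-keyed on renewal?)" >&2
        rm -rf "$work"; return 1
    fi
    if [ -s "$work/others.pem" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$leaf" -certfile "$work/others.pem" \
            -out "$out" -passout "pass:$password"
    else
        openssl pkcs12 -export -inkey "$key" -in "$leaf" -out "$out" -passout "pass:$password"
    fi
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: spc_to_pfx my.key my.spc my.pfx 'export-password'
```

A non-zero exit with the "no certificate ... matches" message means the .spc is not for this key: re-key the certificate from a CSR made with the key you actually hold, or recover the key from the old PFX as the answers above describe. If you still prefer the pvk2pfx route, OpenSSL 1.0 and later can write the PVK file itself (`openssl rsa -in key.pem -outform PVK -pvk-none -out key.pvk`), so pvk.exe is only needed on older builds such as the 0.9.8k in the question.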
For anyone still looking for an answer on how to do this, I just spent a day figuring this out and had to do a mix of things listed in this post. If you are using git-bash on Windows, I had to add winpty to the beginning of all calls using openssl or else it would get stuck in the void. The pseudo steps were as follows:
If you generated your certificate request from IIS (I did this on IIS on Windows 2012 Server), follow these steps on the server/PC where you generated the request:

- Open IIS
- Click on the top-level node (server node)
- Open the Server Certificates settings
- Click on "Complete certificate request" under Actions on the right
- Import your .spc file to the server

From here you can then export to a PFX file.