Convert .pfx (p12) certificate to a .pvk + .spc

Steps required to convert .pfx (p12) to .pvk + .spc

Follow all of these steps carefully to convert your .PFX (p12) certificate to a .pvk + .spc combination on Windows®

Microsoft® Wizard

Use the Microsoft® export wizard with the following options:

• Export Private Key

• DO NOT TICK "include all certificates in the certification path if possible"

• TICK "enable strong protection"

• DO NOT TICK "delete private key"

• Prerequisite: OpenSSL

Note: If you are running Windows® you may download OpenSSL here [4]. Otherwise, you can find compiled binaries directly from the OpenSSL [4] website or consult your Operating System's package management feature.


Extracting the private key

• Extract your private key from the pfx file: -> openssl pkcs12 -in (pfx-file) -nocerts -nodes -out (pem-key-file)

• Example: ->openssl pkcs12 -in SOMETHING.pfx -nocerts -nodes -out SOMETHING.PEM

The PFX password will be asked.

• Download the PVK transform utility. This file can be found here [5]: -> pvk -in(pem-key-file) -topvk -out (pvk-file)

• Example: -> pvk -in SOMETHING.PEM -topvk -out SOMETHING.pvk

• Extract your certificates from the PFX file: -> openssl pkcs12 -in (pfx-file) -nokeys -out (pem-certs-file)

  • Example: -> openssl pkcs12 -in SOMETHING.pfx -nokeys -out SOMETHING_CERTS.pem

The PFX password will be asked.

• Transform your PEM file to a SPC file
  -> openssl crl2pkcs7 -nocrl -certfile (pem-certs-file) -outform DER -out (spc-file)

• Example: -> openssl crl2pkcs7 -nocrl -certfile SOMETHING_CERTS.pem -outform DER -out SOMETHING.SPC

Using the Microsoft® Authenticode® Certificate

In order to use the Microsoft® Authenticode® Certificate to sign VBA projects you will need to import the .pvk and .spc file into your registry using a tool called pvkimprt and then export the keys as a .pfx file which you can import into your browser, this will then allow you to add the signature to the VBA Macros using the Visual Basic editor.

To download pvkimprt.exe directly from Microsoft®, see the following url: http://www.microsoft.com/downloads/details.aspx?FamilyID=f9992c94-b129-4... [6] or download it from here [7].

The pvkimprt.exe is a self extracting file, with the same name as the tool you will use to import the files. Make sure you install the file before running the pvkimprt command.


Importing the files

To import the files using pvkimprt.exe, you must reference the full path for your .spc and .pvk files.

You will then be prompted for the Private Key password you specified when you generated the Private Key file.

• Once the keys have been imported into the registry you will need to export the private key and certificate attached together as a .pfx file using the pvkimprt tool.

• To export the keys as a .pfx file using pvkimprt.exe: c:\pvkimprt -pfx cert.spc key.pvk

• It will bring up the export wizard, in the first window tick 'Yes' to export the private key, in the second window untick the option 'Enable strong protection..' and tick the option 'Include all certificates in the certification path if possible', then click next, in the third window specify a private key password (do not forget it), in the forth window click 'browse' and save the file to your desktop, click next and finish

• Once done, go to your IE properties, click on Tools > internet options > content > certificate > remove, and remove the certificate from the Personal Certificate store. Once completed import the backup file(.pfx) you created above into your IE browser. Then go to Tools > internet options > content > certificates > import, import the backup file(.pfx), during the import process mark the private key as exportable

Signing with the Vidual Basic Editor

To sign the files using the Visual Basic Editor:

• Open up the Visual Basic Editor

• Highlight the project you wish to sign

• Select the Tools > Digital Signature option

• Choose 'My Organization' as the certificate you wish to use for signing, but make sure that the 'you have a private key corresponding to this certificate' text appears

• Click "Ok"

• Go to the File click "Save" and save the file before exiting the VB Editor

VBA signing Office 2k & XP VBA Macros

Signing Microsoft Office 2k & XP VBA Macros with a Digi-Sign Digi-Code™

This document details the process needed to sign Microsoft Office 2K & XP VBA macros with a Digi-Sign Digi-Code™ certificate including a worked example. All web links are provided for illustration purposes only, and are correct at time of publishing. It is recommended that the user checks for any updates that may become available since the publishing of this document.

Pre-requisites:

• Microsoft's tool to import PVK files:

http://www.microsoft.com/downloads/details.aspx?familyid=F9992C94-B129-4... [8]
(pvkimprt.exe)

• Your code signing certificate from Digi-Sign (as PVK and SPC files).

Preparation:

Download the PVK import tool from Microsoft (pvkimport.exe).
http://www.microsoft.com/downloads/details.aspx?familyid=F9992C94-B129-4... [8]

Obtain your code signing certificate from Digi-Sign here.

Procedure:

1. Install pvkimport you downloaded from Microsoft. Remember the paths to where you installed it (c:\codesign\). You may also copy your certificate and key files to this directory (mycert.spc & mykey.pvk).

2. Open a command-prompt and change to the folder where you installed pvkimport. (c:\codesign\).

3. Combine your SPC and PVK certificate/key files that you received from Digi-Sifn into a PFX file using pvkimport: (c:\codesign> pvkimprt –pfx c:\codesign\mycert.spc c:\codesign\mycert.pvk)
This will start a wizard.

Enter a password [PIN Code]
Choose options:

• Yes, Export the Private Key (check) and click Next
• Include all Certificates in Path if possible (check) and click Next
• Re-enter the password [PIN Code] and click Next
• Choose path and file name (c:\codesign\mycert.pfx) and click Next
• Click Finish.

4. Install your Digi-Code™ certificate in Windows registry.

• Locate the saved PFX file using your favourite file browser
• Double click the PFX file
• Follow the installation wizard
• Enter a password [PIN Code]
• Clinck Next and Finish

5. You can check the private key has been imported successfully by using MMC. Open MMC, select add/remove snap in and select certificates for your personal certificate store. Opening your code signing certificate should show code signing usage and that you have the private key corresponding to the certificate.

6. Within your MS Office document, open the Visual Basic editor from the Tools – Macro
menu.

7. Open the VBA project you wish to sign, and select Digital Signature from the Tools menu.

8. Select Chose from the Digital Signature window and choose your code signing certificate that you
wish to use to sign your VBA macro.

9. Click OK followed by Save, close to return to your Office document. Your macro is now digitally signed.