Convert Microsoft Authenticode or Microsoft Organizational certificate to PVK and SPC files

Solution ID:    SO8052    Updated:    06/10/2014

Problem

If the Microsoft Authenticode or Microsoft Organizational certificate has been order and installed on a PC that runs Windows Vista or Windows 7, the certificate will be installed directly into the certificate store in Internet Explorer. Under certain circumstances, the signing software might still require the certificate to be in two separate files: the .pvk (private key) and .spc (the public key) files.

myprivatekey.pvk and mycredentials.spc not created

Export and convert browser installed Microsoft Authenticode certificate to separate .pvk and .spc files

Export and convert browser installed Microsoft Organizational certificate to separate .pvk and .spc files

Convert .pfx (PKCS#12) to .pvk and .spc

Solution

To convert a browser installed Microsoft Authenticode or a Microsoft Organizational certificate to separate .PVK and .SPC files, please follow one of the methods below. 

Note: If the Code Signing ID cannot be exported with the private key (this is required to obtain the .pfx file), then you will need to replace the certificate. Please see solution SO1737 for replacing a Code Signing ID.

Method 1:  Automated Procedure (batch job)

Step 1: Export the certificate from Internet Explorer into a .pfx file
 
  1. From the menu bar, click on Tools > Internet Options.
  2. Click the Content tab
  3. Click the Certificates button
  4. In the Personal tab, select the certificate to export
  5. Click Export.
  6. Click Next.
  7. Select the Yes, export the Private Key option
  8. Click Next.
    Note:
    Manually check the option box "Include all certificates in the certification path if possible."
  9. Click Next.
  10. Enter the password to protect the certificate and private key being exported. Enter this password again to confirm then click Next
  11. Browse to the directory to store the file and enter "authenticode" as file name
    Note: Under this batch process, the file name must be "authenticode"
  12. Click Save and then Next.
  13. Click Finish.
  14. A confirmation message will display: "The export was successful."
  15. Click OK.
     

A file named authenticode.pfx will be created.

 
Step 2: Convert the .pfx file to separate .pvk and .spc files

Download the attached pfx_to_pvk_and_spc.zip file below. Unzip the folder to a location and also save the authenticode.pfx file to this location.

Then using the command line, path to the location of the utilities and .pfx file and run

convert authenticode.pfx

This will generate the myprivatekey.pvk and mycredentials.spc files automatically.


Method 2:  Manual Procedure using OpenSSL

The following tools are required for this manual conversion procedure:

OpenSSL (www.openssl.org)

PVK Conversion Tool (http://www.drh-consultancy.demon.co.uk/pvk.html)

The pfx_to_pvk_and_spc.zip file at the bottom of this solution, contains the required tools for the conversion.
 
NOTE: These tools were not created nor are they supported by Symantec.

 
Step 1: Export the certificate from Internet Explorer into a PFX file
 
To export the certificate from Internet Explorer into a PFX file, see Method 1 - Step 1 above.
 
 
Step 2: Export the Private and Public Key
 
To export the private and public key in Base-64 format, run the following command, using OpenSSL:
 
openssl pkcs12 -in [filename].pfx -nocerts -nodes -out [filename].key

openssl pkcs12 -in [filename].pfx -nokeys -out [filename].txt
 

Step 3: Convert the Private Key to Microsoft PVK format

To convert the private key file into the Microsoft PVK format, run the PVK conversion tool as follows:
 
pvk -in [filename].key -topvk -strong -out [filename].pvk
 

Step 4: Export the Public Key

To convert the public key to the required SPC format, run the following command, using OpenSSL:

openssl crl2pkcs7 -nocrl -certfile [filename].txt -outform DER -out [filename].spc

Attachment

pfx_to_pvk_and_spc.zip
0Bytes • < 1 minute @ 56k, < 1 minute @ broadband


Legacy ID

vs45201

Disclaimer:

Terms of use for this information are found in Legal Notices

Contact Support

Find Answers

Languages

This article is available in the following languages: