I’ve had several people ask questions surrounding how to get a pfx file to use for ClickOnce manifest signing when you have purchased a real certificate from a provider like Verisign or Comodo (www.instantssl.com – a great, cheaper alternative that has its root issuer already installed as a trusted root certification authority).
Usually when you purchase a certificate, the process involves going to the provider’s site, such as instantssl.com, providing your contact information online and entering payment information. The certificate issuer must then verify your identity through some means (corporate DUNS number, business license, bank statement, utility bill, etc.). Once they have done that, they will allow you to download and install your certificate through your browser. They should also provide you with a separate download or generation of a .pvk (private key) file that will contain the private key portion of your certificate. They may or may not provide you a download of a .spc or .cer file that just contains the public key portion of your certificate. If they do not provide a download of the .spc file, you may have to export it from your certificate store after the browser installs it as described later in this post.
Step 1: Download and install pvkimprt.exe
If you have a .spc or .cer file and a .pvk file, then you have the pieces you need to create a .pfx file. You will need to download,expand, and install the pfximprt tool,which you can get here:
Generate an install a public/private key pair certificate in your store
To generate a pfx file from an spc/cer and pvk file, do the following:
1. Open a command prompt and run pvkimprt, passing the spc and pvk file:
C:>”C:\Program Files\Pvkimprt\pvkimprt.exe” softinsightcomodo.spc softinsightcomodo.pvk
2. You will be prompted for a password for the pvk file as shown in Figure 1. The password is the one you provided when you ordered the certificate or when the pvk file was issued to you.
- After entering your password and clicking OK, the certificate import wizard will launch as shown in Figure 2.
- Click Next, and you will be prompted as shown in Figure 3 for selecting the store. Just allow it to automatically select the store (the default) and click Next.
- You will then just see the summary as shown in Figure 4, click Finish.
- You should now have a publisher certificate installed into your personal certificate store that contains both the public and private keys for the same certificate. Now you need to export it to a .pfx file that you can back up and use on other machines. Open certmgr by running certmgr.exe from a Visual Studio 2005 command prompt (see Figure 5).
- Find the certificate you just imported (by publisher name) in the list in the Personal tab (selected by default). Press the Export button.
- The first step of the export wizard will be presented (see Figure 6). Press Next.
- The next step asks whether you want to export the private key. If you are generating a pfx file for ClickOnce deployment, the answer here must be yes, which is not selected by default (see Figure 7). Press Next.
- The next step asks what export file format you want, the default is fine (see Figure 8). Press Next.
- The next step asks for a password to protect the pfx file that will be output, use a secure password and be careful who you give it to because this is the last line of defense if someone is able to get their hands on your physical pfx file to prevent them from being able to use it. Enter a password twice and click Next (see Figure 9)
- The next step has you enter the path to the output file. You can press the browse button and navigate to the desired folder and select the file format from the file type drop down, or you can just type in a path (see Figure 10). Press Next.
- You will see the summary screen, press Finish to generate the file (see Figure 11).
- You will see a message box showing that the export was successful (see Figure 12).
At this point you now have a pfx file that you can point to with your Visual Studio project Signing tab properties to sign your ClickOnce manifests. You can share that file with other trusted members of your team and they can use it to sign your applications to put them into production.
Just realize that anyone who gets their hands on that file and knows or can guess the password will be able to sign and publish applications that look like they come from you, so you need to treat those files (particularly the pfx and pvk) very carefully.