Tags: openssl, code-signing, code-signing-certificate, codesign, key

Convert a code signing certificate from Sectigo/Comodo into a .pfx file that is actually usable


When I tried to download the code signing certificate from Sectigo/Comodo using Firefox, I just ended up downloading a file called CollectCCC, with no file extension. It is not clear to me how to use it to sign a binary. When I try to use it to sign a binary (with /debug on) I get the following:

> .\installation\signtool.exe sign /debug /f 'C:\Users\username\Downloads\CollectCCC' .\DraughtHub_Link.exe

The following certificates were considered:
    Issued to: GoDragons
    Issued by: Sectigo RSA Code Signing CA
    Expires:   Fri Oct 22 00:59:59 2021
    SHA1 hash: <hash>

    Issued to: Sectigo RSA Code Signing CA
    Issued by: USERTrust RSA Certification Authority
    Expires:   Wed Jan 01 00:59:59 2031
    SHA1 hash: <hash>

    Issued to: USERTrust RSA Certification Authority
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

    Issued to: AAA Certificate Services
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

After EKU filter, 4 certs were left.
After expiry filter, 4 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

Part of the problem is that I wasn't able to download their certificate using IE (their recommended way, sigh), because I hadn't created a code signing certificate request using IE. I created the code signing certificate request using openssl.

Here is the error message I got from IE: [image: IE error message]

I tried importing the CollectCCC into IE as well and that failed.

Disclaimer: I would not recommend using Sectigo and/or Comodo for code signing certificates! My experience with them was terrible! It's worth paying more to get a better service.


Solution

  • After a lot of googling, I eventually worked out that the CollectCCC file is of type .p7s.

    You can convert .p7s files into .pfx files (required to sign binaries) using openssl with the following commands (it's a two step process):

    openssl pkcs7 -inform der -in CollectCCC -print_certs -out CollectCCC.pem
    openssl pkcs12 -export -out certificate.pfx -inkey ~/.csr/www.draughthub.com.key -in CollectCCC.pem

    where you replace ~/.csr/www.draughthub.com.key with the location of the private key you created to make the code signing certificate request. The second step will prompt you for a password. This is the password you used to create the request (and corresponding private key).
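As an added example (not part of the original post), the same two openssl steps wrapped in a POSIX shell script that first checks that the private key really belongs to the leaf certificate in the bundle, since a bundle without a matching key is exactly what leaves signtool with "0 certs" after its Private Key filter. The function names, file paths and the export-password argument are assumptions; an encrypted private key will prompt for its passphrase.

```shell
#!/bin/sh
# Added example: convert a Sectigo-style PKCS#7 (.p7s) bundle into a .pfx,
# but only after verifying the private key matches the leaf certificate.
# Assumes openssl is on PATH. Names and paths are illustrative.
set -eu

# Extract every certificate from a DER-encoded PKCS#7 bundle into PEM.
p7s_to_pem() {  # $1 = input .p7s (DER), $2 = output .pem
    openssl pkcs7 -inform der -in "$1" -print_certs -out "$2"
}

# Succeed only if the public key derived from the private key equals the
# public key of the first (leaf) certificate in the PEM bundle. Comparing
# SHA-256 digests of the DER public keys works for RSA and EC alike.
key_matches_cert() {  # $1 = private key, $2 = PEM bundle
    k=$(openssl pkey -in "$1" -pubout -outform der | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform der | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Build the .pfx (certificate chain + private key) after the key check passes.
build_pfx() {  # $1 = .p7s, $2 = private key, $3 = output .pfx, $4 = export password
    pem="${3%.pfx}.pem"
    p7s_to_pem "$1" "$pem"
    key_matches_cert "$2" "$pem" || {
        echo "private key does not match the leaf certificate in $1" >&2
        return 1
    }
    openssl pkcs12 -export -in "$pem" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Confirm the finished .pfx actually carries a private key, which is what
# signtool's Private Key filter requires.
pfx_has_key() {  # $1 = .pfx, $2 = export password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
```

Run it as `build_pfx CollectCCC ~/.csr/www.draughthub.com.key certificate.pfx 'export-password'` and then `pfx_has_key certificate.pfx 'export-password'` before handing the file to signtool.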