Kevin kcsasquatch wrote:
> I found the following page from Thawte (a certificate authority like
> Verisign) useful.
>
> http://search.thawte.com/thawte/solutionDisplay.do?clusterName=DefaultCluster&groupId=1&docType=1006&docProp=$solution_id&docPropValue=vs25869&gotoLink=0&resultType=5002&directSolutionLink=1

That page is about requesting an authenticode cert using IE, and using it
with Microsoft's Signcode.exe tool. Clearly no consideration was given in
that page to portability of private keys. I believe Thawte also has a page
on how to do that same thing using a mozilla or Netscape browser. If you
can find that page, I might suggest using that as an alternative. If you
get an authenticode cert using a mozilla browser (such as Firefox), then
you can export the cert and private key in a password protected PKCS#12
(pfx) file. Microsoft software will have no difficulty IMPORTING a pfx
file. So that might be a better route to go for key portability. I wonder
if Microsoft's signcode.exe tool requires a pvk file, or if it is able to
use a key in Windows' key store.

> It indicates that the .pvk file will be provided by Thawte when they
> fulfill your certificate request.

Actually, the pvk file is generated right on your PC when you use Thawte's
page for generating a CSR with IE, and Thawte never gets a copy of it.

> Sorry I can't be of more help.

You helped plenty. Thanks.

Kaspar Brand wrote:
> ... a .pvk file is created when XEnroll's PVKFileName property is set -
> see http://msdn2.microsoft.com/en-us/library/aa383187.aspx which says
>> Historically, Authenticode has exported the private key to a .pvk
>> file on a disk and removed the keys from the registry. By default,
>> private keys are not generated for exportation, ... specifying a
>> non-NULL value for the PVKFileName property causes the private keys
>> to be generated as exportable and the private and public keys to be
>> written to the file specified by the PVKFileName property. The
>> private key is removed from the CSP. The file name specified by the
>> property can be any accessible file. By default, no .pvk file is
>> generated, and the keys are not generated as exportable.

However, that page also says:

> Alternatively, the user could determine the current value of the
> CRYPT_EXPORTABLE bit in the GenKeyFlags property and then perform a
> bitwise-OR operation [... to] specifically set the CRYPT_EXPORTABLE
> bit when updating the GenKeyFlags property.

If a VBScript page did that, then the resulting key would be trivially
exportable to a PKCS#12 file with Windows' cert manager. I'd recommend
that anyone writing VBScript to create key pairs for cert enrollment do
that, so that the private key and cert can readily be exported in a pfx
file.

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
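As an added illustration of the two XEnroll routes discussed in the thread (not code from the thread, from Thawte or from Microsoft): the first block generates the key pair the way the Thawte/IE page does, so the private key leaves the CSP into a .pvk file; the second sets the CRYPT_EXPORTABLE bit in GenKeyFlags instead, so the key stays in the Windows key store and can later be exported to a pfx with the cert manager. It assumes XEnroll is reachable through the ProgID "CEnroll.CEnroll.2", that CRYPT_EXPORTABLE is 0x1 as in wincrypt.h, and uses a constructed subject name and the code-signing EKU OID 1.3.6.1.5.5.7.3.3.

```vbscript
' Assumption: XEnroll (the IE-era enrollment control) is registered as this ProgID.
Set Enroll = CreateObject("CEnroll.CEnroll.2")

Const CRYPT_EXPORTABLE = &H1          ' wincrypt.h value, assumed here
strDN    = "CN=Example Publisher, O=Example Corp"   ' constructed sample subject
strUsage = "1.3.6.1.5.5.7.3.3"                      ' code-signing EKU OID

' --- Route 1: what the Thawte/IE page effectively does ---------------------
' Setting PVKFileName makes the key exportable only long enough to write it
' to disk; the private key is then removed from the CSP, leaving a bare .pvk
' file that Microsoft tools need but that Mozilla/NSS cannot import directly.
' Enroll.PVKFileName = "C:\path\to\mykey.pvk"       ' placeholder path, not used below

' --- Route 2: keep the key in the key store, but mark it exportable --------
' Read the current flags, OR in CRYPT_EXPORTABLE only if it is not already
' set, and leave PVKFileName untouched so nothing is written to disk.
flags = Enroll.GenKeyFlags
If (flags And CRYPT_EXPORTABLE) = 0 Then
    Enroll.GenKeyFlags = flags Or CRYPT_EXPORTABLE
End If

' Generate the key pair in the CSP and build the PKCS#10 request to send
' to the CA. After the issued cert is installed, cert manager can export
' cert plus private key together as a password-protected PKCS#12 (pfx).
strCSR = Enroll.createPKCS10(strDN, strUsage)
MsgBox "PKCS#10 request (base64):" & vbCrLf & strCSR
```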