Convert a code signing certificate from Sectigo/Comodo into a .pfx file that is actually usable

When I tried to download the code signing certificate from Sectigo/Comodo, using Firefox I just ended up downloading a file called CollectCCC, with no file extension. It is not clear to me how to use it to sign a binary. When I try to use it to sign a binary (with /debug on) I get the following:

> .\installation\signtool.exe sign /debug /f 'C:\Users\username\Downloads\CollectCCC' .\DraughtHub_Link.exe

The following certificates were considered:
    Issued to: GoDragons
    Issued by: Sectigo RSA Code Signing CA
    Expires:   Fri Oct 22 00:59:59 2021
    SHA1 hash: <hash>

    Issued to: Sectigo RSA Code Signing CA
    Issued by: USERTrust RSA Certification Authority
    Expires:   Wed Jan 01 00:59:59 2031
    SHA1 hash: <hash>

    Issued to: USERTrust RSA Certification Authority
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

    Issued to: AAA Certificate Services
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

After EKU filter, 4 certs were left.
After expiry filter, 4 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

Part of the problem is that I wasn't able to download their certificate using IE (their recommended way, sigh), because I hadn't created a code signing certificate request using IE. I created the code signing certificate request using openssl.

Here is the error message I got from IE: [image: IE error message]

I tried importing the CollectCCC into IE as well and that failed.

Disclaimer: I would not recommend using Sectigo and/or Comodo for code signing certificates! My experience with them was terrible! It's worth paying more to get a better service.

asked Oct 23 '20 11:10 by gloriphobia



2 Answers

After a lot of googling, I eventually worked out that the CollectCCC file is of type .p7s.

You can convert .p7s files into .pfx files (required to sign binaries) using openssl with the following commands (it's a two-step process):

openssl pkcs7 -inform der -in CollectCCC -print_certs -out CollectCCC.pem
openssl pkcs12 -export -out certificate.pfx -inkey ~/.csr/www.draughthub.com.key -in CollectCCC.pem

where you replace ~/.csr/www.draughthub.com.key with the location of the private key you created to make the code sign certificate request. The second step will prompt you for a password. This is the password you used to create the request (and corresponding private key).

answered Nov 06 '22 18:11 by gloriphobia


I went through this process recently and I also had troubles with this process. After I bought a code signing certificate from Sectigo, I had to:

Step 1. Create a certificate request file (.csr) and the certificate key file (.key). After this you will have 2 files, one with .key extension and one with .csr extension.

openssl.exe req -nodes -newkey rsa:3072 -keyout DESIREDNAME.key -out DESIREDNAME.csr -subj "/C=COUNTRY_CODE/ST=STATE_NAME/L=CITY_NAME/O=ORGANIZATION_NAME/CN=YOUR_DOMAIN_NAME.com"

Step 2. Use the .csr file on Sectigo website to generate your certificate.

Step 3. Download your certificate from the email received from Sectigo. After this step you should have a new file with .crt extension, in my case it was user.crt.

Step 4. Convert the .key and .crt files to a .pfx file for code signing.

openssl.exe pkcs12 -inkey DESIREDNAME.key -in user.crt -export -out mycertificate.pfx

During this process you will be asked to set a password for the .pfx file.

Step 5. Dual sign the file with SHA1 and SHA256.

signtool.exe sign /tr http://timestamp.digicert.com /td sha1 /fd sha1 /f mycertificate.pfx /p MY_CERT_PASSWORD myapp.exe

signtool.exe sign /tr http://timestamp.digicert.com /as /td sha256 /fd sha256 /f mycertificate.pfx /p MY_CERT_PASSWORD myapp.exe

Note that the second call contains the /as parameter to append the signature. Remember, always sign with SHA1 first and append the SHA256 second.

Step 6. Right click your file and select Properties. Check the Digital Signatures tab. Your file should be now digitally signed. Congratulations!

Some side notes:

At Step 1 I used the openssl.exe found in C:\Program Files\Git\usr\bin\openssl.exe, but this one failed at Step 4 with a "can't find certificates" error. I had to install Win64 OpenSSL Light from https://slproweb.com/products/Win32OpenSSL.html, and then Step 4 worked as expected and my .pfx file was finally generated.

I did not have signtool.exe available on my machine, so from Visual Studio Installer I selected to modify the installation and added one of the Windows 10 SDK items from Individual Components. Then I had this file available in C:\Program Files (x86)\Windows Kits\10\bin\10xxxx\x64\signtool.exe.

Can't wait to see those AV false positives go away now that my application is digitally signed :)

answered Nov 06 '22 17:11 by Alexandru Dicu