That is the version of ZXPSignCmd I used.
Just to make sure I redownloaded it, but still the same result.
As far as I know, ZXPSignCmd only supports .p12 certificate.
The filename extensions .p12 and .pfx are just different extensions for the PKCS#12 file format (see Wikipedia - PKCS 12 for more details).
If my .pfx would have been an invalid certificate format ZXPSignCmd instead would have read:
Error - Could not read certificate file. Please check that any certificate file(s) are valid and that any supplied passwords
Renaming my .pfx to .p12 didn't help either. So, the filename extension shouldn't matter in that case.
The OpenSSL output for my certificate and a self-signed certificate from ZXPSignCmd also look quite similar.
Is there a hidden verbose/debug/developer flag for ZXPSignCmd to get more information about what exactly fails?
Given what you've said, I suspect the problem may be that your PFX file either does not contain the complete certificate chain, or does not contain the private key to be used for signing.
Given that you're on Windows, this should be fairly easy to rectify by re-exporting your PFX file.
In Internet Explorer, go to Internet Options, click on the Content tab and then Certificates.
Find the signing certificate (probably listed under Personal), click on it and then click Export.
A wizard will appear - select "Yes, export the private key", and when asked to select a format choose PKCS #12 (.PFX). Check the box "Include all certificates in the certification path if possible", and then choose a password.
The exported PFX file can be renamed to P12 to use with ZXPSignCmd (along with your new chosen password).
If any of this doesn't work, let us know what went wrong and we'll try to get to the bottom of it.
I already tried a newly exported PFX with the mentioned flags set. Both the original PFX I got from GlobalSign and the new exported one weren't working.
Does it matter if I use Internet Explorer or the Certificate Manager (certmgr.msc) for export?
Out of curiosity I used OpenSSL to convert my PFX to PEM for human readability and as far as I can tell all 3 necessary certificates were included.
And as I said the OpenSSL PKCS#12 info output for my PFX looks valid, too. Certificate bag is mentioned 3 times which I assume corresponds with the 3 certificates (for self-signed certificates it is listed only once).
Maybe there are colliding root certificates and the export chose the wrong one. Is that possible?
No, it doesn't matter - using Certificate Manager should also have worked.
I don't think the issue is that the wrong root certificate has been chosen, otherwise we'd be seeing a different error. In the PEM file you exported, I would expect to see several certificate sections, each starting with BEGIN CERTIFICATE and ending with END CERTIFICATE. Just above each certificate's "BEGIN CERTIFICATE" line should be "subject" and "issuer" - the last certificate (at the bottom of the PEM file), should have your personal certificate name as the subject. Then, working upwards, each certificate should have an "issuer" which matches the "subject" of the certificate above it.
The first certificate in the PEM file should have the same value for "subject" and "issuer" - identifying the certificate authority's root certificate.
Also in the PEM file I'd expect to see a section "BEGIN RSA PRIVATE KEY"...."END RSA PRIVATE KEY".
Does this all match what you're seeing?
Assuming your PEM file looks OK, you could try using OpenSSL to convert it to PKCS12 format, using the command:
openssl pkcs12 -export -in my_pem_file.pem -out my_pkcs12_file.p12
Also, please ensure that you're using only ASCII characters in your P12 password, just in case that's causing problems.
I'm currently not at my machine so I can't check. But if I remember correctly my personal certificate was listed first, then the code signing certificate from GlobalSign below it and the root certificate from GlobalSign last. I'm not sure about the PRIVATE KEY section but I think it was there.
If the ordering of the certificates might be an issue I can try to reorder it in the PEM and then convert it to PKCS12. Not sure if that will work.
Thanks for the link, I will try that. Maybe the Mozilla certificate export does something slightly different than Microsoft's.
Interesting, the internal order of the certificates really does matter. I reordered the certificate sections in my PEM file and converted it back to PKCS12 and now it works.
I also tried the certificate export via Firefox following the instructions OMFguy2 posted. That also worked.
I took a look into a PEM version of the Mozilla certificate and it showed the same certificate section order as my adapted PEM. Only the private key section position was different, which doesn't seem to be a problem.
So, Microsoft seems to export the certificates in the following order:
Personal Certificate -> GlobalSign Code Signing Certificate -> GlobalSign Root Certificate
whereas Mozilla's and my adapted order is:
GlobalSign Root Certificate -> GlobalSign Code Signing Certificate -> Personal Certificate
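As an added example (not code from this thread, from Adobe, or from ZXPSignCmd), the Python script below automates the two checks described earlier in the thread and the fix that worked in the end: it reads the `subject=` / `issuer=` lines that `openssl pkcs12 -in cert.pfx -nodes` prints above each certificate, verifies that each certificate's issuer matches the subject of exactly one other certificate up to a single self-signed root, and rewrites the bundle in the root-first order (Root -> Code Signing -> Personal) with the private key last. The embedded sample bundle is constructed for the example, with placeholder certificate and key bodies rather than real key material, and the script name `reorder_chain.py` is hypothetical.

```python
import re
from typing import Dict, List

# Constructed sample input in the shape of `openssl pkcs12 -in cert.pfx -nodes`
# output: three certificates in the leaf-first order described for the Windows
# export, plus the private key. Certificate and key bodies are placeholders
# (base64 of short marker strings), not real key material.
SAMPLE_PEM = """Bag Attributes
    localKeyID: 01
subject=CN=Example Developer, O=Example Corp
issuer=CN=Example CodeSigning CA, O=Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN=Example CodeSigning CA, O=Example CA
issuer=CN=Example Root CA, O=Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRF
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN=Example Root CA, O=Example CA
issuer=CN=Example Root CA, O=Example CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItUk9PVA==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItS0VZ
-----END PRIVATE KEY-----
"""

# One certificate: the subject/issuer lines openssl prints, then the PEM block.
CERT_RE = re.compile(
    r"subject=(?P<subject>[^\n]*)\n"
    r"issuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.S,
)
# The private key block; the optional prefix covers "RSA PRIVATE KEY" and
# "EC PRIVATE KEY" as well as the PKCS#8 "PRIVATE KEY" form.
KEY_RE = re.compile(
    r"-----BEGIN ((?:RSA |EC )?)PRIVATE KEY-----\n.*?-----END \1PRIVATE KEY-----\n",
    re.S,
)


def parse_certs(pem_text: str) -> List[Dict[str, str]]:
    """Return the certificates in file order as dicts with subject/issuer/pem."""
    return [m.groupdict() for m in CERT_RE.finditer(pem_text)]


def order_chain(certs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Order root first, then each cert whose issuer is the previous subject.

    Raises ValueError when there is not exactly one self-signed root or when a
    link in the chain is missing (an export that dropped an intermediate),
    which is the other failure mode discussed in the thread.
    """
    roots = [c for c in certs if c["subject"] == c["issuer"]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    ordered = [roots[0]]
    remaining = [c for c in certs if c is not roots[0]]
    while remaining:
        parent = ordered[-1]["subject"]
        children = [c for c in remaining if c["issuer"] == parent]
        if len(children) != 1:
            raise ValueError(f"chain broken below subject {parent!r}: "
                             f"{len(children)} candidate(s)")
        ordered.append(children[0])
        remaining.remove(children[0])
    return ordered


def reorder_pem(pem_text: str) -> str:
    """Rewrite a PEM bundle root-first, keeping the subject/issuer lines, key last."""
    ordered = order_chain(parse_certs(pem_text))
    key = KEY_RE.search(pem_text)
    if key is None:
        raise ValueError("no PRIVATE KEY section found; export the private key too")
    parts = [f"subject={c['subject']}\nissuer={c['issuer']}\n{c['pem']}" for c in ordered]
    parts.append(key.group(0))
    return "".join(parts)


if __name__ == "__main__":
    import sys
    # Usage: python reorder_chain.py chain.pem > ordered.pem
    sys.stdout.write(reorder_pem(open(sys.argv[1]).read()))
```

The intended round trip is `openssl pkcs12 -in cert.pfx -nodes > chain.pem`, then `python reorder_chain.py chain.pem > ordered.pem`, then the `openssl pkcs12 -export -in ordered.pem -out ordered.p12` step from earlier in the thread; OpenSSL's PEM reader ignores the plain-text lines between blocks, so the retained `subject=` / `issuer=` lines do no harm. Running the script on an already ordered bundle returns it unchanged, so it is safe to run on a Mozilla-style export as well.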
Thanks very much for explaining what worked for you - glad you managed to get the problem sorted in the end.
Newer builds of ZXPSignCmd do attempt to re-order certificates before signing to overcome this kind of problem, but it appears there are still some cases where it's not able to. I'm surprised to hear the ordering of the certificates exported by Windows was the reverse of what was required - exporting with Windows is usually a simple way of ensuring the order is correct (compared to exporting with Mac OS, which doesn't change the order at all). It's also useful to know that you had success with Mozilla.