12 Replies Latest reply on Sep 11, 2014 11:40 PM by fgregor

    Signing a package with .pfx code signing certificate

    P.Stelzer Level 1

      Hi,

       

      I've got a code signing certificate (.pfx) from GlobalSign and tried to sign my extension package.

       

      I used the ZXPSignCmd tool and got the following response:

      Unable to build a valid certificate chain. Please make sure that all certificates are included in the certificate file.

       

      The necessary certificate chain is installed on my system (Windows 7):

      My code signing certificate,

the certificate from GlobalSign that signed my certificate,

      and the GlobalSign root certificate that signed it.

       

      The OpenSSL info output for the certificate looks fine too:

      MAC Iteration 2000
      MAC verified OK
      PKCS7 Data
      Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
      PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
      Certificate bag
      Certificate bag
      Certificate bag


      On the other hand signing other files with the Windows SDK Signtool works and results in a correct certificate chain (visible in the file's details).

       

      Any idea what I might be doing wrong?

       

      Regards

      Philipp

        • 1. Re: Signing a package with .pfx code signing certificate
          OMFguy2 Level 1

          you need the 2014 latest version of ZXPSignCmd.

           

          Download Extension Builder 3 - Adobe Labs

           

          bottom of the page.

          • 2. Re: Signing a package with .pfx code signing certificate
            P.Stelzer Level 1

            That is the version of ZXPSignCmd I used.

            Just to make sure I redownloaded it, but still the same result.

            • 3. Re: Signing a package with .pfx code signing certificate
              Carl Sun Level 4

              As far as I know, ZXPSignCmd only supports .p12 certificate.

              • 4. Re: Re: Signing a package with .pfx code signing certificate
                P.Stelzer Level 1

                The filename extensions .p12 and .pfx are just different extensions for the PKCS#12 file format (see Wikipedia - PKCS 12 for more details).

                 

                If my .pfx had been in an invalid certificate format, ZXPSignCmd would instead have reported:

                Error - Could not read certificate file. Please check that any certificate file(s) are valid and that any supplied passwords are correct.

                 

                Renaming my .pfx to .p12 didn't help either. So, the filename extension shouldn't matter in that case.

                The OpenSSL output for my certificate and a self-signed certificate from ZXPSignCmd also look quite similar.

                 

                Is there a hidden verbose/debug/developer flag for ZXPSignCmd to get more information about what exactly fails?

                • 5. Re: Re: Signing a package with .pfx code signing certificate
                  fgregor Adobe Employee

                  Hi Philipp,

                   

                  Given what you've said, I suspect the problem may be that your PFX file either does not contain the complete certificate chain, or does not contain the private key to be used for signing.

                   

                  Given that you're on Windows, this should be fairly easy to rectify by re-exporting your PFX file.

                   

                  In Internet Explorer, go to Internet Options, click on the Content tab and then Certificates.

                   

                  Find the signing certificate (probably listed under Personal), click on it and then click Export.

                   

                  A wizard will appear - select "Yes, export the private key", and when asked to select a format choose PKCS #12 (.PFX). Check the box "Include all certificates in the certification path if possible", and then choose a password.

                   

                  The exported PFX file can be renamed to P12 to use with ZXPSignCmd (along with your new chosen password).

                   

                  If any of this doesn't work, let us know what went wrong and we'll try to get to the bottom of it.

                   

                  Best regards,

                  Fraser

                  • 6. Re: Re: Re: Signing a package with .pfx code signing certificate
                    P.Stelzer Level 1

                    Hi Fraser,

                     

                    I already tried a new exported PFX with the mentioned flags set. Both the original PFX I got from GlobalSign and the new exported one weren't working.

                    Does it matter if I use Internet Explorer or the Certificate Manager (certmgr.msc) for export?


                    Out of curiosity I used OpenSSL to convert my PFX to PEM for human readability and as far as I can tell all 3 necessary certificates were included.

                    And as I said the OpenSSL PKCS#12 info output for my PFX looks valid, too. Certificate bag is mentioned 3 times which I assume corresponds with the 3 certificates (for self-signed certificates it is listed only once).


                    Maybe there are colliding root certificates and the export chose the wrong one. Is that possible?


                    Regards

                    Philipp

                    • 7. Re: Re: Re: Signing a package with .pfx code signing certificate
                      fgregor Adobe Employee

                      Hi Philipp,

                       

                      No, it doesn't matter - using Certificate Manager should also have worked.

                       

                      I don't think the issue is that the wrong root certificate has been chosen, otherwise we'd be seeing a different error. In the PEM file you exported, I would expect to see several certificate sections, each starting with BEGIN CERTIFICATE and ending with END CERTIFICATE. Just above each certificate's "BEGIN CERTIFICATE" line should be "subject" and "issuer" - the last certificate (at the bottom of the PEM file), should have your personal certificate name as the subject. Then, working upwards, each certificate should have an "issuer" which matches the "subject" of the certificate above it.

                       

                      The first certificate in the PEM file should have the same value for "subject" and "issuer" - identifying the certificate authority's root certificate.

                       

                      Also in the PEM file I'd expect to see a section "BEGIN RSA PRIVATE KEY"...."END RSA PRIVATE KEY".

                       

                      Does this all match what you're seeing?

                       

                      Assuming your PEM file looks OK, you could try using OpenSSL to convert it to PKCS12 format, using the command:

                      openssl pkcs12 -export -in my_pem_file.pem -out my_pkcs12_file.p12


                      Also, please ensure that you're using only ASCII characters in your P12 password, just in case that's causing problems.


                      Best regards,

                      Fraser

                      • 8. Re: Re: Re: Signing a package with .pfx code signing certificate
                        OMFguy2 Level 1

                        I did what Fraser said and it worked for me.

                         

                        Did you try this:

                         

                        http://www.multunus.com/blog/2010/02/convert-code-signing-certificates-from-pfx-to-p12-format/

                        • 9. Re: Re: Re: Signing a package with .pfx code signing certificate
                          P.Stelzer Level 1

                          I'm currently not at my machine so I can't check. But if I remember correctly my personal certificate was listed first, then the code signing certificate from GlobalSign below it and the root certificate from GlobalSign last. I'm not sure about the PRIVATE KEY section but I think it was there.

                           

                          If the ordering of the certificates might be an issue I can try to reorder it in the PEM and then convert it to PKCS12. Not sure if that will work.

                           

                          Regards

                          Philipp

                          • 10. Re: Re: Re: Signing a package with .pfx code signing certificate
                            P.Stelzer Level 1

                            Thanks for the link, I will try that. Maybe the Mozilla certificate export does something slightly different than Microsoft's.

                            • 11. Re: Re: Signing a package with .pfx code signing certificate
                              P.Stelzer Level 1

                              Interesting, the internal order of the certificates really does matter. I reordered the certificate sections in my PEM file and converted it back to PKCS12 and now it works.

                              I also tried the certificate export via Firefox following the instructions OMFguy2 posted. That also worked.

                               

                              I took a look into a PEM version of the Mozilla certificate and it showed the same certificate section order as my adapted PEM. Only the private key section position was different, which doesn't seem to be a problem.

                               

                              So, Microsoft seems to export the certificates in the following order:

                               

                              Personal Certificate -> GlobalSign Code Signing Certificate -> GlobalSign Root Certificate

                               

                              whereas Mozilla's and my adapted order is:

                               

                              GlobalSign Root Certificate -> GlobalSign Code Signing Certificate -> Personal Certificate
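The chain check Fraser describes in reply 7 and the reordering Philipp did by hand in reply 11, as an added example written for this thread (not part of the original posts and not ZXPSignCmd's or OpenSSL's code). It assumes the PEM carries `subject=` and `issuer=` lines directly above each certificate, as an `openssl pkcs12 -nodes` dump prints them; the sample bundle is constructed, in the leaf-first order Windows exported.

```python
"""Verify and repair the certificate order in a PEM bundle (added example).

Expected order after repair: root -> intermediate(s) -> personal certificate,
i.e. the first certificate is self-issued and every later certificate's
issuer equals the subject of the certificate above it.  The private key
section is kept but its position is not significant."""
import re

# One certificate block preceded by its subject= / issuer= lines.
CERT_RE = re.compile(
    r"subject=(?P<subject>[^\n]*)\nissuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)", re.DOTALL)
KEY_RE = re.compile(
    r"-----BEGIN (?:RSA )?PRIVATE KEY-----\n.*?-----END (?:RSA )?PRIVATE KEY-----\n", re.DOTALL)

# Constructed sample: leaf first, root last (the Windows export order from the thread).
SAMPLE = (
    "subject=CN=Personal Certificate (constructed)\nissuer=CN=GlobalSign CodeSigning CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\nLEAFplaceholder\n-----END CERTIFICATE-----\n"
    "subject=CN=GlobalSign CodeSigning CA (constructed)\nissuer=CN=GlobalSign Root CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEplaceholder\n-----END CERTIFICATE-----\n"
    "subject=CN=GlobalSign Root CA (constructed)\nissuer=CN=GlobalSign Root CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\nROOTplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nKEYplaceholder\n-----END RSA PRIVATE KEY-----\n")

def parse_bundle(text):
    """Return (list of {subject, issuer, pem} in file order, private key block or None)."""
    key = KEY_RE.search(text)
    return [m.groupdict() for m in CERT_RE.finditer(text)], (key.group(0) if key else None)

def chain_is_ordered(certs):
    """The check from reply 7: first cert self-issued, each later cert issued by the one above."""
    if not certs or certs[0]["subject"] != certs[0]["issuer"]:
        return False
    return all(below["issuer"] == above["subject"] for above, below in zip(certs, certs[1:]))

def order_chain(certs):
    """Rebuild root -> ... -> leaf by following issuer links upward from the single leaf."""
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    chain = [leaves[0]]
    while chain[-1]["issuer"] != chain[-1]["subject"]:  # stop at the self-issued root
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None or parent in chain:
            raise ValueError("incomplete chain: no issuer certificate for " + chain[-1]["subject"])
        chain.append(parent)
    return chain[::-1]

def rewrite_bundle(text):
    """Emit the bundle with certificates reordered, ready for `openssl pkcs12 -export`."""
    certs, key = parse_bundle(text)
    parts = ["subject=%s\nissuer=%s\n%s" % (c["subject"], c["issuer"], c["pem"]) for c in order_chain(certs)]
    return "".join(parts + ([key] if key else []))
```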

                              • 12. Re: Re: Signing a package with .pfx code signing certificate
                                fgregor Adobe Employee

                                Thanks very much for explaining what worked for you - glad you managed to get the problem sorted in the end.

                                 

                                Newer builds of ZXPSignCmd do attempt to re-order certificates before signing to overcome this kind of problem, but it appears there are still some cases where it's not able to. I'm surprised to hear the ordering of the certificates exported by Windows was the reverse of what was required - exporting with Windows is usually a simple way of ensuring the order is correct (compared to exporting with Mac OS, which doesn't change the order at all). It's also useful to know that you had success with Mozilla.

                                 

                                Best wishes,

                                Fraser