català | česky | dansk | deutsch | english | español | français | lingála | magyar | nederlands | norsk | polski | português | svenska


If you got a code-signing certificate from CAcert then you may of realized that because of the way it is imported into the browser the only thing you can get is either a .p12 from Mozilla/Firefox or a .pfx from Internet Explorer. That is what is called a PKCS#12 container file. It contains both your private key and the regular certificates. However most programs require the individual .pvk and .p7b or .spc files in order to digitally sign the file using Authenticode.

This page will describe how you can break down the .p12/.pfx file into the individual .pvk and .p7b/.spc files for use with Authenticode. Protect these files. The one major problem with .pvk files is that the key is not password protected. However if you ever purchased a code-signing certificate from thawte then that is how it is presented to you; as 2 individual files.

These instructions will be written from a Windows users perspective. For linux users please replace DOS command prompt with whatever shell you normally use. These instructions will be equally useful for linux users.

Required Files

For these steps you will need the following files:

OpenSSL Version 0.9.7 or higher is recommended. Linux and Unix users should have openssl installed or available as a package. For Windows users you can get an OpenSSL Installer that will install it for you.

pvktool for converting from pem to pvk formats. It is available from the following links for various platforms. All RPMs are signed with Jacco de Leeuw' PGP key. - Win32 Executable From Steven Henson's PVK homepage
The following links are from the original authors own website. - Win32 Executable
pvk-0.12-3jdl.src.rpm - Source RPM (hold 'shift' while clicking link)
pvk-0.12-3jdl.i386.rpm - Fedora Core 4 Binary (hold 'shift' while clicking link)
pvk-0.12-3jdl.i386.rpm - Red Hat 8.0 binary RPM (hold 'shift' while clicking link)
pvk-0.12-3jdl.i586.rpm - Mandrake 10.0 binary RPM (hold 'shift' while clicking link)
pvk-0.12-3jdl.i586.rpm - Mandrake 9.2 binary RPM (hold 'shift' while clicking link)
pvk-0.12-3jdl.i586.rpm - Mandrake 9.1 binary RPM (hold 'shift' while clicking link)

Starting with OpenSSL 0.9.9 this utility probably won't be required anymore. I have been told that pvk export support will be in that version. This wiki will be updated once it is available.

Step 1: Extracting from the PKCS#12

By default the windows installer for openssl places it at C:\OPENSSL so I recommend that you update the path statement and add that directory to it. Obviously if you didn't install there then change it as required. Here is an example command.


PKCS#12 files often have the extension .p12 or .pfx. So let's assume that your PKCS#12 file is called user.pfx. For these instrutions however you should replace user.pfx with whatever the filename of your PKCS#12 file is called. Then you open a DOS command prompt and execute the following commands (lines starting with '#' are comments and should not be entered):

# (Tip: use copy and paste for these commands)
# Extract the user certificate contained within the PKCS#12 file:
openssl pkcs12 -in user.pfx -nokeys -clcerts -out usercrt.pem

# Extract the CA certificate(s) contained within the PKCS#12 file:
openssl pkcs12 -in user.pfx -nokeys -cacerts -out cacrt.pem

# Extract the private key contained within the PKCS#12 file.
openssl pkcs12 -in user.pfx -nocerts -nodes -out userkey.pem

/!\ The resulting file userkey.pem is not encrypted! Don't keep it around for longer than strictly needed!

Step 2: Converting from PEM

At this stage I assume you have three PEM files called userkey.pem (Private Key), usercrt.pem (the user certificate) and cacrt.pem (the CA certificate(s)). The private key will have to be converted to PVK; a Microsoft proprietary format. The certificates are to be converted into PKCS#7. For the PVK conversion, you will need the pvktool utility by Dr. Stephen N Henson, who is a member of the OpenSSL team. He has reverse engineered the PVK format. Unix/Linux source code and a Windows version of the PVK program are available on his PVK information page.

The three PEM files are converted to the intermediate formats witht he following OpenSSL commands:

# Convert the certificate files to PKCS#7:
# (Note: the second keyword is crl2pkcs7 and not cr12pkcs7. Lower case L.)
openssl crl2pkcs7 -certfile usercrt.pem -certfile cacrt.pem -nocrl -outform PEM -out usercrt.p7b

# Convert the private key file from PEM to the Microsoft
# proprietary PVK format (use pvktool utility mentioned on webpage).
pvk -in userkey.pem -topvk -nocrypt -out userkey.pvk

/!\ The resulting file userkey.pvk is not encrypted! Don't keep it around for longer than strictly needed!


Now you are done. That was all there was to it. At this point you can use those two files in any application directly supporting Authenticode. It has been tested in Installshield Package for the Web (if you can find it).

Since the userkey.pem, cacrt.pem, and usercrt.pem files are no longer required, you can delete them now. Especially the first one.


These instructions were taken from with permission from Jacco de Leeuw. They are a composition of Section 5 of that page.

Authenticode (last edited 2015-03-30 21:26:08 by EtienneRuedin)