Sunday, 3 July 2016

Issues in Signing a .NET Assembly using .pfx file


I have procured a code signing certificate with a view to ensure that one of application that we intend to distribute to external users is signed so that the same can be trusted by the end users. I imported the certificate into the certificate store and used it successfully to sign the Click Once Manifest using the Signing tab in the Projec Properties dialog in Visual Studio 2013. But I could not have the assembly signed. I exported the certificate from the store as a .pfx file and tried using it for signing the assembly, but am getting issues like "Private Key not Found", while the Private key is very much present in the .pfx file.

By: Rajkumar David


Visual Studio 2013 has known issues in handling PKCS# 12 certificate files as it cannot handle files with multilpe certificates in the CA certificate chain. Visual studio may not still consider such certificates for signing the assembly because of the KeySpec Parameter, which is usually set as AT_KEYEXCHANGE(1), whereas Visual Studio expects this to be AT_SIGNATURE(2). It is possible that while requesting the certificate, the KeySpec is set as 1 and as such the certificate is generated with the value as 1. You may verify CSR that you have submitted to the CA to check this.

OK, now what do you with that certificate? You have option to import such certificates with KeySpec set as AT_SIGNATUR. The Windows Servers from 2003 onwards have a commandline certificate import utility - certutil.exe. This command allows you to import the certificate with the right KeySpec parameter. Use the following command to do this:

certutil -importPFX -user <pfxfilename> AT_SIGNATURE

After importing the certificate using the above command into the certificate store and then export it back as .pfx file from the store for assembly signing within Visual Studio. This should resolve the given problem.

More on the CertUtil command can be found here.