"No signature was present in the subject" error when signing code - windows

I have run into a similar problem to the one encountered here:
How to sign code (.EXE file) with a .SPC or .PEM file from GoDaddy (using Ubuntu)?
I have used both the Mono signcode tool (https://developer.mozilla.org/en-US/docs/Signing_an_executable_with_Authenticode) and osslsigncode (http://sourceforge.net/projects/osslsigncode/files/osslsigncode/) and the executables show a digital certificate present signed with "Go Daddy Class 2 Certification Authority". When I view the certificate details it says "No signature was present in the subject". I have tried with the timestamp server and without the timestamp server and there is no difference. I am running the code on Ubuntu Precise and testing on Windows 7.
Suggestions?

I'm experiencing this same issue with a renewed GoDaddy cert.
I'm on Debian v8 / signing a windows EXE. It's a part of a deploy/publish step.
Using the SPC file from last year, it worked well. With both osslsigncode and Mono's signcode.
Now I get security warnings w/ the "No signature was present in the subject"
To FIX
I re-submitted my original CSR, and after receiving the re-re-issued cert I was able to successfully sign using osslsigncode.
Tested with osslsigncode verify <exe-name>

I ended up getting this to work by using the -pkcs12 <pkcs12 file> argument instead of the -cert <certificate file> and -key <key file> arguments. The .pfx file I used was generated from the exact same .spc and .pvk files I was supplying to osslsigncode, but for whatever reason, it worked while they didn't.

The error message "No signature was present in the subject" can be caused by a mismatch between the private key used for signing and the public key in the certificate.
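
The key/certificate mismatch described in the answer above can be checked before signing. The following is an added example, not part of the original thread: it compares the public key embedded in a certificate with the one derived from a private key, using the openssl CLI. It assumes PEM-encoded files; the function names and the generated sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a private key belongs to a signing certificate
# before handing both to a signing tool. Assumes PEM files and the openssl CLI.

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be read.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# Constructed sample data: two RSA keys and a self-signed certificate
# issued for the first key only.
make_samples() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/signer.key" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/signer.key" -days 1 \
        -subj "/CN=Constructed Test Signer" -out "$1/signer.crt" 2>/dev/null
}

# Turn the return code into a word that is easy to log in a build step.
describe() {
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "MISMATCH" ;;
        *) echo "unreadable" ;;
    esac
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
echo "signer.key vs signer.crt: $(describe "$SAMPLES/signer.crt" "$SAMPLES/signer.key")"
echo "other.key  vs signer.crt: $(describe "$SAMPLES/signer.crt" "$SAMPLES/other.key")"
rm -rf "$SAMPLES"
```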

Related

CertUtil importpfx Keyset does not exist

I have a p12 file, 'test.p12,' that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using the BouncyCastle's C# API.
When trying to import the certificate by using 'CertUtil', i.e., 'CertUtil -f -p password -importpfx test.p12,' CertUtil generates the following error:
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Any clues as to what may be wrong? (I'm using Windows 10)
Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.
In my google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running the CertUtil as the Administrator.
When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?
Thanks,
--Hyong

gpgsm -a --export-secret-key-p12 [keyid] under windows showing error message "No secret key"

I have installed gpg4win version 2.2. I have successfully created the certificate using gpgsm --gen-key > test.p10
I want to export the created certificate request into pkcs12 format with gpgsm --export-secret-key-p12, but while exporting into p12 I get the error message "No Secret key".
When I run gpgsm --list-secret-keys on the command prompt, it indeed displays nothing.
Why would the export step fail? And where are the secret keys present while generating certificates?
I have successfully created the certificate using gpgsm --gen-key > test.p10
GpgSM from gpg4win-2.x only can generate certificate signing requests.
It stores the secret part of your certificate under %APPDATA%\gnupg\private-keys-v1.d and prints out the signing request. That signing request is supposed to be sent to a Certificate Authority that signs your certificate (like cacert).
You then import the signed certificate and it will then show up under --list-secret-keys and will be exportable.
With GnuPG 2.1 (can be downloaded as a Windows installer from gnupg.org) you are asked when generating a key if you want to self-sign it. In that case your "test.p10" would contain the signed certificate that you can then import into gpgsm and use / export it directly without the need for a CA.

VS2012 Signing Assembly Error - "Cannot find the certificate..."

I'm trying to sign my app in VS2012 but I'm receiving "Cannot find the certificate and private key for decryption" error.
What I do:
I received my certificate by Comodo CA Limited in Google Chrome.
Exported the certificate to a file with "Include all certificates" and "Export private key" options.
In VS2012, Signing tab I browse to the certificate file and fill in the password. The "Cannot find..." error appears.
I also tried all steps in this tutorial: Visual Studio error 'Cannot find... in Comodo Knowledge Base, but no success.
The same key works fine when signing with the Comodo kSign tool and also when using signtool.exe
....
The most common problem arises when using a .pfx file that contains
chaining information. You can remove chaining information from the key
file by running the Certificate Manager snap-in (Certmgr.msc),
importing the pfx file into the personal certificate store, and then
exporting it without including the certificate chain information.
Importing the certificate in MMC and exporting again doesn't help
...
I tried it on another machine, but the same problem.
Any ideas?
https://msdn.microsoft.com/en-us/library/aa730868%28vs.80%29.aspx#rsvssign_topic3
The .pfx file cannot include certificate chaining information. (If the .pfx file does include this information, the following import error will occur: "Cannot find the certificate and private key for decryption.")
Just do not set "Include all certificates" while exporting the *.pfx file

Alias cannot be found in certificate keystore

I'm trying to sign a jar file using a code signing certificate. The alias name includes some special characters (Turkish characters). The alias name is similar to the following:
bi?li?şi?m teknoloji?leri? eği?ti?m's comodo ca limited id
When I try to sign a jar file, the following error occurs:
Certificate chain not found for: bi?li?şi?m teknoloji?leri? eği?ti?m's
comodo ca limited id. bi?li?şi?m teknoloji?leri? eği?ti?m's comodo ca
limited id must reference a valid KeyStore key entry containing a
private key and corresponding public key certificate chain.
I tried to change the alias name by using keytool (jdk) utility, but again, since the alias name was not found, I couldn't succeed.
When I look at the details with keytool, I see the entry type is "PrivateKeyEntry", so I don't think this error is about a missing private key.
The problem seems related to an unrecognized character issue.
How can I solve this problem and proceed to signing my jar file?
The support team from the certificate company responded to my email. They wanted to renew the certificate without using Turkish characters in the company name. As I guessed, the problem was related to unrecognized characters.

self-signed SSL certificate error: certificate has invalid digital signature

I have a c# program and part of it creates a self-signed certificate.
The problem is when I try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when I try to add this certificate through command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but with no luck.
I've also tried downloading Hotfix from Microsoft but it didn't work.
By the way, my machine is running in Windows7-64bit.
I ran into an answer here. The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using latest and greatest DC cert authority certificate. I had to export and install both root cert and a self signed cert on my destination machine for it to recognize self signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.
In my case it was due to an old self signed certificate with a small key length.
I found the solution here - https://security.stackexchange.com/a/82606/26742 to reduce the security (only in my dev environment)
certutil -setreg chain\minRSAPubKeyBitLength 512
