Convert a code signing certificate from Sectigo/Comodo into a .pfx file that is actually usable

Question

When I tried to download the code signing certificate from Sectigo/Comodo, using Firefox I just ended up downloading a file called CollectCCC, with no file extension. It is not clear to me how to use it to sign a binary. When I try to use it to sign a binary (with /debug on) I get the following:

> .\installation\signtool.exe sign /debug /f 'C:\Users\username\Downloads\CollectCCC' .\DraughtHub_Link.exe

The following certificates were considered:
    Issued to: GoDragons
    Issued by: Sectigo RSA Code Signing CA
    Expires:   Fri Oct 22 00:59:59 2021
    SHA1 hash: <hash>

    Issued to: Sectigo RSA Code Signing CA
    Issued by: USERTrust RSA Certification Authority
    Expires:   Wed Jan 01 00:59:59 2031
    SHA1 hash: <hash>

    Issued to: USERTrust RSA Certification Authority
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

    Issued to: AAA Certificate Services
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

After EKU filter, 4 certs were left.
After expiry filter, 4 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

Part of the problem is that I wasn't able to download their certificate using IE (their recommended way, sigh), because I hadn't created a code signing certificate request using IE. I created the code signing certificate request using openssl.

Here is the error message I got from IE:

I tried importing the CollectCCC into IE as well and that failed.

Disclaimer: I would not recommend using Sectigo and/or Comodo for code signing certificates! My experience with them was terrible! It's worth paying more to get a better service.

Answer 1

After a lot of googling, I eventually worked out that the CollectCCC file is of type .p7s.

You can convert .p7s files into .pfx files (required to sign binaries) using openssl with the following commands (it's a two step process):

openssl pkcs7 -inform der -in CollectCCC -print_certs -out CollectCCC.pem
openssl pkcs12 -export -out certificate.pfx -inkey ~/.csr/www.draughthub.com.key -in CollectCCC.pem

where you replace ~/.csr/www.draughthub.com.key with the location of the private key you created to make the code sign certificate request. The second step will prompt you for a password. This is the password you used to create the request (and corresponding private key).

Answer 2

I went through this process recently and I also had troubles with this process. After I bought a code signing certificate from Sectigo, I had to:

Step 1. Create a certificate request file (.csr) and the certificate key file (.key). After this you will have 2 files, one with .key extension and one with .csr extension.

openssl.exe req -nodes -newkey rsa:3072 -nodes -keyout DESIREDNAME.key -out DESRIREDNAME.csr -subj "/C=COUNTRY_CODE/ST=STATE_NAME/L=CITY_NAME/O=ORGANIZATION_NAME /CN=YOUR_DOMAIN_NAME.com"

Step 2. Use the .csr file on Sectigo website to generate your certificate.

Step 3. Download your certificate from the email received from Sectigo. After this step you should have a new file with .crt extension, in my case it was user.crt.

Step 4. Convert the .key and .crt files to a .pfx file for code signing.

openssl.exe pkcs12 -inkey DESIREDNAME.key -in user.crt -export -out mycertificate.pfx

During this process you will be asked to set a password for the .pfx file.

Step 5. Dual sign the file with SHA1 and SHA256.

signtool.exe sign /tr http://timestamp.digicert.com /td sha1 /fd sha1 /f mycertificate.pfx /p MY_CERT_PASSWORD myapp.exe

signtool.exe sign /tr http://timestamp.digicert.com /as /td sha256 /fd sha256 /f mycertificate.pfx /p MY_CERT_PASSWORD myapp.exe

Note that the second call contains the /as parameter to append the signature. Remember, always sign with SHA1 first and append the SHA256 second.

Step 6. Right click your file and select Properties. Check the Digital Signatures tab. Your file should be now digitally signed. Congratulations!

Some side notes:

At Step 1 I have used one openssl.exe found in C:\Program Files\Git\usr\bin\openssl.exe but this one failed at Step 4 with "can't find certificates" error. I had to install Win64 OpenSSL Light from https://slproweb.com/products/Win32OpenSSL.html and then Step 4 worked as expected and my .pfx file was finally generated.

I did not have signtool.exe available on my machine, so from Visual Studio Installer I selected to modify the installation and I added one of the Windows 10 SDK item from Individual Components. Then I had this file available in C:\Program Files (x86)\Windows Kits\10\bin\10xxxx\x64\signtool.exe.

Can't wait to see those AV false positives go away now that my application is digitally signed :)

Answer 3

I did had this issue... I had to renew a 'code certificate' and at every steps, I had difficulties with Sectigo... (Really this s...) Finally, at the 'last' step, I followed their instructions to 'download' the certificate and I found myselfe with a 'CollectCCC' file and no more explanations (real champs those Sectigo guys!). Did reach (again) tech support and they asked me to reach my intermediate company which I purchased the certificate from in order to finalise. Talked with the tech guy and the tips was to do the exact opposite from what they say in their emails (the ask to use Internet Explorer (forget it) or Firefox to download the file.... BUT if you actuelly use 'Chrome' the file you download is not the 'CollectCCC' thing BUT an actual valid .crt file!!! I did test that with tech support from my provider and if you do the opposite from what they say (use Chrom) IT DOES WORK!!! Wow!