Sectigo Code Signing Certificate Problems

It’s quite an adventure, but I was able to figure it out eventually.

  • First, there are two ways of creating a CSR (Code Signing Request) - manually, or letting the browser do it.
  • I believe that the in-browser method is basically broken and not reliable.
  • @Greg_O_Lone your suggestion to use Firefox seems outdated - apparently FF 69 or later has broken this feature, see for example https://www.digicert.com/blog/partner-advisory-in-browser-csr-generation-support-dropped-in-firefox-69
  • All is not lost, however - you can make a CSR yourself quite easily with a text file and a command-line tool, CertReq, in Windows - see Sectigo.
  • If you make the CSR yourself, you can get a copy of the Private Key - at that point you can use any browser (or OS) to download the certificate files.

To retrieve the Private Key that CertReq created:

  • Start Menu: ‘certmgr.msc’ to open Windows Certificate Manager
  • Go to Certificate Enrollment Requests / Certificates
  • Find the key with your company name (note: this is the CSR request key, not the code signing certificate)
  • Right click / All Tasks / Export
  • Choose: Yes, export the private key
  • Choose: PFX format
  • Include all certificates
  • Give a password and remember it
  • Export to my-private-key.pfx or similar

Once Sectigo has created your Code Signing Certificate, you can download it. Here is where I ran into many issues. I think that their download system is broken, and as described above you get one zero byte file and one file which seems to have the wrong content.

However, with some digging I realized that the cert_xxxx.crt download file actually has 4 certificates included, and the file appears malformed - it has an extra
-----END CERTIFICATE-----
line at the end.

Here, I started working on the Mac since that’s where I do most of my development.

  • If you double-click this malformed CRT file, Keychain Access will import it, but it only imports the first certificate in the chain.
  • However, if you simply edit the text file, move the last certificate to the top of the file, and remove the duplicated line at the end, then the file imports fine into Keychain Access.

A few more steps and we are done:

  • Double-click the my-private-key.pfx file to import it into Keychain Access.
  • Open Keychain Access.
  • IMPORTANT: select “My Certificates” in the top Tab bar. (Note: this is important, as if you have “All Items” selected, then you’ll see the certificate and private key as separate items. In the ‘Certificates’ view the two will be grouped together so you can export them as one item.)
  • Find the certificate you purchased. Make sure it has a disclosure triangle, has a private key inside it, and has the right expiration date.
  • Right-click the certificate, choose Export, and give the same strong password (note: this password protects your Private Key. Never give out your private key, or this password, to anyone.)
  • Export to a .p12 file (which is the same as a .pfx file). This p12 file can be used back on Windows with SignTool.

(Or can it?) I ran into one final problem:

  • In 2021 the minimum size of certificate keys was increased.
  • Older versions of SignTool fail to read these files.
  • The solution: upgrade to a more modern Windows 10 SDK which includes a newer version of SignTool.exe - see instructions here: SignTool - Win32 apps | Microsoft Docs
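The manual edit described above for the malformed cert_xxxx.crt file (drop the orphan END line, move the last certificate to the top so Keychain Access imports the whole chain) can be scripted so it is repeatable and checked rather than done by hand. The following is an added example and is not code from the post, from Sectigo, or from Apple; it assumes the layout the post describes (four PEM blocks, purchased leaf certificate last, one stray trailing END line) and refuses to write anything if the block structure does not parse. The sample bundle embedded in it is constructed, with placeholder bodies instead of real certificate data.

```python
"""Repair a PEM certificate bundle so the leaf certificate comes first and
no stray '-----END CERTIFICATE-----' lines remain (added example, not the
post's own tooling). Text-level only: it does not decode the certificates."""
import sys
from typing import List

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for cert_xxxx.crt. Bodies are placeholders, not real
# base64 DER, but the layout matches the post: 4 blocks, leaf last, extra END.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
PLACEHOLDER+ROOT+CA+BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER+INTERMEDIATE+1+BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER+INTERMEDIATE+2+BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER+LEAF+CODE+SIGNING+BODY
-----END CERTIFICATE-----
-----END CERTIFICATE-----
"""


def split_pem_blocks(text: str) -> List[str]:
    """Return every complete BEGIN..END block as one string.

    An END line with no open block (the duplicate the post describes) is
    dropped; a BEGIN without a matching END is an error, because writing a
    half-parsed chain would silently lose certificates on import.
    """
    blocks: List[str] = []
    current: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            if inside:
                raise ValueError("nested BEGIN CERTIFICATE without END")
            inside, current = True, [line]
        elif line == END:
            if not inside:
                continue  # orphan END line: discard it
            current.append(line)
            blocks.append("\n".join(current))
            inside, current = False, []
        elif inside and line:
            current.append(line)
    if inside:
        raise ValueError("BEGIN CERTIFICATE without matching END")
    return blocks


def leaf_first(blocks: List[str]) -> List[str]:
    """Move the last block (the purchased leaf cert in the author's download) to the front."""
    if not blocks:
        return []
    return [blocks[-1]] + blocks[:-1]


def repair_bundle(text: str, expected_count: int = None) -> str:
    """Parse, optionally sanity-check the certificate count, and reorder."""
    blocks = split_pem_blocks(text)
    if expected_count is not None and len(blocks) != expected_count:
        raise ValueError(f"expected {expected_count} certificates, found {len(blocks)}")
    return "\n".join(leaf_first(blocks)) + "\n"


if __name__ == "__main__":
    # Usage: python fix_bundle.py cert_xxxx.crt  (writes cert_xxxx.crt.fixed.crt)
    # With no argument, runs on the constructed sample and prints the result.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            fixed = repair_bundle(fh.read(), expected_count=4)
        with open(path + ".fixed.crt", "w", encoding="utf-8") as out:
            out.write(fixed)
        print(f"wrote {path}.fixed.crt with {fixed.count(BEGIN)} certificates")
    else:
        print(repair_bundle(SAMPLE_BUNDLE, expected_count=4))
```

The `expected_count` check is deliberate: the post found exactly four certificates in the download, and a bundle that parses to a different number is a sign the download itself changed, which is better surfaced as an error than quietly reordered. The script never writes over the original file.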