Vista and buying a Comodo certificate



NewsArchive
11-12-2007, 01:57 AM
Friedrich (or anyone else),

Is it even possible to buy a certificate from Comodo using Vista? I've
been going 'round the pike with these guys for a few days now. IE7
doesn't show the private key file field on the form, and there seems to
be no way to specify a private key password. My order went through, and
though Comodo support has let me place a new order to try again, I still
have the same problem. They issue a certificate, but it's useless to me
because I don't know the PK password.

I have an XP laptop I can use to place the order - if I do this, is
there any particular problem moving the public and private key to my
desktop machine? Do I just copy the private key and certificate files?

--

Dave

Clarion Magazine: http://www.clarionmag.com
In-depth Clarion articles, news, tips & tricks, printed books and e-books

NewsArchive
11-12-2007, 02:10 AM
Dave,
Use the laptop.
Copy the mykey.spc and mykey.pvk files to your other computer(s).
You should know the password, as you create it during the ordering process
(pic).
(If you have a subscription to clarionmag<g>, there are a few old articles
showing the steps)

Someone else

Jane Fleming
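
Added example, not part of the original thread or of any poster's message: the advice above is to copy mykey.pvk between machines and rely on its password, so this Python sketch reads the PVK file header and reports whether the key blob is actually password-protected. The header layout is the commonly documented PVK format; the function names and sample bytes are constructed for illustration.

```python
import struct

PVK_MAGIC = 0xB0B5F11E   # first little-endian DWORD of a .pvk file
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}
HEADER = struct.Struct("<6I")   # magic, reserved, keytype, encrypted, saltlen, keylen


def inspect_pvk(data: bytes) -> dict:
    """Read the PVK header and report whether the key blob is password-protected."""
    if len(data) < HEADER.size:
        raise ValueError("too short to be a PVK file")
    magic, _reserved, keytype, encrypted, saltlen, keylen = HEADER.unpack_from(data)
    if magic != PVK_MAGIC:
        raise ValueError("bad magic: not a PVK file")
    if encrypted and saltlen == 0:
        raise ValueError("header says encrypted but carries no salt")
    if keylen < 20 or len(data) < HEADER.size + saltlen + keylen:
        raise ValueError("truncated PVK file")
    blob = data[HEADER.size + saltlen:][:keylen]
    # The 8-byte BLOBHEADER stays in the clear even when the rest is encrypted.
    blob_type, _version, _r, _alg_id = struct.unpack_from("<BBHI", blob)
    info = {
        "key_type": KEY_TYPES.get(keytype, f"unknown({keytype})"),
        "password_protected": bool(encrypted),
        "salt_len": saltlen,
        "is_private_key_blob": blob_type == 0x07,   # PRIVATEKEYBLOB
        "rsa_bits": None,
    }
    if not encrypted:
        # Unencrypted: RSAPUBKEY (magic "RSA2", bit length, exponent) is readable.
        rsa_magic, bits, _exp = struct.unpack_from("<4sII", blob, 8)
        if rsa_magic == b"RSA2":
            info["rsa_bits"] = bits
    return info


def build_sample_pvk(encrypted: bool) -> bytes:
    """Constructed sample: valid headers, filler instead of real key material."""
    blob_header = struct.pack("<BBHI", 0x07, 0x02, 0, 0x2400)  # CALG_RSA_SIGN
    if encrypted:
        salt, body = b"\x11" * 16, b"\xa5" * 64      # stands in for ciphertext
    else:
        salt, body = b"", struct.pack("<4sII", b"RSA2", 2048, 65537) + b"\x00" * 52
    blob = blob_header + body
    header = HEADER.pack(PVK_MAGIC, 0, 2, int(encrypted), len(salt), len(blob))
    return header + salt + blob


if __name__ == "__main__":
    for flag in (False, True):
        print(inspect_pvk(build_sample_pvk(flag)))
```

A file that reports `password_protected: False` holds the signing key in the clear and should not be copied around as-is.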

NewsArchive
11-12-2007, 02:11 AM
> (If you have a subscription to clarionmag<g>, there are a few old
> articles showing the steps)

Heh heh.

Actually I got my first certificate a year ago, but when I went through
the process this time and didn't get asked for a password, I went right
back to the gold standard (your articles) to make sure I was supposed to
get asked for it.

I'm just blown away that Comodo can't seem to get Vista sorted out.

--

Dave


NewsArchive
11-12-2007, 02:11 AM
Hi Dave,

>
> I'm just blown away that Comodo can't seem to get Vista sorted out.
>

It's not a Comodo problem, it's a Vista thing <g>. Comodo (and the other
WebTrust agencies) cannot do anything here :-( Even Verisign (Microsoft's
preferred provider of digital certificate services) have the same problem.
The certificate issuing process does not work when using IE7 on Vista. It
simply cannot send the PVK encryption key file.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6.6
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

NewsArchive
11-12-2007, 02:12 AM
Dave,

I just purchased a 3 year code signing certificate from them Friday. Nothing
went as expected or at least as I recall from last year. I'm running Vista
Business and IE7. The process and screens have changed since Jane's articles,
at least that was my experience with Vista/IE7.

Some important differences were that:

1) I had to check a box if I wanted the file to have a password, I think it was
called "User Protected"? (The box called "Exportable" was already checked for me,
I left it that way) I did check the "User Protected" box and it did not ask me
for a password, but it used the one I signed in to Comodo with, which is also
the same one I manually assigned last time I bought my certificate about a year
ago. So I'm not sure if it just used the "old" one again or the one from my
Comodo login.

2) There were a couple of points in the process where it tells you to add a
couple of Comodo URLs as trusted sites, I did. I think this is important. The
sites I added as trusted sites are:

https://secure.comodo.net
https://secure.instantssl.com

3) It did not ask me where to put the file, it installed it into Vista/IE7 and
then I exported it from there as a pfx file. Tools menu->Internet
Options->Content tab->Certificates button->Export. That will get you the pfx.

4) From there I followed the FAQ on Comodo to use the OpenSSL and PVK utilities
to create the .pvk and .spc files that are needed for other purposes (like code
signing with SB).

After a bit of a grueling re-learning process I had everything I needed and all
working fine.

I hope this helps, if not I'll check back here and on Skype CW-Talk 2
periodically and see if I can offer any additional assistance.

Regards,
Kelly E Major

NewsArchive
11-12-2007, 02:13 AM
> 1) I had to check a box if I wanted the file to have a password, I
> think it was called "User Protected"?

Hmm. They specifically told me not to use that check box. And I would
think that using a private key password that's stored on their server is
a little less secure than I'd like to be. But good on ya for finding a
workaround, and I appreciate the info.

They did give me the instructions on how to extract the certificate from
the browser's store and then extract the private key. All of which was
useless to me without the password.

I think I'll probably drop back to XP to get the certificate.

--

Dave


NewsArchive
11-12-2007, 02:14 AM
Dave,

Just found a couple of good links...

Exporting the certificate...
http://www.tech-pro.net/export-to-pfx.html

Creating .pvk and .spc file pair for use with older MS code signing utilities...
http://www.tech-pro.net/export-to-pvk-spc.html

- Kelly

NewsArchive
11-12-2007, 02:15 AM
Kelly,

Smooth move, you forgot the link to the whole series of articles about
certificates...

http://www.tech-pro.net/code-signing-for-developers.html

Way to go <G>

Kelly E Major

NewsArchive
11-12-2007, 02:16 AM
> Just found a couple of good links...

Many thanks. I'm still not happy about using my login password but if I
can't get any satisfaction the other way I'll definitely give it a go.

--

Dave


NewsArchive
11-12-2007, 02:17 AM
Dave,

The whole process was so confusing and different, now that I think about it, it
may have prompted me later to give it the password. So much happened my memory
might not be perfect, it was confusing when things didn't appear as expected.

Also, I note the pages I referred you to said to leave "User Protected"
unchecked. I guess I'm not sure what that does now. Oh boy! <G>

I wish I had found those links Friday, the day would have gone much better.

- Kelly

NewsArchive
11-12-2007, 02:17 AM
For anyone following this who cares <g>...

I've found the following description of the "User Protected" option for some
Comodo certificates. It wasn't referring specifically to code signing but
rather enterprise-wide employee e-mail signing certificates in the document but
it is the only official Comodo reference I can find for this term anywhere and
it's my guess that it is basically the same thing:

-----
Private Key User Protected: Place a tick in this check box to place additional
protection on the use of the private key (signing key) associated with the
employee's Certificate. Additional protection will challenge the employee to
OK the use of the Certificate every time the private key is used.
-----

My key doesn't seem to be asking for an additional OK in SB which is the only
place I actually use it. It is working exactly like my previous certificate did
but SB uses the .pvk and/or .spc files. However, if I used another tool that
used the .pfx file directly I suspect that I may be challenged with an
additional OK since I checked that box.

- Kelly

NewsArchive
11-12-2007, 02:18 AM
David,

Move the key to the "loved" Vista machine and all will be fine

See ... another _good point_ for Vista it seems after all the ones we found
the other day for my tool and ODBC and secwin etc ....

<G>

JP

--
Merci - Thank you

JP

NewsArchive
11-13-2007, 02:46 AM
Really Friedrich ?
Would we have another Vista bug to enforce the safety of using this OS ?
Impossible mon ami !

<BG>

Dave ..... still want to use absolutely Vista :) ?

JP

--
Merci - Thank you

JP

NewsArchive
11-13-2007, 02:46 AM
Seems to be a "hidden Vista limitation", not a bug <g>.

And for several (good) reasons, it would be "suboptimal" for WebTrust
agencies to add a "Not compatible with Vista" note to their web sites.

Friedrich

NewsArchive
11-13-2007, 02:46 AM
Correct, a bug is only something which does not work in the open <VBG>

Like I did on my new tool's site to tell Vista users who want to use it that
if they are not without UAC then ODBC will not work as it can ....another
story <BG>

Imagine BG's friends putting such words on their sites ? revolution ?
betrayal ?

JP

--
Merci - Thank you

JP

NewsArchive
11-13-2007, 02:47 AM
Let's say, an operating system vendor updates the "root certificates" (via
automated web updates) on a very regular basis. Not only for the latest
operating system edition, but also for the previous ones. And if I were
"JPG WebTrust" - the trusted Jean-Pierre Gutsatz authority that issues their
own code-signing certificates and completely depend on the "root
certificates" update feature - then I would not post compatibility issues on
my site <g>. See what I mean?

Friedrich

NewsArchive
11-13-2007, 02:47 AM
Yes and that is why I do not issue certificates but only try to sell my tool
and app .... easier to be trusted in this domain <BG>

JP

--
Merci - Thank you

JP

NewsArchive
11-13-2007, 02:48 AM
Friedrich,
Are you saying that business politics might be involved in business
decisions????
I am shocked.
SHOCKED, I say <g>

Jane

NewsArchive
11-13-2007, 02:48 AM
Jane,

<VBG> This is a strange world, with all sorts of bizarre things in it, and
it promises to only get stranger :)

Friedrich

NewsArchive
11-13-2007, 02:49 AM
> It's not a Comodo problem, it's a Vista thing <g>. Comodo (and the
> other WebTrust agencies) cannot do anything here

Okay, fair enough. Now I'm blown away that the first thing out of
Comodo's tech support wasn't "Oh, you're running Vista? You're hosed."

I understand the point about it not being in their interest to say "not
compatible with Vista." But even when they finally got around to asking
about my OS they didn't tell me Vista was the problem. That's either
incompetence or prevarication.

--

Dave


NewsArchive
11-13-2007, 02:50 AM
Dave,

As I said in my other postings, it does work exactly as expected in Windows
Vista. The problem is they don't have the process documented anywhere that I
can tell and it is not intuitive at all.

Now that I've done it and have it working plus also followed up with some
additional research I wouldn't expect to have any problems at all obtaining a
Comodo code signing certificate in Vista/IE7.

Again, the certificate I purchased using Vista/IE7 on Friday is working
perfectly.

- Kelly

NewsArchive
11-13-2007, 02:50 AM
Kelly,

I think the problem is that the "standard" process does not work under
Vista. "Standard" means, you create the .pvk when you request the
certificate and Comodo sends the following:

The necessary background checks have been successfully completed and we are
pleased to announce that your Code Signing Certificate has been issued.
To collect your Code Signing Certificate, please click "here"

If you click "here", you download the .spc file and then you have both the
credentials and the private key file.

But Vista has problems with the .pvk files.

Friedrich