
Don't order Comodo Certificate from a VISTA machine



MorningFlight
03-24-2008, 05:47 PM
I decided to start a new thread because http://www.lindersoft.com/forums/showthread.php?t=7489&page=2 started to go off topic.

Code-signing under VISTA has probably been hammered to death elsewhere on this forum, but it bears repeating. Turns out ordering the certificate wrong wasn't all my idea. Take a look at the two screen captures below, the first VISTA, the second XP. Because the machine I used was running VISTA, I was never even given the option to order the certificate the way it should be ordered for SetupBuilder, as an .spc file and a .pvk key. Same website, same browser, different screens. In the XP version, the default should be changed to "In the file" from "In the CSP." In the VISTA version, that line is missing entirely.

Anyway, Comodo bent over backwards to make it right. They issued credit for the single file certificate and, within minutes, sent me the two-file version. Impressive! For what it's worth, here are my recommendations for getting a Code-Signing Certificate and avoiding the hassles:

DO order the $200 three-year special from Lindersoft. You'll save yourself the very large headache of not having to renew every year, and enough cash to almost buy SetupBuilder.

DO change your account name and password if you already have an account with Comodo and you're ordering (or renewing) through Lindersoft.

DO set up an email box at your domain, i.e. John@mycompany.com, then change your WHOIS email contact address with your Registrar to that email box before you place the order with Lindersoft. Comodo will not issue the certificate to another mailbox.

DO have your DUNS number ready. If you don't have a Dun & Bradstreet number, plan on faxing documents to Comodo that prove your company is who and where you say it is.

DON'T order from a VISTA machine. See above. The rocks I'm now throwing at this miserable OS are getting bigger.

DO make sure you see the radio buttons "In the CSP" and "In the file," then tick "In the file" and enter the name you want on the certificate (such as C:\MyCompany). Go there to collect both the .spc and .pvk file after the transaction.

DON'T order the certificate in the CSP wrapper. It's useless that way unless you own Visual Studio and the SDK. Before you can even think about exporting the .spc and .pvk files, you need to convert the certificate to a .pfx file. Then, with command-line conversion tools downloaded from Shining Light Productions, to .pem files, then from there . . . you get the idea. Until last Sunday, I didn't even know what a .pem file was! To find out what you're up against, see http://www.tech-pro.net/export-to-pvk-spc.html. While entering the .pfx file into SetupBuilder is an option, my guess is you still need the .spc file and your .pvk key.

DO make copies of both your .spc certificate and your .pvk key file and store them where you can find them. The certificate is no good without the key, and Comodo can't give you another one.

DO write down the password you assigned to your .pvk key. The key is useless without the password, and that's another thing Comodo can't give you.

Friedrich, did I miss anything?

Hal Heindel
www.printshopmakeover.com

linder
03-25-2008, 03:26 AM
Hal,

Thanks for this most excellent posting. And what you said is also true for the new Windows Server 2008 operating system. Don't order a certificate from a Vista or Windows 2008 machine!

Thanks so much for your time!

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6.7
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

MorningFlight
03-25-2008, 04:41 AM
You're welcome, Friedrich.

Now that I have a working certificate, time to learn SetupBuilder and go after GEN1053.:cool:

Hal Heindel
www.printshopmakeover.com

linder
03-25-2008, 04:45 AM
Hi Hal,

:)

There are several possible reasons for Compiler error GEN1053: Code signing process failed. Error Code: -1

1. Problem with your certificate (expired?). Okay, not in your case <g>
2. If you are using the timestamp server, perhaps it is not accessible (server down?)
3. Wrong password
4. Or see below

http://www.lindersoft.com/forums/showthread.php?t=2170

http://www.lindersoft.com/forums/showthread.php?t=2202

Hope the above helps.

Friedrich

MorningFlight
03-25-2008, 05:45 AM
Thanks, Friedrich

I should tell you that I'm just experimenting with SetupBuilder this morning - haven't done my homework yet. I'll be able to spend more time revamping my installations for VISTA next week (after I've added more padding to the walls in my office!).

About GEN1053, the glitch seems to be with code signing the Uninstall. The first screen below is when I use SignTool, the second when I switch to SignCode. Time to download a new SignTool.exe, or use the old PKEY.exe with SignCode?

Hal Heindel
www.printshopmakeover.com

linder
03-25-2008, 06:02 AM
Hal,

If you are using SignCode.exe (the default option) then you need the .SPC and .PVK files.

If you switch to SignTool.exe then you need a .PFX file! It says "optional" because the use of SignTool.exe is optional.

So your SignTool.exe is okay (if you have downloaded the file from Microsoft and the path to it has been added in Tools | Options... | File Locations -> Digital Signature). The next step is to use your .PFX file and you are done ;)

Does this help?

Friedrich

linder
03-25-2008, 06:09 AM
BTW, see attached screenshots :)

Friedrich

MorningFlight
03-25-2008, 06:31 AM
Friedrich,

How do I remove code signing from the Uninstall? And is there a reason why the Uninstall should be code signed in the first place?

I decided to stick with SignCode for the moment to isolate the glitch. I don't have a problem code signing my app (see the compiler screen shot), but still get the Uninstall error message.

Hal Heindel
www.printshopmakeover.com

MorningFlight
03-25-2008, 06:46 AM
Eureka! Found the solution.

Since the problem had to do with code signing the Uninstaller Exe, not my app, I first ticked "No Digital Signature" for the Installer Exe, which compiled successfully, then ticked "Digital Signature" to re-enable signing the installer package, which then compiled successfully as well.

Looks like all I needed to do was clean the cobwebs out of the closet. If the rest of learning SetupBuilder goes this smoothly, I'm heading for the Costa del Sol this year.

Thanks, Friedrich

Hal Heindel
www.printshopmakeover.com

linder
03-25-2008, 06:56 AM
Perfect! Thank you for the good news, Hal :)

Friedrich

torrid
04-23-2008, 11:58 AM
Hi I just bought a Comodo code signing certificate. I saw no option to get it as spc pvk. I was using Thawte but am switching because this is so much cheaper....

"If you are using SignCode.exe (the default option) then you need the .SPC and .PVK files." per Friedrich's post above...

Now that I read these posts I see that there should have been something in the order process to get the 2 files...

I did not order from Vista. I ordered from Firefox. Since they know we are coming from Lindersoft to get the discount, why is the order process not configured to give us the files we need?

I also emailed support@lindersoft.com about buying the Comodo cert and was not "alerted" to this snafu even though they were helpful in giving me the login to order the Comodo cert.

What do I do now? I need to sign some code today if possible.

Regards,
-Tim

linder
04-23-2008, 12:14 PM
Tim,

The Comodo order page (at the top in red) says: "This webpage will work in most major browsers, but we recommend that you use Internet Explorer."

Your problem has nothing to do with the discount nor with the certificate nor with Comodo. And absolutely nothing with Lindersoft! Your (Firefox) browser simply does not support the option.

BTW, we provide you with a discount for original Comodo certificates. There are even costs involved on our side for your "discounted" certificate. You buy an original Comodo certificate directly from Comodo!!! So what do you mean by saying "I was not alerted" (by Lindersoft)? Alerted for what? We only give you access to the Comodo ordering system.

You have several different options now. SetupBuilder supports both SignCode.exe and SignTool.exe!

Friedrich

linder
04-24-2008, 09:54 AM
Tim,

Did you solve your problem?

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6.7
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

torrid
04-24-2008, 11:14 AM
No I don't have it worked out.

I'm not trying to blame you or Lindersoft... You always give great support... one of your support assistants though emailed me where to log in... I guess if you can support the file type they default to then you wouldn't know to "alert anyone" but when I click to add a digital cert in SB it asks for the spc and pvk files. If that is the default in SB then my personal opinion is that you should also alert people to this problem.

The dumb message on the Comodo site is just that... something that no one looks at. Many many sites for 10 years have said they recommend Internet Explorer but I've never taken that to mean "you won't be able to order what you need because you can't see that option in Firefox". That's not something you can deal with but something Comodo should consider addressing in my opinion...

Anyway all that is water under the bridge... Do I re-order the certificate and ask Comodo for a refund on the other one??? How do I use my certificate if it's in wrong format. I found a post about converting it but I can't get openssl installed or working and don't have the time to figure out "why".

linder
04-24-2008, 01:09 PM
Tim,

The problem is that I have absolutely no idea what you have received from Comodo. Do you already have a .PFX file or do you have your certificate in your certificate store?

If you already have the .PFX file then you only have to get your hands on SignTool.exe and you are done (see the following thread)

http://www.lindersoft.com/forums/showthread.php?t=2202

If you have the certificate in your "certificate store" then you have to export it to .PFX (see the following link)

http://www.tech-pro.net/export-to-pfx.html

Does this help?

BTW, there is no "wrong format" for certificates in SetupBuilder and so we cannot "alert people to this problem". SetupBuilder supports .spc/.pvk and .pfx files and does not have any problem at all with Microsoft Authenticode. Perhaps Firefox should mention that "You cannot request Microsoft Authenticode code-signing certificates in form of .spc/.pvk with Firefox" or Vista should mention that "You cannot request Microsoft Authenticode code-signing certificates in form of .spc/.pvk when using IE7 on Vista". SetupBuilder can use whatever certificate format is available!

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

"point. click. ship" - that's SetupBuilder 6.7
Create Windows Vista ready installations in minutes

-- Official Comodo Code Signing and SSL Certificate Partner

StuAndrews
12-05-2008, 07:56 AM
Hi there Guys,

Am I right in assuming that while you shouldn't ORDER a Comodo Certificate on Vista, it's okay to order on say XP and then move the Certificate across to Vista?

linder
12-05-2008, 08:11 AM
Hi Stu,

Yes, this is correct! Just order on XP and make sure you have "In the File" marked in the "Advanced Private Key" options. You can then use your Private Key File (.pvk) and Credentials File (.spc) on your XP, Vista, Win7 or whatever machine ;)

Does this help?

Friedrich

linder
12-05-2008, 08:13 AM
Stu,

And please use Internet Explorer to request the certificate!

Friedrich

StuAndrews
12-05-2008, 06:38 PM
Friedrich,

Thanks muchly!

Stu

StuAndrews
12-09-2008, 04:08 PM
> Hi Stu,
>
> Yes, this is correct! Just order on XP and make sure you have "In the File" marked in the "Advanced Private Key" options. You can then use your Private Key File (.pvk) and Credentials File (.spc) on your XP, Vista, Win7 or whatever machine ;)
>
> Does this help?
>
> Friedrich

Friedrich,

I've got the .pvk file, and have exported the Certificate from IE (on an XP machine), but haven't seen anything like a .spc file.

How do I get a hold of that? (Will google now to see if I can find out myself)

Stu

linder
12-10-2008, 01:39 AM
Stu,

Did you use the "In the File" option? IIRC, the confirmation email from Comodo includes the link to the .spc.

Something like:

---

Your Code Signing Certificate is ready!

To collect your Code Signing Certificate, please click here

Your Collection Code is: XXXXXXXX

---

You then have the .pvk and .spc files.

Friedrich

StuAndrews
12-11-2008, 05:02 AM
Ahhh, excellent. I'm still going through the process of my company being validated by Comodo.

tshates
12-23-2008, 08:37 AM
Microsoft Certificate Enrollment Control security warning does NOT pop up on my machine! I am running XP SP2 and IE 6 with the most recent security patches installed. Any ideas on what I might need to do to make this work?

linder
12-23-2008, 09:08 AM
I think users will be prompted as to whether they want to allow the installation of the Microsoft Certificate Enrollment Control add-on. In order to proceed, click on this message, click Run ActiveX Control, and then click Run.

If you don't see this prompt then I assume that it's already installed on your machine.

Friedrich

Rodt
01-06-2009, 04:17 PM
You should remove or correct the information in this thread dealing with ordering the code signing certificate using Vista.

I just ordered and was issued my certificate using Vista and Internet Explorer 8. I then was able to sign my exe's using the SignTool with the pfx file which I exported from the certificate store.

Command line to sign the file.

signtool sign /f PrivateKey.pfx /p password filenametosign

linder
01-07-2009, 02:15 AM
The problem is that the "In the file" option is not available under Vista. So you can only get a PFX (exported from your certificate store), but not the Credential File (.spc) or the Private Key file (.pvk).

So what has been said here is still perfectly valid! You should not order from a Vista machine if you need the .spc and .pvk files.

Friedrich

Ericc
12-14-2009, 12:07 PM
Does this Vista issue also apply to Windows 7 machine?

I did this 10 years ago with Verisign on a Win98 machine, amazing that it's still just as difficult & confusing as it was then (maybe more now:))

linder
12-14-2009, 11:54 PM
Hello,

Good question. I guess the answer is "yes". I think it applies to all UAC-aware operating systems (including Windows 7 and Server 7).

Friedrich

Ericc
12-16-2009, 06:06 PM
Not sure if this has already been mentioned, but according to Comodo, exporting your pfx file to spc & pvk files can be done by installing OpenSSL, and following these directions:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089&nav=0,96,7

Unregistered
12-22-2009, 11:23 PM
> Not sure if this has already been mentioned, but according to Comodo, exporting your pfx file to spc & pvk files can be done by installing OpenSSL, and following these directions:
>
> https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1089&nav=0,96,7

I just want to confirm that the above steps do work, so getting your certificate in Vista or Win7 is the same. You'll only get a pfx file when you attempt to export it. Following the steps using OpenSSL and the tools listed in the link above you can successfully convert your pfx file to a spc/pvk combination for use with older signing tools. It's an extra 10 minutes of work, but you now have it in both formats.

David - Encourager Sw
09-08-2010, 07:38 PM
This is a followup to some very good instruction by Hal Heindel, but some of his remarks are dated...
HH - Hal Heindel - DT - David Troxell

My company provides additional, updated instruction on the Comodo Code Sign Certificate Order Process with the CHM version of this blog (click on blog link and download CHM from blog).

Product Description - App Data UAC Safe, MFG - Encourager Software
Internet Link - http://profileexchanges.com/blog/?p=120

HH - DO order the $200 three-year special from Lindersoft. You'll save yourself the very large headache of not having to renew every year, and enough cash to almost buy SetupBuilder.

HH - DO change your account name and password if you already have an account with Comodo and you're ordering (or renewing) through Lindersoft.

HH - DO set up an email box at your domain, i.e. John@mycompany.com, then change your WHOIS email contact address with your Registrar to that email box before you place the order with Lindersoft. Comodo will not issue the certificate to another mailbox.

HH - DO have your DUNS number ready. If you don't have a Dun & Bradstreet number, plan on faxing documents to Comodo that prove your company is who and where you say it is.

DT - A valid current business license - NOT Faxed - but SCANNED and attached in Support ticket is all that is necessary for some companies.

Very helpful summary business documentation requirements provided by Friedrich Linder
http://www.lindersoft.com/forums/showthread.php?t=26424

HH - DON'T order from a VISTA machine. See above. The rocks I'm now throwing at this miserable OS are getting bigger.

DT - This is NO longer true - MANY order through Vista and Windows 7, using FireFox, IE, other browsers AND use export to PFX file format methods.

DT - Example from Comodo - Order using Windows 7 and FireFox - Certificate stored in FireFox - Directions to Export to PFX format
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=419&nav=0,96

HH - DO make sure you see the radio buttons "In the CSP" and "In the file," then tick "In the file" and enter the name you want on the certificate (such as C:\MyCompany). Go there to collect both the .spc and .pvk file after the transaction.

DT - This ONLY applies to XP (or W2K) and IE - this is the ONLY way you can get .spc and .pvk file formats during order process. MUST use "In the file," Exportable checkbox - checked

DT - Special NOTE: I used XP PRO and IE in a Virtual Machine to order and retrieve .spc and .pvk file format.

HH - DON'T order the certificate in the CSP wrapper. It's useless that way unless you own Visual Studio and the SDK. Before you can even think about exporting the .spc and .pvk files, you need to convert the certificate to a .pfx file.

DT - MANY are now using Windows 7 and Firefox or IE to order - If you DID NOT use XP (or W2K) and IE - "In the file," Exportable checkbox - checked - any other combination, Windows 7, Vista, Firefox - you MUST export from browser TO PFX format.

DT - If you received your certificate in spc and pvk file format - Jane Fleming includes instructions in her documentation to convert a spc file and pvk file to a singular PFX format using a pvk2pfx program.
http://www.beachbunnysoftware.com/webinar/

DT - If you use signtool.exe - you use the PFX file - that is possibly the ONLY file many will need to code sign certificates - IF you want to use signcode.exe - you use the .spc and .pvk files.

HH - Then, with command-line conversion tools downloaded from Shining Light Productions, to .pem files, then from there . . . you get the idea. Until last Sunday, I didn't even know what a .pem file was! To find out what you're up against, see http://www.tech-pro.net/export-to-pvk-spc.html.

DT - Yes, that is a more difficult conversion process - converting a PFX file to .spc and .pvk file formats.

HH - While entering the .pfx file into SetupBuilder is an option, my guess is you still need the .spc file and your .pvk key.

DT - No guessing needed - :-D

DT - IF you use signtool.exe with SetupBuilder - you need the PFX file.
DT - IF you use signcode.exe with SetupBuilder - you need the .spc and .pvk file

HH - DO make copies of both your .spc certificate and your .pvk key file and store them where you can find them. The certificate is no good without the key, and Comodo can't give you another one.

DT - ONLY applies if you ORDERED using XP (or W2K) and IE - "In the file," Exportable checkbox - checked

HH - DO write down the password you assigned to your .pvk key. The key is useless without the password, and that's another thing Comodo can't give you.

DT - ONLY applies if you ORDERED using XP (or W2K) and IE - "In the file," Exportable checkbox - checked

DT - Hal's screen shot does not display "In the file" selected.

David Troxell - Encourager Software - http://www.encouragersoftware.com/
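
Added example, not part of the original thread and not code from Lindersoft, Comodo or any poster: a small Python check that identifies signing material by its content (.pvk, .spc, .pfx or .pem) and names the signer the thread pairs it with, and flags a private key saved without a password. The function name `identify` and the sample byte strings are constructed for illustration.

```python
import struct
import sys

PVK_MAGIC = 0xB0B5F11E  # little-endian DWORD that opens a Microsoft .pvk file
OID_PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

# Constructed sample headers (not real keys or certificates).
SAMPLE_PVK_ENCRYPTED = struct.pack("<6I", PVK_MAGIC, 0, 2, 1, 16, 32) + bytes(48)
SAMPLE_PVK_PLAIN = struct.pack("<6I", PVK_MAGIC, 0, 2, 0, 0, 32) + bytes(32)
SAMPLE_PFX = bytes.fromhex("30820a10" "020103") + bytes(16)
SAMPLE_SPC = bytes.fromhex("30820500") + OID_PKCS7_SIGNED_DATA + bytes(16)


def _sequence_body(data):
    """Return the bytes inside an outer ASN.1 SEQUENCE, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    length_byte = data[1]
    if length_byte <= 0x80:            # short form, or BER indefinite length
        return data[2:]
    n = length_byte & 0x7F             # long form: n length bytes follow
    if n > 4 or len(data) < 2 + n:
        return None
    return data[2 + n:]


def identify(data):
    """Classify signing material by content, not by file extension."""
    result = {"format": "unknown", "signer": None, "warnings": []}

    # .pvk: 24-byte header of six DWORDs (magic, reserved, key type,
    # encrypted flag, salt length, key length).
    if len(data) >= 24:
        magic, _res, _keytype, encrypted, saltlen, keylen = struct.unpack(
            "<6I", data[:24])
        if magic == PVK_MAGIC:
            result.update(format="pvk",
                          signer="SignCode.exe (with the matching .spc)")
            if not encrypted or saltlen == 0:
                result["warnings"].append(
                    "private key is stored without a password")
            if len(data) < 24 + saltlen + keylen:
                result["warnings"].append(
                    "file is shorter than its header declares")
            return result

    # .pem: text intermediate produced during PFX -> SPC/PVK conversion.
    if data.lstrip().startswith(b"-----BEGIN "):
        result.update(format="pem")
        if b"PRIVATE KEY-----" in data and b"ENCRYPTED" not in data:
            result["warnings"].append(
                "private key is stored without a password")
        return result

    body = _sequence_body(data)
    if body is not None:
        if body.startswith(b"\x02\x01\x03"):          # PKCS#12 version 3
            result.update(format="pfx", signer="SignTool.exe")
        elif body.startswith(OID_PKCS7_SIGNED_DATA):  # PKCS#7 signedData
            result.update(format="spc",
                          signer="SignCode.exe (with the matching .pvk)")
    return result


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = identify(fh.read())
        print(path, info["format"], info["signer"],
              "; ".join(info["warnings"]))
```

Run it with the paths of the files you received or exported as arguments; a .pem or unencrypted .pvk left over from a conversion shows up with the password warning.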

linder
12-11-2011, 04:53 AM
REMINDER: To help the validation process go smoothly, use an Email address at a domain that is owned by YOU or YOUR company. Comodo will look at the WHOIS of the domain you use on the order page so make sure any WhoisGuard or Privacy options have been disabled. You can re-apply any privacy settings once Comodo has verified domain ownership. If you would like to check the WHOIS of your domain, you can use:

http://whois.pairnic.com/

Do not use a free email address like Hotmail, Gmail or an email address provided by your ISP.

Friedrich

--
Friedrich Linder
Lindersoft
www.lindersoft.com
+1.954.252.3910

SetupBuilder is Windows installation -- "point. click. ship"

-- Official Comodo Code Signing and SSL Certificate Partner

CMS Software
08-19-2013, 02:29 PM
Apparently the screens have changed again. The first part looks the same, but the bottom half is not there on the first screen. Worse, I get an error every time I click "NEXT" for the next page. On the right side of the screen is a login/password pair saying that if we have ever ordered from Lindersoft before, we should login there. I have tried every login/password pair I have EVER received from Lindersoft and I keep getting an error of wrong Login/Password.

Which login is the correct one? The "Comodo Code Signing Certificate Request Information" does not work, nor do any of the others I have. My Certificate expired and I am trying to renew it.

-O. D.-

linder
08-20-2013, 01:32 AM
Hello,

No, the Comodo screens did NOT change for 6+ years! The login to the Comodo order system is your serial number and a password (see your SetupBuilder notifications). The login at the Comodo site is the login that YOU created when you ordered the certificate ;) If you get errors then you have set security too high and Authenticode does not work!!!

Friedrich

linder
08-20-2013, 01:43 AM
BTW, with the correct security settings in INTERNET EXPLORER (don't use another browser) it looks like the attached.

Comodo did not modify the screens.

HTH,
Friedrich

linder
08-20-2013, 01:54 AM
And this:

http://www.lindersoft.com/forums/showthread.php?p=69569

Friedrich

CMS Software
08-20-2013, 03:23 PM
Thanks, that got me on the right track. One final question, do we use the same form for Renewals as for New Certificates?

I tried using the same Admin/PWD pair with Comodo that I used when I last renewed this certificate in 2010 but was told that name is already in use and I must choose another. Seems strange on a renewal - you would think that using the existing name would be one more security check passed. Not so, I guess.

-O. D.-

linder
08-21-2013, 01:45 AM
Unfortunately, there is no "renew" process for a code-signing certificate. You always have to request a new one and go through the entire process again (including identity verification). All WebTrust agencies have to follow the same strict verification standard.

Just place a new order using the same company information and Comodo should speed up the validation process. I would suggest to quote your previous Comodo order number in any correspondence with them.

Friedrich

da spud
11-22-2013, 02:28 AM
> BTW, with the correct security settings in INTERNET EXPLORER (don't use another browser) it looks like the attached.
>
> Comodo did not modify the screens.
>
> HTH,
> Friedrich

The screen http://www.lindersoft.com/forums/attachment.php?attachmentid=3047&d=1376984540 (which is called Cert1.jpg) is different from the actual that I have http://screencast.com/t/SFypEwvE0LG3 in that mine is missing the section for Key Storage and Key size.

Given the discussions about following things precisely, I am reluctant to go on beyond this. I saw mention that nothing has changed in 6+ years (August 2013 post). Is this still true?

linder
11-22-2013, 02:42 AM
Hello,

On a UAC-aware operating system, you should see the following (using Internet Explorer).

HTH,
Friedrich

da spud
11-22-2013, 02:56 AM
OK using IE on Win 8 that is what I am seeing. Thank you.

I am just a little (maybe a lot?) nervous about this process given the stories I have seen about the importance of every tiny little detail. :)

linder
11-22-2013, 03:03 AM
I know what you mean ;) We had to request a new 3yr certificate in September and had to go through the same "nightmare" <g>

Friedrich