To export your private key and software publishing certificate from the .pfx file you need the OpenSSL tools. You can download a ready-compiled Windows binary package from Shining Light Productions. The 'light' package is all you need.
The OpenSSL utility will export the private key to an OpenSSL .pem format file. The .pvk private key format required by the code signing tools is a Microsoft proprietary format which OpenSSL does not support. Dr. Stephen N Henson, an OpenSSL consultant in the UK, has reverse-engineered the .pvk file format and developed a conversion utility which you can download here. In case you have trouble accessing the server it is also mirrored here. The utility is contained in a Zip archive; simply extract it to the same folder as the OpenSSL tools.
Exporting the files
Having downloaded and installed the conversion tools, you are ready to export your code signing certificate and private key file from the .pfx (.p12) file. The commands given below assume that the location of the conversion tools has been added to the PATH environment variable. Otherwise you should type the full path to each program.
In the examples we will also assume that the .pfx (.p12) file name is mycert.pfx (mycert.p12) and that the desired output filenames are mykey.pvk and mycert.spc. You may, of course, substitute other names if you so wish, and specify a full path if the files are located in a different folder. Remember to quote the paths to the files if they contain spaces.
Exporting the private key
First export the private key to an OpenSSL .pem format file.
openssl.exe pkcs12 -in mycert.p12 -nocerts -nodes -out mykey.pem
You will be asked for the password that protects the .pfx (.p12) file, if you set one. Note that -nodes writes mykey.pem with the private key unencrypted, so keep that file where only you can read it until the conversion below is finished.
Now you use Dr. Henson's conversion utility to convert the .pem file into the proprietary Microsoft .pvk format.
pvk.exe -in mykey.pem -topvk -strong -out mykey.pvk
That takes care of the private key file.
Exporting the software publishing certificate
Converting your code signing certificate into a software publishing certificate .spc file is also a two-stage process. First, the certificate is exported to an OpenSSL .pem format file, and then this is converted to the final .spc format.
openssl.exe pkcs12 -in mycert.p12 -nokeys -out mycert.pem
openssl.exe crl2pkcs7 -nocrl -certfile mycert.pem -outform DER -out mycert.spc
Again, you will be asked for the password that protects the .pfx (.p12) file, if you set one.
You now have a .pvk and .spc (YES! I was so excited) pair which you can use to digitally sign executables using signcode.exe. The intermediate .pem files created during the conversion are no longer needed and should be deleted, since mykey.pem holds the private key in the clear.
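As an added example (not part of the original page), here is the same conversion wrapped in a bash function that also checks its result: that the exported private key really belongs to the exported certificate, and that the .spc is well-formed DER PKCS#7. It assumes openssl is on the PATH, takes the .pfx password as an argument instead of prompting, and runs pvk.exe only when that tool is found, so on a non-Windows system the .pvk step is skipped; the function name pfx_to_spc is my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Assumes openssl on PATH;
# pvk.exe (Windows only) is used only if present. The .pfx password is an
# argument (the page's commands prompt for it interactively instead).

# pfx_to_spc <in.p12> <pfx-password> <out.spc> <out.pvk>
# Returns 0 only if the exported private key matches the exported certificate
# and the .spc parses as a DER PKCS#7 bundle that contains a certificate.
pfx_to_spc() {
  local p12=$1 pass=$2 spc=$3 pvk=$4 work keypub certpub
  work=$(mktemp -d) || return 1
  # mykey.pem holds the private key UNENCRYPTED (-nodes): create it
  # unreadable to other users and remove it as soon as we are done.
  umask 077
  openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" -out "$work/mykey.pem" &&
  openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" -out "$work/mycert.pem" &&
  openssl crl2pkcs7 -nocrl -certfile "$work/mycert.pem" -outform DER -out "$spc" ||
    { rm -rf "$work"; return 1; }
  if command -v pvk.exe >/dev/null 2>&1; then
    pvk.exe -in "$work/mykey.pem" -topvk -strong -out "$pvk" || { rm -rf "$work"; return 1; }
  fi
  # Check 1: public key derived from the private key == public key in the cert.
  # A mismatch means the .pvk/.spc pair cannot be used together by signcode.exe.
  keypub=$(openssl pkey -in "$work/mykey.pem" -pubout 2>/dev/null)
  certpub=$(openssl x509 -in "$work/mycert.pem" -noout -pubkey 2>/dev/null)
  # Check 2: the .spc is valid DER PKCS#7 and lists at least one subject.
  openssl pkcs7 -inform DER -in "$spc" -print_certs -noout 2>/dev/null | grep -q '^subject=' ||
    { rm -rf "$work"; return 1; }
  rm -rf "$work"   # the plaintext key file is no longer needed
  [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]
}
```

Call it as `pfx_to_spc mycert.p12 'your-password' mycert.spc mykey.pvk`; a non-zero exit means the .pfx password was wrong or the extracted key and certificate do not belong together.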