Hi Friedrich, and anyone else following this:

After a couple of days of back-and-forth with Comodo technical support, their 3rd-level support found a solution.

The certificate had been issued incorrectly. Specifically, during enrollment (really when creating the keyset and the CSR), the KeySpec parameter was incorrectly set to AT_KEYEXCHANGE (1). This must be AT_SIGNATURE (2).

The solution involved exporting the certificate using the MMC and doing an offline re-enrollment through CERTUTIL, to set the KeySpec parameter to AT_SIGNATURE.

I sure know more about code-signing certificates than I ever cared to!

Thanks, Friedrich, for your patience helping me through this.
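
One way to check which KeySpec the private key of a code-signing certificate was created with, as an added example that is not part of the original post or of Comodo's procedure. It assumes Windows PowerShell 5.1 and certificates in the current user's Personal store; the function name `Get-CodeSigningKeySpec` and the output column names are hypothetical.

```powershell
# Added example, not from the original post. Get-CodeSigningKeySpec is a hypothetical name.
# Assumption: Windows PowerShell 5.1. Only legacy CSP keys carry a KeySpec;
# CNG keys or unreadable keys are reported separately instead of being guessed.
function Get-CodeSigningKeySpec {
    param(
        # Assumed default location: the current user's Personal store.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    # -CodeSigningCert limits the listing to certificates usable for code signing.
    Get-ChildItem -Path $StorePath -CodeSigningCert | ForEach-Object {
        $cert    = $_
        $keySpec = 'NoPrivateKey'

        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                    # KeyNumber enum: Exchange = AT_KEYEXCHANGE (1), Signature = AT_SIGNATURE (2)
                    $keySpec = [string]$key.CspKeyContainerInfo.KeyNumber
                } else {
                    $keySpec = 'NotCsp'
                }
            } catch {
                # Typically a CNG key that the legacy PrivateKey property cannot open.
                $keySpec = 'Unreadable'
            }
        }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            KeySpec        = $keySpec
            IsSignatureKey = ($keySpec -eq 'Signature')
        }
    }
}

Get-CodeSigningKeySpec | Format-Table -AutoSize
```

A row showing `Exchange` corresponds to the AT_KEYEXCHANGE (1) condition described above; `Signature` corresponds to AT_SIGNATURE (2).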
