How to sign your Silverlight xap files with GoDaddy code signing certificate

When I purchased a GoDaddy code signing certificate, I didn't realize I had to create and keep a private key. It was only after going through the process of obtaining the certificate that I realized there is more work to be done before I can use it to sign my Silverlight application.  First off, GoDaddy issues the certificate in an SPC file in PKCS7 format, and second, you will need a private key to sign anything.  But not just any private key; it has to be a strong private key.  There are a few onerous steps to go from the SPC to a PFX file.  I have outlined the steps I have gone through here.

 

 Here are the basic steps:

 

  1. Generate a private key and CSR
  2. Use CSR to request code signing certificate from CA (GoDaddy.com)
  3. Convert private key to a strong private key
  4. Use PVKIMPRT to convert the .SPC + .PVK to PFX
  5. Use PFX to sign the software code using VS

 

 Let's go through the details:

 

Step 1. In order to create a PFX file you will need a private key.  You will need a third party software or hardware tool to do this.  I used OpenSSL to create my private key.  You can download the tool at http://www.slproweb.com/products/Win32OpenSSL.html

 

You will need to download the OpenSSL v.1.0.0d and any dependencies such as Visual C++ 2008 Redistributables.  Make sure you download the correct version for your machine (Win32 or Win64).  Install the OpenSSL tool and note the location of the installation folder. Once installed, navigate to the installation folder and click on the OpenSSL.exe to launch it.

 

To create the private key and CSR:

  1. Launch OpenSSL.exe
  2. Type: req -nodes -newkey rsa:2048 -keyout myserver.pvk -out server.csr
  3. Enter the values asked.  This is needed to generate the CSR. For example:

    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Texas
    Locality Name (eg, city) []:Houston
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XBITech Corporation
    Organizational Unit Name (eg, section) []:IT Department
    Common Name (eg, YOUR name) []:xbitech.com
    Email Address []:info@xbitech.com
    A challenge password []:*******
    An optional company name []:XBITech Corporation

 

This will create a 2048-bit RSA private key and a CSR with which to request a code signing certificate from GoDaddy.com.  If you don't specify rsa:2048, it will generate a 1024-bit private key.  The two files will be saved to the directory that you run the command from (your OpenSSL installation folder).  Because of -nodes, the key file itself is written unencrypted, so keep it in a folder only you can read.

 

Note: GoDaddy.com requires 2048-bit encryption.  Also, make note of the password; you will need it later.

 

Step 2. Go to GoDaddy.com and purchase a code signing certificate.  Follow the instructions given.  When you get to the part where it asks for a CSR, DO NOT use the automatic CSR generation.  Instead select manual, copy and paste the CSR you generated in Step 1, and submit.  Once they have verified your information, they will generate a certificate in an SPC file.  Download this file to your computer.

 


 

Step 3. Converting your SPC file into a PFX file requires a strong private key.  We will use the PVK tool to do this.  You can get this tool here.  Thanks to Dr. Stephen N Henson.

 

  1. Download and unzip the PVK tool.  Open command prompt (cmd.exe) and cd to the location of your PVK tool.  
  2. Type pvk -in "C:\Users\M4500\Desktop\EMR\xbitech-code-sign.pvk" -strong -out new.pvk -topvk 

    Note: I made a copy of the private key file from above (myserver.pvk) to C:\Users\M4500\Desktop\EMR\xbitech-code-sign.pvk

  3. Then enter the password you used in creating the CSR from step 1.  The password must be the same as the one created in step 1 or this won't work.  If successful, it will generate a strong private key as new.pvk
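
Before moving new.pvk around, it is worth confirming that it really is a password-protected PVK file and that the unencrypted file from Step 1 is the one you lock away. The following is an added example, not part of the original procedure or of the PVK tool: it reads the 24-byte Microsoft PVK header (magic 0xB0B5F11E) or a PEM label and reports the protection state. The function name and the sample bytes are constructed for illustration; note that the header records only whether the key is encrypted, not whether the "strong" variant was used.

```python
import struct

PVK_MAGIC = 0xB0B5F11E  # first little-endian DWORD of a Microsoft PVK file
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}


def inspect_key_file(data: bytes) -> dict:
    """Classify a private-key file and report whether it is password-protected."""
    if data.lstrip().startswith(b"-----BEGIN"):
        text = data.decode("ascii", errors="replace")
        label = text.strip().splitlines()[0]
        # PKCS#8 keys say ENCRYPTED in the label; traditional PEM keys
        # carry a "Proc-Type: 4,ENCRYPTED" header line instead.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in text
        return {"format": "PEM", "encrypted": encrypted}
    if len(data) < 24:
        raise ValueError("too short to be a PVK file")
    # Header: magic, reserved, key type, encrypted flag, salt length, blob length
    magic, _reserved, keytype, enc, saltlen, keylen = struct.unpack_from("<6I", data)
    if magic != PVK_MAGIC:
        raise ValueError("neither PEM nor PVK")
    if enc and saltlen == 0:
        raise ValueError("PVK header claims encryption but has no salt")
    if len(data) < 24 + saltlen + keylen:
        raise ValueError("PVK file is truncated")
    return {
        "format": "PVK",
        "encrypted": bool(enc),
        "key_type": KEY_TYPES.get(keytype, f"unknown({keytype})"),
        "salt_len": saltlen,
        "blob_len": keylen,
    }


# Constructed samples (not real keys): an unencrypted PEM stub of the kind
# `req -nodes` writes, and a PVK header with the encrypted flag set,
# a 16-byte salt and a dummy 32-byte key blob.
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_PVK = struct.pack("<6I", PVK_MAGIC, 0, 2, 1, 16, 32) + bytes(16) + bytes(32)

if __name__ == "__main__":
    for name, blob in (("myserver.pvk", SAMPLE_PEM), ("new.pvk", SAMPLE_PVK)):
        print(name, inspect_key_file(blob))
```

To check your own files, pass the bytes from `open(path, "rb").read()` to `inspect_key_file`.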

 

Step 4. Use the PVK Importer tool from Microsoft to convert the two files (SPC + PVK) into a PFX file.  You can download the tool here.

 

  1. Open your command prompt (cmd.exe) and cd to the location of the PVKIMPRT tool
  2. Type PVKIMPRT.EXE -PFX "C:\Users\M4500\Desktop\EMR\XBITech-Corporation-XBITech-EMR.spc" "C:\Users\M4500\Desktop\pvk\new.pvk" 

    Note: I downloaded my SPC file from GoDaddy to C:\Users\M4500\Desktop\EMR\XBITech-Corporation-XBITech-EMR.spc and moved the strong private key to C:\Users\M4500\Desktop\pvk\new.pvk

Upon executing the above command, it will launch an export wizard.  First it will ask you to enter the password.  Enter the same password as the one you've used above. 

 

  1. You will see "Welcome to the Certificate Export Wizard", click Next
  2. Select "Yes, export the private key"
  3. Select "Personal Information Exchange - PKCS #12 (.PFX)" if not selected already
  4. Check "Include all certificates in the certification path if possible"
  5. Click Next
  6. Enter and confirm a password for this file (.PFX).  This password could be different from the ones above but I am using the same one.  This password is needed when you sign your code using this PFX.
  7. Browse and select the file location and file name to save the exported file (PFX)
  8. Click Next
  9. Click Finish
     

Step 5. Sign your Silverlight xap file.

  1. Open your solution with Visual Studio.
  2. Right-click on the Silverlight project, choose Properties
  3. Go to the signing tab, check Sign the Xap File
  4. Click on Select From File and navigate to the PFX file you've just created
  5. Click on open and enter the password you used in Step 4.
  6. Click OK and you're done.

 

Alternatively, you can put this command in the post-build event command line.  Every time you build, it will sign your xap file with a timestamp.  Please note the timestamp URI, and remember to replace the ********* with your actual password from step 4.

 

"C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe" sign /v /f "C:\XBIPlatform\EMR\XBI.Framework\Library\xbitech-code-sign.pfx" /p "**********" /t http://tsa.starfieldtech.com $(TargetName).xap

 



If you have questions, contact me at trieu.nguyen@xbitech.com