How to renew your code-signing certificate if you lost your private key

Code signing is critical to delivering software to the public. A modern operating system will prevent unknown software from launching; only software signed with a proper code-signing certificate is allowed to start.

On Windows 10, a well-known popup appears when the user tries to launch software from an unknown source.

Windows 10 is protecting your PC :)

Moreover, if the code-signing certificate expires, this popup shows up as well. To renew, you usually first renew the certificate with your certificate provider; then the new certificate must be installed and your signing setup updated to use it.

Our company’s (VRcollab Pte. Ltd., https://vrcollab.com) software is built on top of Electron, and all DLLs and EXEs are signed with electron-builder’s signing tools. Electron-builder only supports a PFX file as the signing certificate, which means the certificate must be exported from the Microsoft Management Console (mmc.exe) on the Windows machine.

But in our case, things were a bit more complicated. We first exported the PFX file on Machine A; after that, Machine A was formatted and we lost the private key. We were not able to export a new PFX file on Machine B, and we were also not able to export the private key from the previous PFX file.

Fortunately, we found a way to obtain the private key from the previous PFX file. The trick is:

  • Convert the PFX file to a PEM file.
  • Copy the private key section and save it as a key file.

Retrieve your private key file from PFX file

There are many websites that convert a PFX file to a PEM file. Here is a good one: https://www.sslshopper.com/ssl-converter.html.

  • Upload your PFX file, and select PFX/PKCS#12 as the Type of Current Certificate.
  • Select Standard PEM file as the Type To Convert To.
  • Type your PFX password and download the PEM file.

Once you have the PEM file converted from the PFX file, open it with any text editor. It contains a Private Key section. Simply copy

-----BEGIN PRIVATE KEY-----
***************************
***************************
-----END PRIVATE KEY-----

to a new file and save it as privateKey.key.

The renewed certificate from the provider comes with two files: a PEM file and an SPC certificate file. We can use the OpenSSL command-line tool to combine them with the recovered key into the new PFX file:

openssl pkcs12 -export -out NewPFX.pfx -inkey privateKey.key -in NewCert.pem -certfile NewCert.spc

For Windows users, the openssl tool is available in the Windows Subsystem for Linux (WSL).

After typing the password, you will have the renewed PFX file. :)
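The same recovery procedure, written up as an added example (this is not code from the original post or from VRcollab): every step is done locally with openssl, so the old PFX and its password are never uploaded anywhere. File names, passwords and certificate subjects are placeholders constructed for the example, and the SPC handling assumes the provider's .spc is a DER-encoded PKCS#7 bundle, which is the usual format. The script also generates its own self-signed "old" PFX and a "renewed" certificate for the same key as stand-ins for the real artifacts, and finishes by checking that the private key inside the new PFX really matches its certificate.

```shell
#!/bin/sh
# Added example, not the original post's code: recover the private key from
# an existing PFX and pair it with a renewed certificate, all with openssl.
# Every file name, password and subject below is a constructed placeholder.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: extract the private key from the old PFX. This is the "Private Key
# section" of the PEM; -nodes writes it unencrypted, like privateKey.key above.
extract_key() {          # $1 = old PFX, $2 = its password, $3 = output .key
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3"
}

# Optional: an SPC from the provider is assumed here to be a DER PKCS#7 bundle;
# this converts it to PEM certificates that "openssl pkcs12 -certfile" accepts.
spc_to_pem() {           # $1 = input .spc, $2 = output .pem
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# Step 2: combine the recovered key, the renewed certificate and the chain
# into a fresh PFX protected by a new password.
build_pfx() {            # $1 = key, $2 = renewed cert PEM, $3 = chain PEM, $4 = out PFX, $5 = new password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Verification: the public key derived from the PFX's private key must equal
# the public key inside the PFX's end-entity certificate (-clcerts), otherwise
# signing with the new PFX will fail.
pfx_key_matches_cert() { # $1 = PFX, $2 = password
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes | openssl pkey -pubout)
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts | openssl x509 -pubkey -noout)
  [ "$key_pub" = "$cert_pub" ]
}

# Constructed stand-ins for the real artifacts: a self-signed "old" PFX like
# the one exported on Machine A, and an SPC-style DER PKCS#7 bundle.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/old.key" -out "$WORK/old.crt" \
    -subj "/CN=Example Code Signing" -days 30 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/old.key" -in "$WORK/old.crt" \
    -out "$WORK/old.pfx" -passout pass:oldpass
  openssl crl2pkcs7 -nocrl -certfile "$WORK/old.crt" -outform DER -out "$WORK/chain.spc"
}

demo() {
  make_fixtures
  extract_key "$WORK/old.pfx" oldpass "$WORK/privateKey.key"
  # "Renewal": a new certificate issued for the recovered key, standing in for
  # the NewCert.pem that a real provider would return.
  openssl req -x509 -new -key "$WORK/privateKey.key" -out "$WORK/NewCert.pem" \
    -subj "/CN=Example Code Signing" -days 365
  spc_to_pem "$WORK/chain.spc" "$WORK/NewCert.chain.pem"
  build_pfx "$WORK/privateKey.key" "$WORK/NewCert.pem" "$WORK/NewCert.chain.pem" \
    "$WORK/NewPFX.pfx" newpass
  pfx_key_matches_cert "$WORK/NewPFX.pfx" newpass \
    && echo "NewPFX.pfx in $WORK: private key and certificate match"
}

demo
```

For a real renewal, skip make_fixtures and point extract_key at the PFX exported on Machine A, build_pfx at the PEM and SPC the provider sent, and keep the recovered .key file only for as long as it takes to build the new PFX. The match check is worth running on the result before handing it to electron-builder: a PFX whose certificate was issued for a different key pair (for example, a renewal done with a freshly generated CSR) will pass the export step only if the key matches, and this check makes the mismatch obvious rather than surfacing later as a signing error.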