openssl - 将 Sectigo/Comodo 的代码签名证书转换为实际可用的 .pfx 文件

问题描述

当我尝试使用 Firefox 从 Sectigo/Comodo 下载代码签名证书时，我最终下载了一个名为 的文件CollectCCC，没有文件扩展名。我不清楚如何使用它来签署二进制文件。当我尝试使用它来签署二进制文件（/debug打开）时，我得到以下信息：

> .\installation\signtool.exe sign /debug /f 'C:\Users\username\Downloads\CollectCCC' .\DraughtHub_Link.exe

The following certificates were considered:
    Issued to: GoDragons
    Issued by: Sectigo RSA Code Signing CA
    Expires:   Fri Oct 22 00:59:59 2021
    SHA1 hash: <hash>

    Issued to: Sectigo RSA Code Signing CA
    Issued by: USERTrust RSA Certification Authority
    Expires:   Wed Jan 01 00:59:59 2031
    SHA1 hash: <hash>

    Issued to: USERTrust RSA Certification Authority
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

    Issued to: AAA Certificate Services
    Issued by: AAA Certificate Services
    Expires:   Mon Jan 01 00:59:59 2029
    SHA1 hash: <hash>

After EKU filter, 4 certs were left.
After expiry filter, 4 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

部分问题是我无法使用 IE 下载他们的证书（他们推荐的方式，叹气），因为我没有使用 IE 创建代码签名证书请求。我使用创建了代码签名证书请求openssl。

这是我从 IE 收到的错误消息：

我也尝试将其导入CollectCCC到 IE 中，但失败了。

免责声明：我不建议将 Sectigo 和/或 Comodo 用于代码签名证书！我和他们的经历很糟糕！为获得更好的服务付出更多是值得的。

标签： opensslcode-signingcode-signing-certificatecodesignkey