如何仅从给定的代码签名文件 cer 创建密钥和 crt 文件？

Question

我有代码签名证书，从他们那里我只得到了一个X.cer 文件。
当我需要签署我的 .exe 时，我需要一个 PFX 文件，我需要两个文件 A.key 和 B.crt

问。我如何从 X.cer 文件、A.key 和 B.crt 制作？这样我就可以开始第 1 步了？

第 1 步：

$ openssl pkcs12 -inkey A.key -in B.crt -export -out GOAL.pfx

第 2 步：

signtool sign /debug /f GOAL.pfx /p MyPassword MyFile.exe

or

signtool sign /debug /n "My Company Certificate" MyFile.exe

编辑：仍然困惑如何制作那个 A.key 文件？

openssl pkcs12 -export -in X.cer -inkey A.key -out GOAL.pfx -certfile ??.cer

or

openssl pkcs12 -export -in X.cer -inkey A.key -out GOAL.pfx

-in 指定输入证书嵌入输出文件（代码签名官方文件）

-inkey 指定您使用 OpenSSL 生成的密钥文件（??????? 如何 ?????）

-out 告诉 openssl 你想要的输出文件名称（PFX 文件）

-certfile 用于指定要添加到输出 pfx 文件的附加证书（可以忽略）可选。

Answer 1

注意：许多专家完全相信并忽略了“您没有密钥文件”，请注意这是正常的，许多供应商不要求提供他们自己制作的密钥文件并提供 PFX 或仅限 CER 文件。结果它变得令人困惑，就像我的情况一样。

1) 创建 A.key

$ openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Generating a 2048 bit RSA private key
...............+++
....................+++
writing new private key to 'privateKey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Oost-Vlanderen
Locality Name (eg, city) []:Dendermonde
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TEST
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:NAME of DEVLOPER
Email Address []:email@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

$ ls
CSR.csr     privateKey.key

2) 要让 B.crt 重命名 X.cer

3) 最后应用

openssl pkcs12 -export -in X.cer -inkey A.key -out GOAL.pfx

编辑： 终于完成了，我还没有 KEY 文件。供应商给了我 PFX 文件

C:\Program Files (x86)\Windows Kits\8.0\bin\x86>signtool.exe sign /debug /f C:\Users\sun\Downloads\s.pfx /p 1234password C:\Users\sun\Downloads\IeAddOnDemo\IeAddOnDemo\bin\Debug\IeAddOnDemo.dll

The following certificates were considered:
    Issued to: xxxxN.V./S.A.
    Issued by: GlobalSign CodeSigning CA - SHA256 - G2
    Expires:   Wed Apr 08 18:13:59 2015
    SHA1 hash: xxxxx

    Issued to: GlobalSign CodeSigning CA - SHA256 - G2
    Issued by: GlobalSign
    Expires:   Fri Aug 02 12:00:00 2019
    SHA1 hash: xxxxxx

After EKU filter, 2 certs were left.
After expiry filter, 2 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: xxxN.V./S.A.
    Issued by: GlobalSign CodeSigning CA - SHA256 - G2
    Expires:   Wed Apr 08 18:13:59 2015
    SHA1 hash: xxx


The following additional certificates will be attached:
    Issued to: GlobalSign CodeSigning CA - SHA256 - G2
    Issued by: GlobalSign
    Expires:   Fri Aug 02 12:00:00 2019
    SHA1 hash: xxxx

Done Adding Additional Store
Successfully signed: C:\Users\sun\Downloads\IeAddOnDemo\IeAddOnDemo\bin\Debug\IeAddOnDemo.dll

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0