I had the pleasure to troubleshoot this interesing issue and feel this information might be helpful for everyone dealing with code signing. You might hit this when trying to use the same keyset for strongname signing as well as for manifest and/or Authenticode signing.
As noted in this article Visual Studio 2005 cannot handle PKCS#12 files that hold several certificates (the CA chain). But even if you have ensured that only the end entity certificate is present in the PFX file, you might get an error dialog from Visual Studio after entering the passphrase for the FPX file:
Title: “Error during Import of the Keyset”
Message: “Object already exists”
During enrollment (really when creating the keyset and the CSR) the KeySpec parameter has been incorrectly set to AT_KEYEXCHANGE (1). This must be AT_SIGNATURE (2) for Visual Studio 2005 to work.
- Create a new CSR with KeySpec=2 (using the Certificates MMC in Windows Vista for example) and get that signed by the CA of your choice.
Note: Some web Enrollment Applications (Registration Authorities) seem to set the KeySpec wrongly to “1”. You might want to notify CA’s that do this and get this corrected.
Using CertUitl from Windows Server 2003 SP1 or later you can force KeySpec to match your wishes/needs when importing a PFX (aka PKCS#12) file. Carsten Kinder has documented the relevant options here.
The steps to follow are:
Using the “Certifiates” MMC export the existing keyset (KeySpec=1) to a PFX file.
Note:Please backup this file to a safe location and test if the file can be imported ok on another machine if you really want to play it safe!
Delete the existing certificate from the crypto store (stlll using the MMC).
Open a CMD prompt.
import the PFX file using this command:
certutil -importPFX -user <pfxfilename> AT_SIGNATURE
Enter the passphrase for the pfx when prompted.
You now should have a keyset/Cert with KeySpec=2. If needed you can now export this into another PFX file using the MMC again.