SN v2.0 Works With PFX Files

One enhancement in the v2.0 SN tool that may not get noticed right away is that it can now work with PKCS #12 PFX files in addition to SNK files.  The logic here is that a self-signed certificate stored in a PFX file is the moral equivalent of an SNK key, except that it gives you the added benefit of storing your key in encrypted form rather than in the SNK's plaintext format.

This feature should be entirely transparent -- anywhere that SN takes a key file as input, you can now specify a PFX file instead. SN will detect this and prompt you for a password:

C:\Build>sn -R DelaySigned.exe KeyPair.pfx

Microsoft (R) .NET Framework Strong Name Utility Version 2.0.50727.42
Copyright (c) Microsoft Corporation. All rights reserved.

Enter the password for the PKCS#12 key file:
Assembly 'DelaySigned.exe' successfully re-signed

Your password will not echo to the screen as you type it.

There are a few limitations to this feature, however.  Since it was designed with self-signed certificates in mind, SN will not accept a PFX file that contains multiple certificates (there's no way to tell it which certificate you wish to use).

Also, SN will not allow you to redirect standard input and load the password from a pipe.  (In this case it gives a rather cryptic error message, "Failed to parse the PKCS#12 blob in KeyPair.pfx -- The handle is invalid."  We'll replace that message with something a bit more descriptive in a future release.)

Finally, the PFX file must have a password, even if that password is blank.  SN will never attempt to read a certificate with a NULL password.
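
The single-certificate limitation can be checked before a PFX file is handed to SN. The script below is an added example, not part of SN or of the original post: Test-SnPfx and New-SamplePfx are hypothetical helper names, the sample PFX blobs are constructed in memory, and it assumes Windows with .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
# Added example. Test-SnPfx and New-SamplePfx are hypothetical helper names,
# not part of SN. Assumes Windows with .NET Framework 4.7.2+ or PowerShell 7.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-SnPfx {
    param([byte[]]$PfxBytes, [string]$Password)
    $certs = [X509Certificate2Collection]::new()
    try {
        # EphemeralKeySet keeps the private key out of the on-disk key store.
        $certs.Import($PfxBytes, $Password, [X509KeyStorageFlags]::EphemeralKeySet)
    } catch {
        return [pscustomobject]@{ Certificates = 0; UsableBySn = $false
                                  Reason = "cannot open PFX: $($_.Exception.Message)" }
    }
    $withKey = @($certs | Where-Object { $_.HasPrivateKey })
    $reason = if ($certs.Count -ne 1) {
        "PFX holds $($certs.Count) certificates; SN accepts exactly one"
    } elseif ($withKey.Count -ne 1) {
        'certificate has no private key, so there is nothing to sign with'
    } elseif ($certs[0].Subject -ne $certs[0].Issuer) {
        'single key pair found, but the certificate is not self-signed'
    } else { 'single self-signed certificate with a private key' }
    [pscustomobject]@{ Certificates = $certs.Count
                       UsableBySn   = ($certs.Count -eq 1 -and $withKey.Count -eq 1)
                       Reason       = $reason }
}

# Builds a constructed, throwaway PFX holding one self-signed cert per name.
function New-SamplePfx([string[]]$Names, [string]$Password) {
    $col = [X509Certificate2Collection]::new()
    foreach ($n in $Names) {
        $req = [CertificateRequest]::new("CN=$n", [RSA]::Create(2048),
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $now = [DateTimeOffset]::UtcNow
        [void]$col.Add($req.CreateSelfSigned($now, $now.AddDays(1)))
    }
    return ,$col.Export([X509ContentType]::Pfx, $Password)
}

$pw = 'constructed-sample-password'                   # sample value only
Test-SnPfx (New-SamplePfx 'OneKey' $pw) $pw           # one certificate
Test-SnPfx (New-SamplePfx 'KeyA','KeyB' $pw) $pw      # two certificates
Test-SnPfx (New-SamplePfx 'OneKey' $pw) 'wrong'       # password mismatch
```

To check a file on disk, pass the result of [System.IO.File]::ReadAllBytes for that path as the first argument.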

If you want to create a self-signed PFX key, the easiest way is to use Visual Studio 2005.  In the project properties Signing tab, tell Visual Studio to create a new strong name key file.  VS will show you this dialog:

Selecting "Protect my key file with a password", the default option, creates a PFX file.  If you uncheck that option, you'll create a traditional SNK file.  VS will enforce that your password be at least six characters long.  It also provides the ability for you to change the password of an existing key pair.