
I am developing a plugin using Crossrider and needed a Code Signing Certificate as part of that process. In so doing I took the following actions:

  1. Followed GoDaddy's instructions for generating a CSR as shown here

  2. Sent the CSR & private key to the client and asked them to purchase the CSC which they did

  3. Client sent me the .pem and .spc file from GoDaddy

  4. I used OpenSSL to convert the .pem file to a .pfx which Crossrider requires

    OpenSSL> pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem

  5. When OpenSSL requested that I "Enter Export Password" I used the same password as when generating the CSR.

  6. I uploaded the .pfx file to Crossrider and supplied the same password again

Crossrider is saying the file or password are not valid. Have I made any mistakes or missed something in the above steps?

UPDATE: 04/30 4:45 PST

The .pem file from GoDaddy already shows four -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- groups so it seems they did the chaining? I was able to import the .pfx file I generated into KeyChain Access on OSX and it shows up with our company name and as issued by GoDaddy with all of the details.

When I run openssl verify this is what I get...

    OpenSSL> verify certificate.pem
    certificate.pem: /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
    error 18 at 0 depth lookup:self signed certificate
    OK

I'm pretty lost so please offer any suggestions. I can post whatever info to help solve.

jww
ThinkCL
  • possible duplicate of [Adding an intermediate certificates to a pkcs12 file](http://stackoverflow.com/questions/22618108/adding-an-intermediate-certificates-to-a-pkcs12-file) – jww Apr 30 '14 at 22:25
  • It looks like you are missing the intermediates from the CA that issued the certificate. You have to add them by hand to `certificate.pem` before creating the `{PFX|P12}` file. – jww Apr 30 '14 at 22:27
  • @jww – Thanks for the reply. I just read your linked post and am trying to digest the info. I modified my question with some more info that might give more insight. – ThinkCL Apr 30 '14 at 23:49
  • To resolve the OpenSSL issue: download the appropriate CA (Go Daddy Class 2 Certification Authority) from [GoDaddy CA Repository](https://certs.godaddy.com/anonymous/repository.pki). Then issue `openssl verify certificate.pem -CAFile `, where `` is the CA you downloaded. You should get something similar to `Verify return code: 0 (Ok)`. If everything is OK, then try removing the password from the `{PFX|P12}` file before upload. The password is a moot point anyway since it's uploaded to the server and likely stored on the filesystem. – jww Apr 30 '14 at 23:56
  • @jww – How do I know which one to download? I tried the two root certs that seemed applicable gd-class2-root.crt and gdroot-g2.crt but they both threw errors when I specified them as CAFile: `Error opening certificate file -CAFile` – ThinkCL May 01 '14 at 00:51
  • "but they both threw errors when I specified them as CAFile" - it sounds like they are DER encoded. Convert them to PEM with `openssl x509 -in xxx.der -inform DER -out xxx.pem -outform PEM`. Also, there's three certs on that page named `Go Daddy Class 2 Certification Authority`. Two are `Go Daddy Class 2 Certification Authority`, and the third is `Go Daddy Class 2 Certification Authority - G2`. I'm not sure which one you need. I would have to try them one-by-one like you. Since you have the server cert, you could look at the Authority Key Identifier (AKI). – jww May 01 '14 at 00:59

1 Answer


This was an issue with Crossrider not the OpenSSL generation of the .pfx file. I posted the issue to their support board last night and they responded that their dev team took a look and asked me to try again. I uploaded it and it worked.

ThinkCL
  • As mentioned, there was an issue with the CSC upload mechanism that has now been resolved. @ThinkCL, thank you for reporting the problem and apologies for the inconvenience [**Disclosure**: I am a Crossrider employee] – Shlomo May 01 '14 at 18:16
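
A local pre-upload check for the export in step 4 and the verification discussed in the comments, added here as an example; it is not code from the thread or from Crossrider. The function names, file names, password and the throwaway root and leaf it generates are all constructed for illustration.

```shell
#!/bin/sh
# Added example. The demo CA, leaf, file names and password are constructed.

# True when the private key and the FIRST certificate in the PEM file share a
# public key. Assumes an unencrypted key; add -passin for an encrypted one.
key_matches_cert() {  # $1=key  $2=cert
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Same export as step 4, plus -certfile so the chain travels inside the PFX.
build_pfx() {  # $1=key  $2=leaf  $3=chain  $4=out.pfx  $5=password
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Returns 0 and prints "ok", or a distinct code per failed check.
# Options go before the certificate; the option is spelled -CAfile.
preflight() {  # $1=key $2=leaf $3=root $4=intermediates $5=pfx $6=password
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    openssl verify -CAfile "$3" -untrusted "$4" "$2" >/dev/null 2>&1 ||
        { echo "chain does not verify"; return 2; }
    openssl pkcs12 -in "$5" -passin "pass:$6" -noout 2>/dev/null ||
        { echo "PFX does not open with this password"; return 3; }
    echo "ok"
}

# Constructed stand-in for the CA-issued files: a throwaway root and one leaf.
make_demo() {  # $1=work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Signer" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

d=$(mktemp -d) && make_demo "$d" &&
build_pfx "$d/leaf.key" "$d/leaf.pem" "$d/root.pem" "$d/demo.pfx" "constructed-pw" &&
preflight "$d/leaf.key" "$d/leaf.pem" "$d/root.pem" "$d/root.pem" \
    "$d/demo.pfx" "constructed-pw"
rm -rf "$d"
```

`openssl x509` and `openssl verify` read only the first certificate in a PEM file, so with a multi-certificate bundle the leaf has to be first or split into its own file. A `pass:` argument is visible in the process list; `env:VAR` or `file:path` keeps a real password off the command line.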